From owner-freebsd-security Mon Aug 10 19:15:10 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA13243 for freebsd-security-outgoing; Mon, 10 Aug 1998 19:15:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA13236 for ; Mon, 10 Aug 1998 19:15:07 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id OAA04342; Tue, 11 Aug 1998 14:12:47 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Tue, 11 Aug 1998 14:12:47 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Jesse
cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw log limits by connection vs. rule
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 10 Aug 1998, Jesse wrote:

> I was wondering if anyone knew/came up with some way of setting an ipfw
> log limit that tracked by unique connection instead of by the ipfw rule.
> That's probably not very clear, so I'll give an example of what I mean.
>
> Currently, if I have the rule
>
> 55000 deny log tcp from any to any setup
>
> and my ipfw log limit is 50, then if stranger.someplace.com sends 50
> packets to fbsd.mydomain.com port 23, I'll hit that log limit. Then he can
> portscan all my other ports, without being logged. Also, if
> stranger2.somewhere.org comes along, nothing from him will be logged
> (under the same rule).

You can set syslog.conf so that all messages from ipfw get piped to a
script. I've had this in mind for a while, but not yet had the time to
write it. Has anyone got a script set up to summarise this stuff as it
comes in?

Andrew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
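One shape such a summarising script could take, added here as an illustration and not something from the thread or from FreeBSD itself: it reads ipfw syslog lines on stdin (the kind a syslog.conf pipe action would feed it) and keeps its counts per source host rather than per rule, so one noisy host exhausting its budget neither hides a later scan of other ports nor silences a second host hitting the same rule. The ipfw line format matched below and the sample addresses are assumptions; the exact message layout varies between FreeBSD versions.

```python
#!/usr/bin/env python3
"""Summarise ipfw 'log' messages per source host instead of per rule.

Illustrative script (not part of the original thread): feed it syslog lines
on stdin, e.g. via a syslog.conf pipe action, and it reports per source host
how many packets arrived, how many fell beyond the per-host log budget, and
which rules and destination ports were involved.
"""
import re
import sys

# Assumed shape of an ipfw log line after syslogd prefixes it, for example:
# "Aug 11 14:12:47 fbsd /kernel: ipfw: 55000 Deny TCP 203.0.113.5:1025 198.51.100.2:23 in via ed0"
# Only rule, source address and destination port are used.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def summarise(lines, per_source_limit=50):
    """Return {src: {"packets", "logged", "suppressed", "rules", "ports"}}.

    The limit is applied per source host, so a scan that spreads over many
    ports still shows every port in the summary even after the host's
    budget of individually logged packets is exhausted.
    """
    summary = {}
    for line in lines:
        m = IPFW_RE.search(line)
        if not m:
            continue  # not an ipfw message; ignore other syslog traffic
        src = m.group("src")
        entry = summary.setdefault(
            src, {"packets": 0, "logged": 0, "suppressed": 0, "rules": set(), "ports": set()}
        )
        entry["packets"] += 1
        entry["rules"].add(int(m.group("rule")))
        entry["ports"].add(int(m.group("dport")))
        if entry["logged"] < per_source_limit:
            entry["logged"] += 1       # still within this host's budget
        else:
            entry["suppressed"] += 1   # counted, but not logged individually
    return summary


def format_summary(summary):
    """One line per source host, sorted by address."""
    rows = []
    for src in sorted(summary):
        e = summary[src]
        ports = ",".join(str(p) for p in sorted(e["ports"]))
        rows.append(f"{src}: {e['packets']} pkts ({e['suppressed']} beyond limit) "
                    f"rules {sorted(e['rules'])} ports {ports}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_summary(summarise(sys.stdin)))
```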