From: Mark Rowlands
To: "Chad Albert", "freebsd-questions"
Subject: Re: ipfw and logging TCP flags
Date: Sun, 26 May 2002 13:16:47 +0200
Message-Id: <200205261316.47069.mark.rowlands@minmail.net>
In-Reply-To: <200205251214.21648.mark.rowlands@minmail.net>

On Saturday 25 May 2002 12:14 pm, Mark Rowlands wrote:
> On Saturday 25 May 2002 11:47 am, Mark Rowlands wrote:
> > On Saturday 25 May 2002 8:08 am, Chad Albert wrote:
> > > Does anyone know how to get IP Firewall to report what TCP flags (syn,
> > > syn+ack, fin, etc...) were set in the logged packets? As it is
> > > configured on my box right now, I don't really know how someone is
> > > probing a port when they are probing. It is not terribly important,
> > > but it would be nice to see in my logs.
> >
> > http://archives.neohapsis.com/archives/freebsd/2000-12/0222.html
> > is what you're looking for, I think....
> >
> > Not tested by me, your mileage may vary, this way up, use no hooks.
>
> > and further investigation reveals
> > http://people.freebsd.org/~cjc/ipfw_verbose_stable.patch

and now tested...... gives:

sysctl net.inet.ip.fw.verbose=4

May 26 13:02:08 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2932 194.213.75.109:80 f=11 s=deaee460 a=9bb20d9c in via xl0

where f = hex representation of tcpflags:

fin syn rst psh ack urg
01  02  04  08  16  32  (decimal)
01  02  04  08  10  20  (hex)

so in this instance f=11, which implies syn and ack set ..... which, with a crafty hping packet .... they certainly were.

sysctl net.inet.ip.fw.verbose=2

May 26 13:05:03 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2101 192.168.0.1:64 in via xl0 [tos 0x00] (ttl 64, id 65496, len 40)
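As an added example (not part of the thread above, and not code from the ipfw project or the cjc patch), here is a small Python parser that reads ipfw log lines in the two formats shown in Mark's mail, decodes the f= field with the bit table he gives (fin 0x01, syn 0x02, rst 0x04, psh 0x08, ack 0x10, urg 0x20) and labels common probe shapes such as a bare SYN or a NULL/XMAS packet. The sample log lines are constructed for the example (the first is the verbose=4 line from the post); the field layout of the patched log line is assumed from that single line, and any bits outside the six listed are reported as unknown rather than guessed.

```python
"""Decode the f= TCP-flag field in ipfw verbose log lines.

Added example, not from the original mail or from the cjc patch.
Assumes the line layout shown in the post:
  verbose=4 (patched): ... ipfw: N Action TCP src:sp dst:dp f=XX s=... a=... in via if0
  verbose=2 (stock):   ... ipfw: N Action TCP src:sp dst:dp in via if0 [tos ...] (...)
"""
import re

# Bit values from the hex row of the table in the post.
TCP_FLAGS = (
    ("fin", 0x01),
    ("syn", 0x02),
    ("rst", 0x04),
    ("psh", 0x08),
    ("ack", 0x10),
    ("urg", 0x20),
)
KNOWN_MASK = sum(bit for _, bit in TCP_FLAGS)

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: f=(?P<flags>[0-9a-fA-F]+) s=(?P<seq>[0-9a-fA-F]+) a=(?P<ackno>[0-9a-fA-F]+))?"
    r" (?P<dir>in|out) via (?P<iface>\S+)"
)


def decode_flags(hexval):
    """Turn the f= hex string into flag names, in header-bit order."""
    value = int(hexval, 16)
    names = [name for name, bit in TCP_FLAGS if value & bit]
    leftover = value & ~KNOWN_MASK
    if leftover:
        # Bits the post's table does not cover (e.g. ECN bits); report, don't guess.
        names.append("unknown(0x%02x)" % leftover)
    return names


def classify(flag_names):
    """Label the packet shape; the scan names are the usual nmap-style terms."""
    s = set(flag_names)
    if not s:
        return "NULL probe (no flags)"
    if s == {"syn"}:
        return "connection attempt (bare SYN)"
    if s == {"syn", "ack"}:
        return "SYN/ACK reply"
    if {"fin", "psh", "urg"} <= s and "ack" not in s:
        return "XMAS probe"
    if s == {"fin"}:
        return "FIN probe"
    if "rst" in s:
        return "reset"
    return "mid-connection traffic (ACK set)"


def parse_line(line):
    """Return a dict of fields, or None if the line is not an ipfw TCP log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["flags"] is not None:
        rec["flag_names"] = decode_flags(rec["flags"])
        rec["kind"] = classify(rec["flag_names"])
    else:
        rec["flag_names"] = None
        rec["kind"] = "flags not logged (verbose < 4 or unpatched kernel)"
    return rec


# Constructed sample input. The first line is the verbose=4 line from the post,
# the rest are made up to exercise the decoder (hypothetical addresses).
SAMPLE_LOG = """\
May 26 13:02:08 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2932 194.213.75.109:80 f=11 s=deaee460 a=9bb20d9c in via xl0
May 26 13:02:09 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2933 194.213.75.109:80 f=02 s=00000001 a=00000000 in via xl0
May 26 13:02:10 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2934 194.213.75.109:80 f=12 s=00000002 a=00000002 in via xl0
May 26 13:02:11 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2935 194.213.75.109:22 f=00 s=00000003 a=00000000 in via xl0
May 26 13:02:12 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2936 194.213.75.109:22 f=29 s=00000004 a=00000000 in via xl0
May 26 13:05:03 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2101 192.168.0.1:64 in via xl0 [tos 0x00] (ttl 64, id 65496, len 40)
"""


def summarize(log_text):
    """Count packet kinds over a block of log text."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec["kind"]] = counts.get(rec["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(rec["src"], "->", rec["dst"] + ":" + rec["dport"],
              "f=" + str(rec["flags"]), rec["flag_names"], rec["kind"])
    print(summarize(SAMPLE_LOG))
```

Run it directly to print one decoded line per log entry plus a tally; feed it `/var/log/security` (or wherever syslog puts `kernel` messages) instead of the constructed sample to see which bare-SYN, NULL and XMAS probes hit which ports.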