Date: Fri, 18 Jun 1999 09:54:39 -0500 (CDT)
From: James Wyatt <jwyatt@RWSystems.net>
To: Darren Reed <avalon@coombs.anu.edu.au>
Cc: Brendan Conoboy <synk@swcp.com>, freebsd-security@FreeBSD.ORG
Subject: Re: ipf howto, tada
Message-ID: <Pine.BSF.4.05.9906180939200.6084-100000@kasie.rwsystems.net>
In-Reply-To: <199906181039.UAA22257@cheops.anu.edu.au>
On Fri, 18 Jun 1999, Darren Reed wrote:

[ ... ]

> > I prefer to run ipmon as "ipmon -s" so it
> > syslogs logged packets instead of having them dump to stdout.
>
> "ipmon /var/log/iplog" will save log entries direct to that file. ipmon
> also handles SIGHUP as you would expect, closing and re-opening the log
> file to allow for rotation. With newsyslog, this should be possible
> without too much hassle.

Who says you want to syslog to a plain ASCII file?

> FWIW, you might like to mention the "log-or-block" option where it will
> block a packet to be pass'd and logged if it cannot log it due to the
> log buffer being too full.
>
> i.e.
> pass in log first or-block on vx0 proto tcp from any to any port = 80 flags S/SA keep state
>
> Here we say only log the first packet for this connection as recorded by
> "keep state", but if it can't be logged, then block it.

Neat trick! Could this easily be used for DOS? I like this idea, but want
to understand it. If you filled the syslogs with dummy attempts, would it
block access, preventing you from cycling syslog files?

[ ... ]

> > pass out quick proto tcp from 200.200.200.1/32 to any keep state
>
> This can be in or out...essentially when the packet first crosses your
> perimeter. If it is a locally made connection going out then the above
> is correct. If it is from another host on your LAN going through your
> IP Filter firewall, then it should be "pass in" on the LAN interface.

I've been considering the value of a 'firewall' interface that could track
how long a TCP session was open. If you get in on anything but ssh/rsh and
telnet for more than 5 min, it would trip... I've also wondered if it's
keeping state, if it could feed start/end time when the session closed?
Even if waiting for 5 min to tell you you're hacked wasn't a good idea, it
might be nice to have such stats. - Jy@

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
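James's idea of pairing state open/close events to flag TCP sessions that stay up longer than five minutes on anything other than ssh/rsh/telnet, as an added Python example that is not from the thread or from IP Filter itself. The STATE:NEW/STATE:CLOSE line layout and the log lines are constructed for this example, not real ipmon output, so LINE_RE must be adapted to whatever your ipmon version actually emits.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in an assumed ipmon-like state-event layout (not real output).
SAMPLE_LOG = """\
18/06/1999 09:40:01 STATE:NEW 10.1.1.5,1027 -> 200.200.200.1,22 PR tcp
18/06/1999 09:40:10 STATE:NEW 10.1.1.7,1033 -> 200.200.200.1,80 PR tcp
18/06/1999 09:41:15 STATE:CLOSE 10.1.1.7,1033 -> 200.200.200.1,80 PR tcp
18/06/1999 09:42:00 STATE:NEW 10.1.1.9,1040 -> 200.200.200.1,110 PR tcp
18/06/1999 09:50:30 STATE:CLOSE 10.1.1.9,1040 -> 200.200.200.1,110 PR tcp
18/06/1999 10:15:00 STATE:CLOSE 10.1.1.5,1027 -> 200.200.200.1,22 PR tcp
"""

# Assumed field layout: timestamp, event, src,sport -> dst,dport, protocol.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) STATE:(?P<ev>NEW|CLOSE) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)$"
)

# Ports where long interactive sessions are expected: ssh, telnet, rsh.
INTERACTIVE_PORTS = {22, 23, 514}


def session_durations(log_text):
    """Pair each STATE:NEW with its STATE:CLOSE by 5-tuple.

    Returns a list of (key, start_time, seconds) in the order sessions closed;
    CLOSE lines with no matching NEW (e.g. log rotated mid-session) are skipped.
    """
    open_sessions = {}
    finished = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S")
        key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if m["ev"] == "NEW":
            open_sessions[key] = ts
        elif key in open_sessions:
            start = open_sessions.pop(key)
            finished.append((key, start, (ts - start).total_seconds()))
    return finished


def long_sessions(log_text, limit=timedelta(minutes=5)):
    """Sessions on non-interactive ports that outlived the limit (James's 5 min trip)."""
    return [(k, s, d) for k, s, d in session_durations(log_text)
            if k[4] not in INTERACTIVE_PORTS and d > limit.total_seconds()]
```

Run against a live ipmon file, this reports only after the close event arrives, which is the "after the fact" limitation James points out; it still yields the start/end statistics he wanted.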