From owner-freebsd-security Fri Jun 18 8:23:18 1999
Date: Fri, 18 Jun 1999 09:54:39 -0500 (CDT)
From: James Wyatt <jwyatt@RWSystems.net>
To: Darren Reed
Cc: Brendan Conoboy, freebsd-security@FreeBSD.ORG
Subject: Re: ipf howto, tada
In-Reply-To: <199906181039.UAA22257@cheops.anu.edu.au>
Sender: owner-freebsd-security@FreeBSD.ORG

On Fri, 18 Jun 1999, Darren Reed wrote:

[ ... ]
> > I prefer to run ipmon as "ipmon -s" so it
> > syslogs logged packets instead of having them dump to stdout.
>
> "ipmon /var/log/iplog" will save log entries direct to that file. ipmon
> also handles SIGHUP as you would expect, closing and re-opening the log
> file to allow for rotation. With newsyslog, this should be possible
> without too much hassle. Who says you want to syslog to a plain ASCII file?
>
> FWIW, you might like to mention the "log-or-block" option where it will
> block a packet to be pass'd and logged if it cannot log it due to the
> log buffer being too full.
>
> i.e.
> pass in log first or-block on vx0 proto tcp from any to any port = 80 flags S/SA keep state
>
> Here we say only log the first packet for this connection as recorded by
> "keep state", but if it can't be logged, then block it.

Neat trick! Could this easily be used for DoS? I like this idea, but want to understand it. If you filled the syslogs with dummy attempts, would it block access, preventing you from cycling syslog files?

[ ... ]
> > pass out quick proto tcp from 200.200.200.1/32 to any keep state
>
> This can be in or out...essentially when the packet first crosses your
> perimeter. If it is a locally made connection going out then the above
> is correct. If it is from another host on your LAN going through your
> IP Filter firewall, then it should be "pass in" on the LAN interface.

I've been considering the value of a 'firewall' interface that could track how long a TCP session was open. If you get in on anything but ssh/rsh and telnet for more than 5 min, it would trip... I've also wondered, if it's keeping state, whether it could feed start/end times when the session closed? Even if waiting for 5 min to tell you you're hacked wasn't a good idea, it might be nice to have such stats.

- Jy@

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
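The logging rules and the ipmon/newsyslog rotation discussed in the thread, laid out as one configuration. This is an added example, not from the original messages; the interface vx0 and the port 80 rule come from Darren's quoted rule, while the ipmon pid-file path, the log size and the other ports are assumptions.

```conf
# /etc/ipf.rules  (added example, not from the thread)
# Rules are evaluated top to bottom; "quick" stops at the first match.

# Plain "log first": the first packet of each tracked connection is logged.
# If the kernel log buffer is full the packet is still passed, it just goes
# unlogged (fails open). Assumed port: ssh.
pass in log first quick on vx0 proto tcp from any to any port = 22 flags S/SA keep state

# "log first or-block": same, but when the log buffer is full the packet is
# blocked instead of passed (fails closed). Under a flood of new connections
# this refuses fresh legitimate sessions too, which is the DoS concern raised
# in the reply; use it only where an unlogged connection is worse than a
# refused one, and size the log buffer and rotation accordingly.
pass in log first or-block quick on vx0 proto tcp from any to any port = 80 flags S/SA keep state

# Everything else arriving on vx0 is dropped and logged.
block in log quick on vx0 all

# Locally originated connections leaving via vx0 (state created on the way out).
pass out quick on vx0 proto tcp from any to any flags S/SA keep state

# Run ipmon as a daemon writing to a file instead of syslog:
#   ipmon -D /var/log/iplog
#
# /etc/newsyslog.conf entry: rotate at 1000 KB, keep 7 compressed copies, and
# SIGHUP ipmon through its pid file so it closes and reopens the log
# (pid-file path is an assumption; check where your ipmon writes it):
#   /var/log/iplog   640  7  1000  *  Z  /var/run/ipmon.pid
```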