Date:      Sat, 19 Jun 1999 10:21:34 +1000 (EST)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        jwyatt@RWSystems.net (James Wyatt)
Cc:        synk@swcp.com, freebsd-security@FreeBSD.ORG
Subject:   Re: ipf howto, tada
Message-ID:  <199906190021.KAA26497@cheops.anu.edu.au>
In-Reply-To: <Pine.BSF.4.05.9906180939200.6084-100000@kasie.rwsystems.net> from "James Wyatt" at Jun 18, 99 09:54:39 am

In some mail from James Wyatt, sie said:
> 
> On Fri, 18 Jun 1999, Darren Reed wrote:
[...]
> > > pass out quick proto tcp from 200.200.200.1/32 to any keep state
> > 
> > This can be in or out...essentially when the packet first crosses your
> > perimeter.  If it is a locally made connection going out then the above
> > is correct.  If it is from another host on your LAN going through your
> > IP Filter firewall, then it should be "pass in" on the LAN interface.
> 
> I've been considering the value of a 'firewall' interface that could track
> how long a TCP session was open. If you get in on anything but ssh/rsh and
> telnet for more than 5 min, it would trip... I've also wondered if it's
> keeping state, if it could feed start/end time when the session closed?

If you run ipmon with the "-a" command line option, it will display all
log information generated by IP Filter.  This includes changes to the state
table, changes to the NAT table and of course packets logged according to
normal packet filtering rules.

For example, an NTP query shows up like this:

23/02/1999 00:00:36.340843 STATE:NEW 1.2.3.4,123 -> 5.6.7.8,123 PR udp
23/02/1999 00:01:36.374508 STATE:CLOSE 1.2.3.4,123 -> 5.6.7.8,123 PR udp Pkts 2 Bytes 152

And a NAT'd scp connection as follows:

28/02/1999 23:46:16.990175 @3 NAT:MAP 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22]
28/02/1999 23:47:03.060326 @3 NAT:EXPIRE 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22] Pkts 381 Bytes 117234

Darren
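The session-duration check James asked about can be built on exactly the STATE:NEW/STATE:CLOSE and NAT:MAP/NAT:EXPIRE records that Darren shows. The following is an added example, not code from the mail or from IP Filter: it parses ipmon -a lines of the format shown above, pairs each NEW/MAP with its CLOSE/EXPIRE, computes how long each flow was open, and flags flows on anything other than ssh, rsh and telnet that stayed open longer than five minutes. The two UDP STATE lines and the NAT pair are copied from the mail; the two TCP sessions are constructed for the demo. Treating the "@rule" token as optional on STATE lines is an assumption (the mail only shows it on the NAT lines), as is the exact set of exempt ports.

```python
import re
from datetime import datetime

# Constructed ipmon -a log excerpt for this demo. The two UDP STATE lines and the
# NAT:MAP/NAT:EXPIRE pair are the ones shown in the mail above; the two TCP
# sessions (one to ssh, one to smtp) are made up so the threshold check has
# something to flag.
SAMPLE_LOG = """\
23/02/1999 00:00:36.340843 STATE:NEW 1.2.3.4,123 -> 5.6.7.8,123 PR udp
23/02/1999 00:01:36.374508 STATE:CLOSE 1.2.3.4,123 -> 5.6.7.8,123 PR udp Pkts 2 Bytes 152
28/02/1999 23:46:16.990175 @3 NAT:MAP 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22]
28/02/1999 23:47:03.060326 @3 NAT:EXPIRE 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22] Pkts 381 Bytes 117234
01/03/1999 09:00:00.000000 STATE:NEW 192.0.2.10,40001 -> 203.0.113.5,22 PR tcp
01/03/1999 09:00:05.000000 STATE:NEW 192.0.2.11,40002 -> 203.0.113.5,25 PR tcp
01/03/1999 09:08:05.000000 STATE:CLOSE 192.0.2.11,40002 -> 203.0.113.5,25 PR tcp Pkts 900 Bytes 1200000
01/03/1999 09:12:00.000000 STATE:CLOSE 192.0.2.10,40001 -> 203.0.113.5,22 PR tcp Pkts 40 Bytes 6000
"""

TS = r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)"
RULE = r"(?:@\S+\s+)?"          # optional "@<rule>" tag; assumed optional on STATE lines
COUNTERS = r"(?:\s+Pkts\s+(?P<pkts>\d+)\s+Bytes\s+(?P<bytes>\d+))?"
ADDR = r"(?P<{0}>[\d.]+),(?P<{0}port>\d+)"   # "a.b.c.d,port" as ipmon prints it

STATE_RE = re.compile(
    TS + r"\s+" + RULE + r"STATE:(?P<event>NEW|CLOSE)\s+"
    + ADDR.format("src") + r"\s+->\s+" + ADDR.format("dst")
    + r"\s+PR\s+(?P<proto>\w+)" + COUNTERS + r"\s*$")
NAT_RE = re.compile(
    TS + r"\s+" + RULE + r"NAT:(?P<event>MAP|EXPIRE)\s+"
    + ADDR.format("src") + r"\s+<-\s+->\s+" + ADDR.format("map")
    + r"\s+\[" + ADDR.format("dst") + r"\]" + COUNTERS + r"\s*$")


def parse_line(line):
    """Parse one ipmon -a line into a dict, or return None for lines we don't track."""
    for kind, rx in (("state", STATE_RE), ("nat", NAT_RE)):
        m = rx.match(line)
        if m:
            rec = {k: v for k, v in m.groupdict().items() if v is not None}
            rec["kind"] = kind
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%m/%Y %H:%M:%S.%f")
            for k in ("srcport", "dstport", "mapport", "pkts", "bytes"):
                if k in rec:
                    rec[k] = int(rec[k])
            return rec
    return None


def pair_sessions(lines):
    """Match each STATE:NEW / NAT:MAP with its CLOSE / EXPIRE and compute durations.

    Returns (finished_sessions, still_open_flows); the second is useful for
    spotting flows that never closed within the log window.
    """
    open_flows = {}
    finished = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["kind"], rec["src"], rec["srcport"], rec["dst"], rec["dstport"])
        if rec["event"] in ("NEW", "MAP"):
            open_flows[key] = rec
        elif key in open_flows:
            start = open_flows.pop(key)
            finished.append({
                "kind": rec["kind"],
                "proto": rec.get("proto"),        # NAT lines carry no protocol field
                "src": rec["src"], "srcport": rec["srcport"],
                "dst": rec["dst"], "dstport": rec["dstport"],
                "start": start["ts"], "end": rec["ts"],
                "seconds": (rec["ts"] - start["ts"]).total_seconds(),
                "pkts": rec.get("pkts", 0), "bytes": rec.get("bytes", 0),
            })
    return finished, open_flows


# ssh, telnet, rsh: the interactive services exempted in the mail (assumed port set)
INTERACTIVE_PORTS = {22, 23, 514}


def long_sessions(finished, limit_seconds=300, exempt=INTERACTIVE_PORTS):
    """Sessions that stayed open longer than the limit on a non-interactive port."""
    return [s for s in finished
            if s["seconds"] > limit_seconds and s["dstport"] not in exempt]


def describe(s):
    """One-line human-readable summary of a finished session."""
    proto = s["proto"] or "nat"
    return (f"{proto} {s['src']}:{s['srcport']} -> {s['dst']}:{s['dstport']} "
            f"open {s['seconds']:.3f}s from {s['start']:%H:%M:%S} to {s['end']:%H:%M:%S}, "
            f"{s['pkts']} pkts / {s['bytes']} bytes")


if __name__ == "__main__":
    done, still_open = pair_sessions(SAMPLE_LOG.splitlines())
    for s in done:
        print(describe(s))
    for s in long_sessions(done):
        print("ALERT long session:", describe(s))
```

Run it against a live log with `ipmon -a | python3 script.py` after replacing SAMPLE_LOG with `sys.stdin`; the start and end timestamps of each flow come straight from the NEW and CLOSE records, so no extra state tracking in the firewall is needed.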

