From owner-freebsd-security Fri Jun 18 17:22:08 1999
From: Darren Reed
Subject: Re: ipf howto, tada
To: jwyatt@RWSystems.net (James Wyatt)
Date: Sat, 19 Jun 1999 10:21:34 +1000 (EST)
Cc: synk@swcp.com, freebsd-security@FreeBSD.ORG
Message-Id: <199906190021.KAA26497@cheops.anu.edu.au>
In-Reply-To: from "James Wyatt" at Jun 18, 99 09:54:39 am

In some mail from James Wyatt, sie said:
>
> On Fri, 18 Jun 1999, Darren Reed wrote:
[...]
> > > pass out quick proto tcp from 200.200.200.1/32 to any keep state
> >
> > This can be in or out...essentially when the packet first crosses your
> > perimeter. If it is a locally made connection going out then the above
> > is correct. If it is from another host on your LAN going through your
> > IP Filter firewall, then it should be "pass in" on the LAN interface.
>
> I've been considering the value of a 'firewall' interface that could track
> how long a TCP session was open. If you get in on anything but ssh/rsh and
> telnet for more than 5 min, it would trip... I've also wondered if it's
> keeping state, if it could feed start/end time when the session closed?

If you run ipmon with the "-a" command line option, it will display all log
information generated by IP Filter. This includes changes to the state table,
changes to the NAT table and of course packets logged according to normal
packet filtering rules.

For example, an NTP query shows up like this:

23/02/1999 00:00:36.340843 STATE:NEW 1.2.3.4,123 -> 5.6.7.8,123 PR udp
23/02/1999 00:01:36.374508 STATE:CLOSE 1.2.3.4,123 -> 5.6.7.8,123 PR udp Pkts 2 Bytes 152

And a NAT'd scp connection as follows:

28/02/1999 23:46:16.990175 @3 NAT:MAP 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22]
28/02/1999 23:47:03.060326 @3 NAT:EXPIRE 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22] Pkts 381 Bytes 117234

Darren
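The STATE:NEW/STATE:CLOSE and NAT:MAP/NAT:EXPIRE pairs in Darren's ipmon output carry exactly the start and end times James asked about. The script below is an added example, not part of the original post or of IP Filter itself: it parses lines in the format shown in the message, pairs each NEW/MAP with its CLOSE/EXPIRE to compute how long the flow was open, and applies James's proposed rule (a TCP session to any port other than ssh, telnet or rsh that stays open longer than five minutes gets flagged). The regexes assume the line layout is exactly as quoted above; the sample lines marked CONSTRUCTED are made up for the demonstration and are not from the page.

```python
"""Pair ipmon -a state/NAT log lines into sessions and flag long-lived ones.

Added example; not from the original mailing-list post or from IP Filter.
Line format follows the examples in Darren Reed's message. Lines marked
CONSTRUCTED below are invented for this demonstration.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# STATE lines: "<date> <time> STATE:NEW|CLOSE src,sport -> dst,dport PR proto [Pkts n Bytes n]"
STATE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"STATE:(?P<event>NEW|CLOSE) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+)"
    r"(?: Pkts (?P<pkts>\d+) Bytes (?P<bytes>\d+))?$"
)

# NAT lines: "<date> <time> @rule NAT:MAP|EXPIRE inside,port <- -> mapped,port [remote,port] [Pkts n Bytes n]"
NAT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"@(?P<rule>\d+) NAT:(?P<event>MAP|EXPIRE) "
    r"(?P<inside>[\d.]+),(?P<inport>\d+) <- -> (?P<mapped>[\d.]+),(?P<mport>\d+) "
    r"\[(?P<remote>[\d.]+),(?P<rport>\d+)\]"
    r"(?: Pkts (?P<pkts>\d+) Bytes (?P<bytes>\d+))?$"
)


def _ts(date: str, time: str) -> datetime:
    # ipmon writes day/month/year, then a time with microseconds
    return datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S.%f")


def parse_line(line: str) -> Optional[dict]:
    """Describe one STATE or NAT log line; return None for anything else."""
    m = STATE_RE.match(line.strip())
    if m:
        g = m.groupdict()
        return {
            "kind": "STATE", "event": g["event"], "ts": _ts(g["date"], g["time"]),
            "key": (g["proto"], g["src"], int(g["sport"]), g["dst"], int(g["dport"])),
            "proto": g["proto"], "dport": int(g["dport"]),
            "pkts": int(g["pkts"]) if g["pkts"] else None,
            "bytes": int(g["bytes"]) if g["bytes"] else None,
        }
    m = NAT_RE.match(line.strip())
    if m:
        g = m.groupdict()
        return {
            "kind": "NAT", "event": g["event"], "ts": _ts(g["date"], g["time"]),
            "key": ("nat", g["inside"], int(g["inport"]), g["remote"], int(g["rport"])),
            # the NAT line does not name the transport protocol, so leave it unknown
            "proto": None, "dport": int(g["rport"]),
            "pkts": int(g["pkts"]) if g["pkts"] else None,
            "bytes": int(g["bytes"]) if g["bytes"] else None,
        }
    return None


def build_sessions(lines) -> List[dict]:
    """Pair each NEW/MAP with its CLOSE/EXPIRE and compute the time the flow was open."""
    open_flows: Dict[tuple, dict] = {}
    sessions: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] in ("NEW", "MAP"):
            open_flows[rec["key"]] = rec
        else:  # CLOSE or EXPIRE
            start = open_flows.pop(rec["key"], None)
            if start is None:
                continue  # close without a recorded start (e.g. log rotated mid-session)
            sessions.append({
                "key": rec["key"], "proto": rec["proto"], "dport": rec["dport"],
                "start": start["ts"], "end": rec["ts"],
                "seconds": (rec["ts"] - start["ts"]).total_seconds(),
                "pkts": rec["pkts"], "bytes": rec["bytes"],
            })
    return sessions


def long_sessions(sessions, max_seconds=300, allowed_ports=(22, 23, 514)) -> List[dict]:
    """James's rule: TCP sessions to ports other than ssh/telnet/rsh open longer than max_seconds."""
    return [s for s in sessions
            if s["proto"] == "tcp" and s["dport"] not in allowed_ports
            and s["seconds"] > max_seconds]


SAMPLE_LOG = [
    # the four entries quoted in the message
    "23/02/1999 00:00:36.340843 STATE:NEW 1.2.3.4,123 -> 5.6.7.8,123 PR udp",
    "23/02/1999 00:01:36.374508 STATE:CLOSE 1.2.3.4,123 -> 5.6.7.8,123 PR udp Pkts 2 Bytes 152",
    "28/02/1999 23:46:16.990175 @3 NAT:MAP 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22]",
    "28/02/1999 23:47:03.060326 @3 NAT:EXPIRE 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22] Pkts 381 Bytes 117234",
    # CONSTRUCTED: a TCP session to port 80 that stayed open six and a half minutes
    "01/03/1999 12:00:00.000000 STATE:NEW 192.0.2.10,40000 -> 198.51.100.7,80 PR tcp",
    "01/03/1999 12:06:30.000000 STATE:CLOSE 192.0.2.10,40000 -> 198.51.100.7,80 PR tcp Pkts 40 Bytes 5000",
    # CONSTRUCTED: a twenty-minute ssh session, which the rule allows
    "01/03/1999 12:00:01.000000 STATE:NEW 192.0.2.11,40001 -> 198.51.100.7,22 PR tcp",
    "01/03/1999 12:20:01.000000 STATE:CLOSE 192.0.2.11,40001 -> 198.51.100.7,22 PR tcp Pkts 900 Bytes 120000",
]

if __name__ == "__main__":
    for s in build_sessions(SAMPLE_LOG):
        print(f"{s['key']}: {s['start']} -> {s['end']} ({s['seconds']:.3f}s, "
              f"{s['pkts']} pkts, {s['bytes']} bytes)")
    for s in long_sessions(build_sessions(SAMPLE_LOG)):
        print("TRIPPED:", s["key"], f"{s['seconds']:.0f}s")
```

In practice you would feed it `ipmon -a` output piped through a file or syslog rather than the inline list; flows whose NEW line was logged before the file started are skipped rather than miscounted, and NAT entries are tracked but never flagged because the NAT line does not say which transport protocol the flow used.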