From owner-freebsd-security Sun Jul 30 12:42: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 608) id 447F937B6C1; Sun, 30 Jul 2000 12:42:02 -0700 (PDT)
From: "Jonathan M. Bresler"
To: stephen@math.missouri.edu
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: <397E4487.A868B713@math.missouri.edu> (message from Stephen Montgomery-Smith on Tue, 25 Jul 2000 20:53:11 -0500)
Subject: Re: log with dynamic firewall rules
Message-Id: <20000730194202.447F937B6C1@hub.freebsd.org>
Date: Sun, 30 Jul 2000 12:42:02 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> Stephen Montgomery-Smith wrote:
> >
> > I would like to set up a firewall with dynamic rules to allow
> > ssh from the outside. I would like these incoming ssh's logged.
> > So I tried something like:
> >
> > ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
> >
>
> OK, does everyone else agree with me that if an ipfw rule is logged
> and keep-state, then one only needs to log when the rule is established -
> not every time a packet passes through it?

adding an option to log only the packet that triggers the creation
of the dynamic rule would be an excellent addition to ipfw.

as you wrote in a later email, one option to log all packets
(inherited by the dynamic rule) and one option to log the triggering
packet only.

jmb