From owner-freebsd-questions Mon Oct 14 15:01:15 2002
Date: Mon, 14 Oct 2002 17:09:43 -0500
From: "Maildrop"
To: "Crist J. Clark", "Maildrop"
Cc: freebsd-questions@freebsd.org
Subject: RE: monitor ALL connections to ALL ports
In-Reply-To: <20021014205437.GA21823@blossom.cjclark.org>

I moved this thread to freebsd-questions@freebsd.org due to a request that
freebsd-security@freebsd.org was an inappropriate place to discuss this issue.
> On Mon, Oct 14, 2002 at 02:31:05PM -0500, Maildrop wrote:
> >
> > I put these rules in:
> >
> > ipfw add count log all from any to any
> >
> > I am getting messages in my log (/var/log/all.log) that appear like this:
> > Oct 14 14:15:06 hydra /kernel: Connection attempt to UDP 192.168.17.1:161
> > from 192.168.17.1:1166
>
> That's a log_in_vain message, not ipfw(8).
>
> > Which is exactly what I want, but there are a couple of issues:
> >
> > 1) It only logs "failed" connects. If I try to `telnet localhost 55`, it
> > will log that, but if I do a `telnet localhost 80` (where web server is
> > running) the connection is valid and doesn't log it.
>
> Right, that's how log_in_vain works.
>

(from tcp(4))

     tcp.log_in_vain
             Log any connection attempts to ports where there is not a socket
             accepting connections.  The value of 1 limits the logging to SYN
             (connection establishment) packets only.  That of 2 results in
             any TCP packets to closed ports being logged.  Any value unlisted
             above disables the logging (default is 0, i.e., the logging is
             disabled).

'1' is limited to connection established (valid connections) and '2' is
limited to connection failed... how do I get both failed AND established
from log_in_vain? I want to log all connections, regardless if they failed
or succeeded, regardless if they have a daemon running on that port or not.

Currently, they are both set as '1':

net.inet.tcp.log_in_vain: 1
net.inet.udp.log_in_vain: 1

> > 2) How do I set up Syslog for this? ipfw man page says it logs to
> > LOG_SECURITY facility. I want to log all connections (failed or not), into
> > one file..
> >
> > This is what I currently have in my syslogd.conf file (the log above I am
> > pulling from all.log):
> >
> > security.*      /var/log/security
> > log.security    /var/log/ipfw.log
> >
> > Both these files are empty :( I restarted syslogd.
>
> The second one should give you an error. The first one should catch
> ipfw(8) logging. You did rebuild your kernel with IPFIREWALL and
> IPFIREWALL_VERBOSE, right?
>

Yep.
4.7-release:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_VERBOSE              #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options IPSTEALTH                       #support for stealth forwarding

Kernel that is currently running (from kernel config above, clean reboot and
didn't change any sysctl):

net.inet.ip.fw.enable: 1
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 100
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.static_count: 7
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_grace_time: 10
net.link.ether.ipfw: 0

Something weird that I found:

hydra# ipmon -D /var/log/ipfw.log
/dev/ipl: open: Device not configured
hydra# file /dev/ipl
/dev/ipl: character special (79/0)
hydra# grep ipmon /etc/rc.conf
ipmon_enable="NO"               # Set to YES for ipmon; needs ipfilter or ipnat
ipmon_program="/sbin/ipmon"     # where the ipfilter monitor program lives
ipmon_flags="-Ds"               # typically "-Ds" or "-D /var/log/ipflog"

Is ipmon part of ipfw?
hydra# cd /var/log
hydra# ls -l ipfw*
-rw-r--r--  1 root  wheel    0 Oct 14 13:26 ipfw.log
-rw-------  1 root  wheel  163 Oct 13 03:05 ipfw.today
-rw-------  1 root  wheel  151 Oct 12 03:07 ipfw.yesterday
hydra# cat ipfw.log
hydra# cat ipfw.today
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65535 0 0 deny ip from any to any
hydra# cat ipfw.yesterday
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65535 0 0 deny ip from any to any
hydra# ipfw list
00050 divert 8668 ip from any to any via dc1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65100 count log logamount 100 ip from any to any
65535 deny ip from any to any
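An added check, not part of the thread: in the `ipfw list` output above, the `count log` rule 65100 sits after `65000 allow ip from any to any`, and ipfw stops processing at the first matching allow or deny, so rule 65100 never sees a packet, which matches the empty ipfw.log. The script below (my code, with the regex and helper names as assumptions) parses such a listing, including the counter columns of `ipfw -a list`, and reports every rule shadowed by an earlier catch-all terminal rule; the sample input is the listing from the message.

```python
# Added example, not code from the thread: find ipfw rules that an earlier
# catch-all terminal rule makes unreachable; input is `ipfw [-a] list` text.
import re

# ipfw(8) actions that stop rule processing when they match.
TERMINAL_ACTIONS = {"allow", "accept", "pass", "permit", "deny", "drop", "reject", "unreach"}
# "NNNNN [pkts bytes] action [body]" as printed by `ipfw list` / `ipfw -a list`.
RULE_RE = re.compile(r"^(\d{1,5})(?:\s+\d+\s+\d+)?\s+(\S+)(?:\s+(.*))?$")

# The `ipfw list` output posted in the message above (constructed sample input).
SAMPLE_LISTING = """\
00050 divert 8668 ip from any to any via dc1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65100 count log logamount 100 ip from any to any
65535 deny ip from any to any
"""

def parse_rules(listing):
    """Return (number, action, body) per rule line; counter columns are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return rules

def strip_log_options(body):
    """Drop a leading 'log [logamount N]' so match bodies can be compared."""
    tokens = body.split()
    if tokens and tokens[0] == "log":
        tokens = tokens[1:]
        if len(tokens) >= 2 and tokens[0] == "logamount":
            tokens = tokens[2:]
    return " ".join(tokens)

def is_catch_all(action, body):
    """Terminal rule that matches every packet on every interface (no via/in/out)."""
    return action in TERMINAL_ACTIONS and strip_log_options(body) == "ip from any to any"

def shadowed_rules(listing):
    """Return [(rule, blocking_rule)] for rules ipfw never evaluates."""
    blocker, shadowed = None, []
    for num, action, body in parse_rules(listing):
        if blocker is not None:
            shadowed.append((num, blocker))
        elif is_catch_all(action, body):
            blocker = num
    return shadowed
```

`shadowed_rules(SAMPLE_LISTING)` returns `[(65100, 65000), (65535, 65000)]`; moving the `count log` rule in front of rule 65000 (or dropping the blanket allow) is what lets it record traffic.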