From owner-freebsd-questions Mon Oct 14 15:16:37 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7916F37B401 for ; Mon, 14 Oct 2002 15:16:34 -0700 (PDT)
Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5360A43EAF for ; Mon, 14 Oct 2002 15:16:33 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org ([12.234.91.48]) by sccrmhc02.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20021014221632.BPLU24595.sccrmhc02.attbi.com@blossom.cjclark.org>; Mon, 14 Oct 2002 22:16:32 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g9EMGVWn022655; Mon, 14 Oct 2002 15:16:31 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost) by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g9EMGQR6022654; Mon, 14 Oct 2002 15:16:26 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Mon, 14 Oct 2002 15:16:26 -0700
From: "Crist J. Clark"
To: Maildrop
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: monitor ALL connections to ALL ports
Message-ID: <20021014221626.GC21823@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20021014205437.GA21823@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Mon, Oct 14, 2002 at 05:09:43PM -0500, Maildrop wrote:
> >On Mon, Oct 14, 2002 at 02:31:05PM -0500, Maildrop wrote:
> >>
> >> I put these rules in:
> >>
> >> ipfw add count log all from any to any
> >>
> >> I am getting messages in my log (/var/log/all.log) that appear like this:
> >> Oct 14 14:15:06 hydra /kernel: Connection attempt to UDP 192.168.17.1:161
> >> from 192.168.17.1:1166
> >
> >That's a log_in_vain message, not ipfw(8).
> >
> >> Which is exactly what I want, but there are a couple of issues:
> >>
> >> 1) It only logs "failed" connects. If I try to `telnet localhost 55`, it
> >> will log that, but if I do a `telnet localhost 80` (where web server is
> >> running) the connection is valid and doesn't log it.
> >
> >Right, that's how log_in_vain works.
> >
> > (from tcp(4))
> > tcp.log_in_vain Log any connection attempts to ports where there is
> > not a socket accepting connections. The value of 1
> > limits the logging to SYN (connection establishment)
> > packets only. That of 2 results in any TCP packets to
> > closed ports being logged. Any value unlisted above
> > disables the logging (default is 0, i.e., the logging
> > is disabled).
>
> '1' is limited to connection established (valid connections)

No, it's limited to SYNs at _closed_ ports. Read the first sentence
again, "Log any connection attempts to ports where there is not a
socket accepting connections."
> and '2' is limited to connection failed... how do I get both failed AND
> established from log_in_vain? I want to log all connections, regardless
> if they failed or succeeded, regardless if they have a daemon running on
> that port or not.

log_in_vain doesn't do connections to listening ports. That's the job of
whatever is listening.

> Currently, they are both set as '1':
>
> net.inet.tcp.log_in_vain: 1
> net.inet.udp.log_in_vain: 1
>
> >> 2) How do I set up Syslog for this? ipfw man page says it logs to
> >> LOG_SECURITY facility. I want to log all connections (failed or not), into
> >> one file..
> >>
> >> This is what I currently have in my syslogd.conf file (the log above I am
> >> pulling from all.log):
> >>
> >> security.* /var/log/security
> >> log.security /var/log/ipfw.log
> >>
> >> Both these files are empty :( I restarted syslogd.
> >
> >The second one should give you an error. The first one should catch
> >ipfw(8) logging. You did rebuild your kernel with IPFIREWALL and
> >IPFIREWALL_VERBOSE, right?

[snip]

> Something weird that I found:
>
> hydra# ipmon -D /var/log/ipfw.log
> /dev/ipl: open: Device not configured
>
> hydra# file /dev/ipl
> /dev/ipl: character special (79/0)
>
> hydra# grep ipmon /etc/rc.conf
> ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter or ipnat
> ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
> ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
>
> Is ipmon part of ipfw?

No, it's part of IPFilter.

Here's your problem,

> hydra# ipfw list
> 00050 divert 8668 ip from any to any via dc1
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65100 count log logamount 100 ip from any to any
> 65535 deny ip from any to any

How is anything ever going to reach rule 65100? 65000 passes everything.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
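The rule-ordering point at the end of the reply, as an added example that is not part of the thread or of ipfw itself: a small Python first-match walk over the `ipfw list` output quoted above, run once as posted and once with the `count log` rule renumbered ahead of the catch-all `allow`. Everything beyond the quoted rules is an assumption made here: the sample packets are constructed, rule number 400 is an arbitrary choice, `divert` is treated as terminating for a single pass (natd's reinjection is ignored), and the "log line" format is invented, not the kernel's.

```python
# Added example (not from the thread): first-match evaluation of the
# ipfw(8) rule list posted above, showing why rule 65100 never counts or
# logs anything while 65000 sits in front of it. Only the small rule
# syntax used in that list is parsed; real ipfw does far more.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ruleset exactly as shown by `ipfw list` in the thread.
RULESET_AS_POSTED = """
00050 divert 8668 ip from any to any via dc1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65100 count log logamount 100 ip from any to any
65535 deny ip from any to any
"""

# Same rules with the count/log rule moved ahead of the catch-all allow.
# Rule number 400 is an assumption made for this example.
RULESET_FIXED = """
00050 divert 8668 ip from any to any via dc1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 count log logamount 100 ip from any to any
65000 allow ip from any to any
65535 deny ip from any to any
"""

# 'count' is the only non-terminating action here; in this single-pass
# model 'divert' is treated as terminating (natd reinjection ignored).
TERMINATING = {"allow", "deny", "divert"}

# Constructed sample traffic as (src, dst, interface). The first entry is
# the SNMP probe from the log_in_vain line quoted in the thread.
PACKETS: List[Tuple[str, str, str]] = [
    ("192.168.17.1", "192.168.17.1", "dc0"),
    ("10.0.0.7", "192.168.17.1", "dc0"),
    ("10.0.0.7", "127.0.0.1", "dc0"),     # should hit 00200 deny
    ("127.0.0.1", "127.0.0.1", "lo0"),    # should hit 00100 allow
    ("1.2.3.4", "192.168.17.1", "dc1"),   # should hit 00050 divert
]


@dataclass
class Rule:
    number: int
    action: str
    log: bool
    src: Optional[ipaddress.IPv4Network]  # None means 'any'
    dst: Optional[ipaddress.IPv4Network]
    via: Optional[str]


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_ruleset(text: str) -> List[Rule]:
    """Parse '<num> <action> [port] [log [logamount N]] ip from A to B [via IF]'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        number, action, i = int(t[0]), t[1], 2
        if action == "divert":
            i += 1                    # skip the divert port
        log = False
        if t[i] == "log":
            log, i = True, i + 1
            if t[i] == "logamount":
                i += 2                # skip 'logamount N'
        if t[i:i + 2] != ["ip", "from"] or t[i + 3] != "to":
            raise ValueError(f"unsupported rule syntax: {line}")
        via = t[i + 6] if len(t) > i + 6 and t[i + 5] == "via" else None
        rules.append(Rule(number, action, log, _net(t[i + 2]), _net(t[i + 4]), via))
    return sorted(rules, key=lambda r: r.number)  # ipfw walks rules in number order


def matches(rule: Rule, src: str, dst: str, iface: str) -> bool:
    if rule.src is not None and ipaddress.ip_address(src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(dst) not in rule.dst:
        return False
    return rule.via is None or rule.via == iface


def evaluate(rules: List[Rule], src: str, dst: str, iface: str) -> Tuple[str, List[int]]:
    """Return (final action, numbers of every rule that matched on the way)."""
    matched = []
    for r in rules:
        if matches(r, src, dst, iface):
            matched.append(r.number)
            if r.action in TERMINATING:
                return r.action, matched
    raise RuntimeError("ran off the end; ipfw always ends with rule 65535")


def simulate(ruleset: str, packets) -> Tuple[Dict[int, int], List[str]]:
    """Per-rule hit counts plus simulated log lines (this format is made up)."""
    rules = parse_ruleset(ruleset)
    by_number = {r.number: r for r in rules}
    hits = {r.number: 0 for r in rules}
    log_lines = []
    for src, dst, iface in packets:
        _, matched = evaluate(rules, src, dst, iface)
        for n in matched:
            hits[n] += 1
            if by_number[n].log:
                log_lines.append(f"SIMULATED ipfw: {n} {by_number[n].action} {src} -> {dst} via {iface}")
    return hits, log_lines


if __name__ == "__main__":
    for name, rs in (("as posted", RULESET_AS_POSTED), ("count rule at 400", RULESET_FIXED)):
        hits, lines = simulate(rs, PACKETS)
        print(name, {n: c for n, c in hits.items() if c}, f"{len(lines)} logged")
```

Run as posted, no packet ever reaches 65100 because 65000 terminates the walk first; with the count rule renumbered to 400, every packet that survives the loopback checks is counted and logged and then still passes at 65000, which is the behaviour the original poster was after.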