Date: Mon, 25 Oct 2004 17:48:00 +0300
From: Nikos Vassiliadis <nvass@teledome.gr>
To: freebsd-questions@freebsd.org, Spades <spades@galaxynet.org>
Subject: Re: ipfw flooding in /var/log/ipfw.log
Message-ID: <200410251748.00620.nvass@teledome.gr>
In-Reply-To: <064801c4ba99$169fcab0$0300a8c0@astral>
References: <057501c4ba7d$d65a7fb0$0300a8c0@astral> <20041025133443.GA6371@shark.localdomain> <064801c4ba99$169fcab0$0300a8c0@astral>

On Monday 25 October 2004 16:46, Spades wrote:
> error:
>
> # ipfw add 900 allow log all from any to any setup
> ipfw: unknown argument ``setup''

setup is available only for TCP connections. So

    ipfw add allow log logamount 0 tcp from any to any setup

would be the correct one. But this is hardly what you want
to do, since it matches only the three-way handshake TCP does.
The rest of the stream will be dropped if your last rule (65535) is
the default one (deny ip from any to any).

This will log every TCP connection setup, and let the rest of
the stream flow:

    allow log logamount 0 tcp from any to any setup
    allow tcp from any to any

BUT this is not a firewall setup. It's just a TCP connection
logger. You should do a little reading about TCP/IP, in order to
understand how to set up a firewall.

Cheers, NikV

>
> ----- Original Message -----
> From: "Sergey Zaharchenko" <doublef@tele-kom.ru>
> To: "Spades" <spades@galaxynet.org>
> Cc: <freebsd-questions@freebsd.org>
> Sent: Monday, October 25, 2004 9:34 PM
> Subject: Re: ipfw flooding in /var/log/ipfw.log
>
> On Mon, Oct 25, 2004 at 06:31:49PM +0800,
> Spades probably wrote:
> > this is my ipfw.rule for now
> > # ipfw add 900 allow log all from any to any
>
> <snip>
>
> > It will keep spitting this 2 lines as long i'm connected, how do i make
> > it such as it will log only one instance?
>
> You might want to change the rule to
>
> # ipfw add 900 allow log all from any to any setup
>                                              ^^^^^
> which only logs the (attempts to) set up a connection (the initial SYN
> packets). man ipfw has some interesting information on this.
>
> HTH,

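
The first-match behaviour described in the message above, as an added illustration that is not part of the e-mail or of ipfw itself: a small Python model that runs one constructed TCP connection through the three rule sets discussed in the thread and reports what is passed and what is logged. The rule number 910, the `Rule`/`Packet` types and the packet list are assumptions made for the example; `setup` is modelled as SYN set and ACK clear.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto flags desc")       # flags: set of TCP flag names
Rule = namedtuple("Rule", "num action log proto setup")

def matches(rule, pkt):
    """True if the (simplified) rule matches the packet."""
    if rule.proto not in ("ip", "all") and rule.proto != pkt.proto:
        return False
    if rule.setup:  # "setup" only makes sense for TCP: SYN set, ACK clear
        return pkt.proto == "tcp" and "SYN" in pkt.flags and "ACK" not in pkt.flags
    return True

def evaluate(rules, packets):
    """First matching rule wins. Returns (verdicts, log_lines)."""
    verdicts, logged = [], []
    for pkt in packets:
        for rule in rules:
            if matches(rule, pkt):
                verdicts.append(rule.action)
                if rule.log:
                    logged.append(f"{rule.num} {rule.action} {pkt.desc}")
                break
    return verdicts, logged

DEFAULT_DENY = Rule(65535, "deny", False, "ip", False)  # deny ip from any to any

# Constructed sample: the packets of one TCP connection, both directions.
STREAM = [
    Packet("tcp", {"SYN"}, "client SYN"),
    Packet("tcp", {"SYN", "ACK"}, "server SYN+ACK"),
    Packet("tcp", {"ACK"}, "client ACK"),
    Packet("tcp", {"ACK", "PSH"}, "data segment"),
    Packet("tcp", {"FIN", "ACK"}, "close"),
]

# allow log all from any to any                (the original rule 900)
LOG_EVERYTHING = [Rule(900, "allow", True, "all", False), DEFAULT_DENY]
# allow log logamount 0 tcp ... setup          (and nothing else before 65535)
SETUP_ONLY = [Rule(900, "allow", True, "tcp", True), DEFAULT_DENY]
# allow log ... tcp ... setup ; allow tcp from any to any
SETUP_LOGGER = SETUP_ONLY[:1] + [Rule(910, "allow", False, "tcp", False), DEFAULT_DENY]

if __name__ == "__main__":
    for name, rules in [("log everything", LOG_EVERYTHING),
                        ("setup only", SETUP_ONLY),
                        ("setup logger", SETUP_LOGGER)]:
        verdicts, logged = evaluate(rules, STREAM)
        print(f"{name}: {verdicts} -> {len(logged)} log line(s)")
```
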
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200410251748.00620.nvass>