Date:      Mon, 25 Oct 2004 17:48:00 +0300
From:      Nikos Vassiliadis <nvass@teledome.gr>
To:        freebsd-questions@freebsd.org, Spades <spades@galaxynet.org>
Subject:   Re: ipfw flooding in /var/log/ipfw.log
Message-ID:  <200410251748.00620.nvass@teledome.gr>
In-Reply-To: <064801c4ba99$169fcab0$0300a8c0@astral>
References:  <057501c4ba7d$d65a7fb0$0300a8c0@astral> <20041025133443.GA6371@shark.localdomain> <064801c4ba99$169fcab0$0300a8c0@astral>

On Monday 25 October 2004 16:46, Spades wrote:
> error:
>
> # ipfw add 900 allow log all from any to any setup
> ipfw: unknown argument ``setup''

setup is available only for TCP connections. So
ipfw add allow log logamount 0 tcp from any to any setup
would be the correct one. But this is hardly what
you want to do, since it matches only the three-way
handshake TCP does. The rest of the stream will
be dropped if your last rule (65535) is the default one
(deny ip from any to any).

This will log every TCP connection setup, and let the rest
of the stream flow:
allow log logamount 0 tcp from any to any setup
allow tcp from any to any

BUT this is not a firewall setup. It's just a TCP connection
logger. You should do a little reading about TCP/IP, in order
to understand how to set up a firewall.

Cheers, NikV

>
> ----- Original Message -----
> From: "Sergey Zaharchenko" <doublef@tele-kom.ru>
> To: "Spades" <spades@galaxynet.org>
> Cc: <freebsd-questions@freebsd.org>
> Sent: Monday, October 25, 2004 9:34 PM
> Subject: Re: ipfw flooding in /var/log/ipfw.log
> On Mon, Oct 25, 2004 at 06:31:49PM +0800,
>
>  Spades probably wrote:
> > this is my ipfw.rule for now
> > # ipfw add 900 allow log all from any to any
>
> <snip>
>
> > It will keep spitting this 2 lines as long i'm connected, how do i make
> > it such as it will log only one instance?
>
> You might want to change the rule to
>
> # ipfw add 900 allow log all from any to any setup
>                                              ^^^^^
> which only logs the (attempts to) set up a connection (the initial SYN
> packets). man ipfw has some interesting information on this.
>
> HTH,



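To make the first-match behaviour NikV describes concrete, here is an added Python model of ipfw rule evaluation. It is not FreeBSD code and not part of the thread: it parses only the rule syntax used in the messages above (action, optional `log` / `logamount N`, protocol, `from any to any`, optional `setup`), refuses `setup` on a non-tcp rule the way ipfw did for Spades, and then runs a constructed SYN / SYN-ACK / ACK / data / UDP sequence through Spades's original rule, the setup-only rule, and NikV's two-rule logger. The `Packet`, `Rule` and `Firewall` names, the `verbose_limit` parameter standing in for net.inet.ip.fw.verbose_limit, and the log line format are assumptions made for the example.

```python
"""Toy model of ipfw first-match rule evaluation (added example, not FreeBSD code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# FreeBSD's built-in last rule: anything not matched earlier is dropped.
DEFAULT_RULE_NUMBER = 65535
DEFAULT_RULE_TEXT = "deny ip from any to any"


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp", "udp" or "icmp"
    syn: bool = False  # TCP SYN flag
    ack: bool = False  # TCP ACK flag


@dataclass
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp", "icmp", "ip" or "all"
    log: bool = False
    logamount: Optional[int] = None  # None: sysctl default; 0: unlimited
    setup: bool = False              # SYN set and ACK clear, i.e. handshake start
    logged: int = 0                  # log entries emitted so far by this rule

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", "all") and self.proto != pkt.proto:
            return False
        if self.setup and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
            return False
        return True


def parse_rule(number: int, text: str) -> Rule:
    """Parse the subset of ipfw syntax used in the thread; 'setup' is tcp-only."""
    toks = text.split()
    action = toks.pop(0)
    if action not in ("allow", "deny"):
        raise ValueError(f"unsupported action {action!r}")
    log, logamount = False, None
    if toks and toks[0] == "log":
        toks.pop(0)
        log = True
        if toks and toks[0] == "logamount":
            toks.pop(0)
            logamount = int(toks.pop(0))
    proto = toks.pop(0)
    if toks[:4] != ["from", "any", "to", "any"]:
        raise ValueError("only 'from any to any' is modelled here")
    del toks[:4]
    setup = False
    if toks and toks[0] == "setup":
        toks.pop(0)
        if proto != "tcp":  # the error Spades hit with 'all ... setup'
            raise ValueError("ipfw: unknown argument ``setup''")
        setup = True
    if toks:
        raise ValueError(f"unexpected tokens {toks}")
    return Rule(number, action, proto, log, logamount, setup)


class Firewall:
    """Rules are tried in number order; the first match decides the packet."""

    def __init__(self, rules: List[Rule], verbose_limit: int = 0):
        # verbose_limit stands in for net.inet.ip.fw.verbose_limit (0 = unlimited)
        self.rules = sorted(rules, key=lambda r: r.number)
        self.rules.append(parse_rule(DEFAULT_RULE_NUMBER, DEFAULT_RULE_TEXT))
        self.verbose_limit = verbose_limit
        self.log_lines: List[str] = []

    def process(self, pkt: Packet) -> Tuple[str, int]:
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            cap = self.verbose_limit if rule.logamount is None else rule.logamount
            if rule.log and (cap == 0 or rule.logged < cap):
                rule.logged += 1
                # Constructed log line; real ipfw lines also carry addresses and interface.
                self.log_lines.append(f"ipfw: {rule.number} {rule.action} {pkt.proto}")
            return rule.action, rule.number
        raise AssertionError("unreachable: rule 65535 matches everything")


# Constructed traffic: one TCP three-way handshake, one data segment, one UDP datagram.
SAMPLE_TRAFFIC = [
    Packet("tcp", syn=True),            # client SYN
    Packet("tcp", syn=True, ack=True),  # server SYN/ACK
    Packet("tcp", ack=True),            # client ACK, handshake complete
    Packet("tcp", ack=True),            # data segment
    Packet("udp"),
]

ORIGINAL = [(900, "allow log all from any to any")]                   # Spades's rule
SETUP_ONLY = [(900, "allow log logamount 0 tcp from any to any setup")]
SETUP_AND_ALLOW = SETUP_ONLY + [(1000, "allow tcp from any to any")]  # NikV's pair


def run(ruleset, packets=SAMPLE_TRAFFIC):
    """Return per-packet (action, rule number) verdicts and the number of log lines."""
    fw = Firewall([parse_rule(n, t) for n, t in ruleset])
    return [fw.process(p) for p in packets], len(fw.log_lines)


def rejected(text: str) -> bool:
    """True if parse_rule refuses the rule text, as ipfw refused Spades's command."""
    try:
        parse_rule(900, text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("setup only", SETUP_ONLY), ("setup+allow", SETUP_AND_ALLOW)):
        print(name, run(rs))
    print("all ... setup rejected:", rejected("allow log all from any to any setup"))
```

Running it shows the three outcomes the thread argues about: the original rule logs every packet of the connection, the setup-only rule logs once but then lets rule 65535 drop the SYN/ACK and everything after it, and the setup plus allow pair logs once and passes the rest of the stream while still dropping UDP.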