Date: Tue, 15 Oct 2002 12:58:05 -0500
From: "Maildrop" <maildrop@qwest.net>
To: "Krzysztof Zaraska" <kzaraska@student.uci.agh.edu.pl>, "Mike Hoskins" <mike@adept.org>, "Maildrop" <maildrop@qwest.net>
Cc: freebsd-security@freebsd.org
Subject: RE: FW: monitor ALL connections to ALL ports
Message-ID: <NGBBIILBAKIFGHHCHOHPEECLFKAA.maildrop@qwest.net>
In-Reply-To: <20021015175714.6ecbd83a.kzaraska@student.uci.agh.edu.pl>
Yep, this is exactly what I am looking for. All packets is a bit heavy on my hard drive :P This only works with tcp, though. Is there anything to watch udp packets (like the first packet from a host on a certain port)? I know udp might be tougher, since it is stateless.

> -----Original Message-----
> From: Krzysztof Zaraska [mailto:kzaraska@student.uci.agh.edu.pl]
> Sent: Tuesday, October 15, 2002 10:57 AM
> To: Mike Hoskins; Maildrop
> Cc: freebsd-security@freebsd.org
> Subject: Re: FW: monitor ALL connections to ALL ports
>
> On Mon, 14 Oct 2002 14:58:50 -0700 (PDT)
> Mike Hoskins <mike@adept.org> wrote:
>
> > > I put these rules in:
> > > ipfw add count log all from any to any
> >
> > Is this rule before the other allow rules in your chain? Since the rule
> > chain is parsed on a first-match basis, you'll either need this rule
> > before all others or you'll need to add log entries to each of your
> > other rules.
>
> There's another problem I can see here: this setup will generate a log
> entry on EVERY packet, which is clearly overkill. I think it would be
> more useful to log only the opening of the connection; this can be
> accomplished using, for example, the 'setup' keyword, e.g.:
>
> # Allow access to our WWW
> ${fwcmd} add pass log tcp from any to ${oip} 80 setup
>
> --
> // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
> // Prelude IDS: http://www.prelude-ids.org/
> // A dream will always triumph over reality, once it is given the chance.
> // -- Stanislaw Lem
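The question above asks for something like 'setup' for udp: seeing only the first packet from a host to a given port. Since ipfw's 'log' fires on every matching packet, one way to get that view is to post-process the syslog lines in userland. The following Python script is an added example, written for this thread and not posted by anyone in it: it parses ipfw log lines from a 'count log' rule and reports each (source host, destination host, destination port) only on first sight. The line layout it parses (`ipfw: <rule> <action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>`) is my recollection of the kernel's format and should be checked against a real line; the sample log lines are constructed.

```python
import re

# ipfw syslog line body as I recall the kernel emitting it (assumption; check
# a real line from your system and adjust the pattern if it differs):
#   ipfw: <rule> <action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <if>
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample, as if produced by 'count log' rules for udp and tcp.
SAMPLE_LOG = """\
Oct 15 12:58:01 gw kernel: ipfw: 100 Count UDP 192.0.2.10:40123 198.51.100.5:53 in via fxp0
Oct 15 12:58:01 gw kernel: ipfw: 100 Count UDP 198.51.100.5:53 192.0.2.10:40123 out via fxp0
Oct 15 12:58:02 gw kernel: ipfw: 100 Count UDP 192.0.2.10:40124 198.51.100.5:53 in via fxp0
Oct 15 12:58:03 gw kernel: ipfw: 100 Count UDP 192.0.2.77:5000 198.51.100.5:161 in via fxp0
Oct 15 12:58:04 gw kernel: ipfw: 100 Count TCP 192.0.2.10:51000 198.51.100.5:80 in via fxp0
"""

def parse_line(line):
    """Fields of one ipfw log line as a dict, or None if the line is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for k in ("rule", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec

def first_contacts(lines, proto="UDP"):
    """Keep only the first inbound packet per (src host, dst host, dst port).

    Replies ('out') and later packets of the same host->port pair are dropped,
    giving a stateless protocol the 'log on open' view TCP gets from 'setup'.
    """
    seen = set()
    firsts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != proto or rec["dir"] != "in":
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        if key not in seen:
            seen.add(key)
            firsts.append(rec)
    return firsts

if __name__ == "__main__":
    # In practice feed the lines of the syslog file that receives ipfw output.
    for r in first_contacts(SAMPLE_LOG.splitlines()):
        print(f"{r['src']} -> {r['dst']}:{r['dport']} via {r['iface']}")
```

Keying on (source, destination, destination port) means a host scanning several ports shows up once per port, while a busy DNS client shows up once, which is usually the split you want when reviewing a day's log.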