From: "Maildrop"
To: "Krzysztof Zaraska", "Mike Hoskins", "Maildrop"
Cc: freebsd-security@freebsd.org
Date: Tue, 15 Oct 2002 12:58:05 -0500
Subject: RE: FW: monitor ALL connections to ALL ports

Yep, this is exactly what I am looking for. All packets is a bit heavy on my hard drive :P

This only works with TCP though; is there anything to watch UDP packets (like the first packet from a host on a certain port)? I know UDP might be tougher, since it is stateless.
> -----Original Message-----
> From: Krzysztof Zaraska [mailto:kzaraska@student.uci.agh.edu.pl]
> Sent: Tuesday, October 15, 2002 10:57 AM
> To: Mike Hoskins; Maildrop
> Cc: freebsd-security@freebsd.org
> Subject: Re: FW: monitor ALL connections to ALL ports
>
> On Mon, 14 Oct 2002 14:58:50 -0700 (PDT)
> Mike Hoskins wrote:
>
> > > I put these rules in:
> > > ipfw add count log all from any to any
> >
> > Is this rule before the other allow rules in your chain? Since the rule
> > chain is parsed on a first-match basis, you'll either need this rule
> > before all others or you'll need to add log entries to each of your
> > other rules.
>
> There's another problem I can see here: this setup will generate a log
> entry on EVERY packet, which is clearly overkill. I think it would be
> more useful to log only the opening of the connection; this can be
> accomplished using, for example, the 'setup' keyword, e.g.:
>
> # Allow access to our WWW
> ${fwcmd} add pass log tcp from any to ${oip} 80 setup
>
> --
> // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
> // Prelude IDS: http://www.prelude-ids.org/
> // A dream will always triumph over reality, once it is given the chance.
> //  -- Stanislaw Lem
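The UDP question above has no `setup` equivalent, because there is no handshake to key on. As an added example (not code from this thread or from ipfw itself), the script below takes the syslog lines a `count log` rule produces and reports only the first inbound UDP packet per source host and destination port, which is the closest host-side approximation of "connection opening" for a stateless protocol. The log line layout is assumed from ipfw(8) logging, and the sample lines are constructed.

```python
import re
from collections import OrderedDict

# Tail of an ipfw syslog line. The layout is assumed from ipfw(8) logging, e.g.
# "ipfw: 100 Count UDP 192.0.2.10:1034 198.51.100.1:53 in via fxp0".
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

# Constructed sample syslog output (not taken from the thread).
SAMPLE_LOG = """\
Oct 15 12:58:05 jenny /kernel: ipfw: 100 Count UDP 192.0.2.10:1034 198.51.100.1:53 in via fxp0
Oct 15 12:58:05 jenny /kernel: ipfw: 100 Count UDP 198.51.100.1:53 192.0.2.10:1034 out via fxp0
Oct 15 12:58:06 jenny /kernel: ipfw: 100 Count UDP 192.0.2.10:1035 198.51.100.1:53 in via fxp0
Oct 15 12:58:07 jenny /kernel: ipfw: 100 Count TCP 192.0.2.11:40000 198.51.100.1:80 in via fxp0
Oct 15 12:58:09 jenny /kernel: ipfw: 100 Count UDP 192.0.2.11:2049 198.51.100.1:123 in via fxp0
Oct 15 12:58:10 jenny /kernel: ipfw: 100 Count UDP 192.0.2.10:1036 198.51.100.1:123 in via fxp0
Oct 15 12:58:11 jenny sshd[123]: unrelated syslog line
"""

def parse_ipfw_line(line):
    """Return a dict for an ipfw log line, or None for any other line."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for field in ("rule", "sport", "dport"):
        rec[field] = int(rec[field])
    return rec

def first_udp_contacts(lines):
    """First inbound UDP packet per (source host, destination port).
    UDP has no SYN to key on, so a conversation's start is approximated by
    the first packet seen for the pair; replies ('out') and TCP are skipped."""
    seen = OrderedDict()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["direction"] != "in":
            continue
        key = (rec["src"], rec["dport"])
        if key not in seen:
            seen[key] = rec  # keep the first sighting only
    return list(seen.values())

if __name__ == "__main__":
    for rec in first_udp_contacts(SAMPLE_LOG.splitlines()):
        print("%s -> udp/%d via %s" % (rec["src"], rec["dport"], rec["iface"]))
```

The kernel still logs every matching packet; this only thins what syslog recorded, so a rule that is narrowed to the ports you care about remains the first line of volume control.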