From owner-freebsd-security Tue Mar 28 06:19:09 2000
Delivered-To: freebsd-security@freebsd.org
Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id 0EFEB37BDE6 for ; Tue, 28 Mar 2000 06:19:01 -0800 (PST) (envelope-from dmartin@origen.com)
Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id IAA65162; Tue, 28 Mar 2000 08:18:39 -0600 (CST) (envelope-from dmartin@origen.com)
Message-ID: <38E0BF25.12B112C5@origen.com>
Date: Tue, 28 Mar 2000 08:18:13 -0600
From: Richard Martin
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: John Fitzgibbon
Cc: keramida@ceid.upatras.gr, freebsd-security@FreeBSD.ORG
Subject: Re: Publishing Firewall Logs
References: <003801bf9688$87418540$040ba8c0@fitz> <20000326161722.A5903@hades.hell.gr> <001701bf9777$9481cc20$040ba8c0@fitz>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just a postscript here on a different thought.

My question is on the usefulness of the information in the logs. We log most of the deny packets on our firewalls and these are reviewed frequently. We run down the more serious-looking ones, and I must say that in my experience about 60% of the scans that we get are from bogus IPs. Some are also quite clever, using unused IP addresses in our network.

Until there is a more global use of outbound packet checking by ISPs, I am afraid that a lot of people may just be filling up their hosts.allow file with chaff. I would likewise bet the information in the logs contains a lot of spoofed IPs.

-- 
Richard Martin            dmartin@origen.com
OriGen, inc.              Tel: +1 512 474 7278
2525 Hartford Rd.         Fax: +1 512 708 8522
Austin, TX 78703
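The triage the post describes (separating deny-log entries that carry obviously spoofed sources, including "our own" unused addresses arriving from outside, from the ones worth running down) can be automated. The script below is an added example, not code from the post or from the FreeBSD project. It parses ipfw syslog lines in the classic FreeBSD 4.x format (`ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] in|out via <iface>`) and classifies each source address. The interface name `fxp0`, the prefixes used as "our" address space (203.0.113.0/24 outside, 192.168.0.0/16 inside), the abbreviated bogon list and every sample log line are constructed for the example and are not taken from the original message; the documentation ranges are used so that nothing real is named. The "egress-spoof" category is the host-side version of the outbound packet checking the post asks ISPs for: a denied outbound packet whose source is not in our own prefix means something inside is spoofing.

```python
import ipaddress
import re
from collections import Counter

# Assumptions for this example (not from the original post): the outside
# interface is fxp0, our routable block is 203.0.113.0/24 and the inside
# network is 192.168.0.0/16.
EXTERNAL_IF = "fxp0"
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("192.168.0.0/16")]

# Abbreviated bogon list (assumed for the example): sources that can never
# legitimately arrive from the Internet, whoever they claim to be.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# ipfw syslog line, FreeBSD 4.x style. Ports are absent for ICMP, where the
# protocol field looks like "ICMP:8.0", hence the optional port groups.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample log lines (not real traffic), one deny per line.
SAMPLE_LOG = """\
Mar 28 06:19:01 fw /kernel: ipfw: 1000 Deny TCP 192.168.0.77:4567 203.0.113.10:22 in via fxp0
Mar 28 06:19:02 fw /kernel: ipfw: 1000 Deny TCP 203.0.113.200:1234 203.0.113.10:111 in via fxp0
Mar 28 06:19:03 fw /kernel: ipfw: 1000 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via fxp0
Mar 28 06:19:04 fw /kernel: ipfw: 1000 Deny TCP 198.51.100.9:3344 203.0.113.10:23 in via fxp0
Mar 28 06:19:05 fw /kernel: ipfw: 1000 Deny TCP 127.0.0.1:9 203.0.113.10:25 in via fxp0
Mar 28 06:19:06 fw /kernel: ipfw: 1000 Deny TCP 198.51.100.9:3345 203.0.113.10:80 in via fxp0
Mar 28 06:19:07 fw /kernel: ipfw: 1100 Deny TCP 10.9.9.9:5555 198.51.100.1:53 out via fxp0
"""


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def classify(src, direction, iface):
    """Label a denied packet's source by how much the address can be trusted."""
    addr = ipaddress.ip_address(src)
    ours = any(addr in net for net in OWN_PREFIXES)
    # Our own prefix showing up as a source on the outside interface is the
    # "unused IP addresses in our network" trick: it cannot be genuine.
    if direction == "in" and iface == EXTERNAL_IF and ours:
        return "spoofed-own-address"
    # Outbound traffic that does not carry our source is egress spoofing
    # originating inside; this is what per-site outbound checking catches.
    if direction == "out" and iface == EXTERNAL_IF and not ours:
        return "egress-spoof"
    if any(addr in net for net in BOGONS):
        return "bogon"
    return "routable"


def triage(log_text):
    """Count deny entries per category and collect the sources worth running down."""
    counts = Counter()
    to_investigate = Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        category = classify(rec["src"], rec["dir"], rec["iface"])
        counts[category] += 1
        if category == "routable":
            to_investigate[rec["src"]] += 1
    return {"counts": counts, "to_investigate": to_investigate}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, n in sorted(result["counts"].items()):
        print(f"{category:22s} {n}")
    print("sources to run down:", dict(result["to_investigate"]))
```

Only the "routable" bucket is a candidate for a hosts.allow or blocklist entry, and even those are unverified: a scanner can forge any address it likes, so a routable source in a deny log is a lead, not evidence. The other three buckets are exactly the chaff the post warns about and should never be turned into block rules.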