From owner-freebsd-security  Tue Oct 15 11:42:46 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0302B37B401
	for <freebsd-security@freebsd.org>; Tue, 15 Oct 2002 11:42:45 -0700 (PDT)
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 219C243E9C
	for <freebsd-security@freebsd.org>; Tue, 15 Oct 2002 11:42:44 -0700 (PDT)
	(envelope-from kzaraska@student.uci.agh.edu.pl)
Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2])
	by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with SMTP
	id 6D0FF1F8F; Tue, 15 Oct 2002 18:42:38 +0000 (GMT)
Date: Tue, 15 Oct 2002 20:44:32 +0200
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: "Maildrop" <maildrop@qwest.net>
Cc: freebsd-security@freebsd.org
Subject: Re: FW: monitor ALL connections to ALL ports
Message-Id: <20021015204432.22f7be8d.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <NGBBIILBAKIFGHHCHOHPEECLFKAA.maildrop@qwest.net>
References: <20021015175714.6ecbd83a.kzaraska@student.uci.agh.edu.pl>
	<NGBBIILBAKIFGHHCHOHPEECLFKAA.maildrop@qwest.net>
X-Mailer: Sylpheed version 0.8.0 (GTK+ 1.2.10; i686-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Tue, 15 Oct 2002 12:58:05 -0500
"Maildrop" <maildrop@qwest.net> wrote:

> 
> Yep, this is exactly what I am looking for.  All packets, is a bit heavy
> on my hard drive :P  This only works with tcp though, is there any thing
> to watch udp packets (like the first packet from a host on a certain
> port?)  I know udp might be tougher, since it is stateless.

${fwcmd} add pass log udp from ${oip}:${omask} to any keep-state

This should handle outgoing UDP traffic. 

When a packet is matched, a dynamic rule matching packets being part of
the connection (same protocol, IP, and port numbers in both directions) is
added into the ruleset. Dynamic rule has a limited lifetime, and is
removed when expires. man ipfw for details, see information on
check-state, keep-state. 

-- 
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
//		-- Stanislaw Lem



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message