From owner-freebsd-security Tue Mar 28 9:41:53 2000
Date: Tue, 28 Mar 2000 11:37:20 -0600 (CST)
From: James Wyatt
To: Richard Martin
Cc: John Fitzgibbon, keramida@ceid.upatras.gr, freebsd-security@FreeBSD.ORG
Subject: Re: Publishing Firewall Logs
In-Reply-To: <38E0BF25.12B112C5@origen.com>

On Tue, 28 Mar 2000, Richard Martin wrote:
[ ... ]
> frequently. We run down the more serious-looking ones, and I must say that in
> my experience about 60% of the scans that we get are from bogus IPs. Some are
> also quite clever, using unused IP addresses in our network. Until there is a
> more global use of outbound packet checking by ISPs, I am afraid that a lot of
> people may just be filling up their hosts.allow file with chaff.
>
> I would likewise bet the information in the logs contains a lot of spoofed
> IPs.

Thus you are providing a test anvil for their learning packet forging and
knowing what makes it past your router filters into your host filters.

That said, I've been thinking about making our logs viewable as well. It is a
good training tool for my customers to see what they should expect.

My 2 bits, literally - Jy@

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
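The thread's point is that a large share of the source addresses in a firewall's deny log cannot have sent the packets at all (RFC 1918 space, loopback, or the site's own addresses arriving on the outside interface), so feeding them into hosts.allow is "chaff". The script below is an added example, not code from the thread or from FreeBSD: it runs that triage over constructed ipfw(8) syslog lines. The site's own block (192.0.2.0/24), the external interface name (fxp0), and the sample log lines are all assumptions made for the example.

```python
import ipaddress
import re

# Assumed for this example (the thread does not state them): the site's own
# address block and the interface that faces the ISP.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
EXTERNAL_IFACE = "fxp0"

# Source networks that can never legitimately arrive from the Internet.
# Listed explicitly rather than via ipaddress.is_private, which would also
# flag the documentation ranges used for the constructed scanners below.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# ipfw(8) syslog shape for TCP/UDP denies:
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
# ICMP lines carry no ports and are skipped by this parser.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample log lines (not taken from the thread or any real host).
SAMPLE_LOG = """\
Mar 28 11:37:20 fw /kernel: ipfw: 100 Deny TCP 203.0.113.45:3421 192.0.2.2:23 in via fxp0
Mar 28 11:37:21 fw /kernel: ipfw: 100 Deny TCP 10.8.0.14:61000 192.0.2.2:111 in via fxp0
Mar 28 11:37:22 fw /kernel: ipfw: 100 Deny UDP 192.0.2.200:53 192.0.2.2:53 in via fxp0
Mar 28 11:37:23 fw /kernel: ipfw: 100 Deny TCP 198.51.100.7:2048 192.0.2.2:139 in via fxp0
Mar 28 11:37:24 fw /kernel: ipfw: 100 Deny TCP 127.0.0.1:1024 192.0.2.2:22 in via fxp0
Mar 28 11:37:25 fw /kernel: ipfw: 200 Deny ICMP:8.0 203.0.113.9 192.0.2.2 in via fxp0
"""


def classify_source(src, direction, iface):
    """Return 'spoofed-local', 'bogon', or 'plausible' for one logged source."""
    addr = ipaddress.ip_address(src)
    # Our own address space cannot legitimately enter on the outside interface.
    if direction == "in" and iface == EXTERNAL_IFACE and addr in LOCAL_NET:
        return "spoofed-local"
    if any(addr in net for net in BOGON_NETS):
        return "bogon"
    # Not provably forged; still unverified, since nothing here proves
    # the upstream performed source-address (egress) filtering.
    return "plausible"


def triage(log_text):
    """Parse ipfw TCP/UDP deny lines and attach a verdict to each."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue  # ICMP or non-ipfw line; not handled by this parser
        verdict = classify_source(m["src"], m["dir"], m["iface"])
        hits.append({"src": m["src"], "dport": int(m["dport"]), "verdict": verdict})
    return hits


def summarize(hits):
    """Count verdicts so the chaff share of the log is visible at a glance."""
    counts = {"plausible": 0, "bogon": 0, "spoofed-local": 0}
    for h in hits:
        counts[h["verdict"]] += 1
    return counts


def worth_blocking(hits):
    """Only sources that could actually have sent the packet are candidates
    for hosts.allow or a router ACL; the rest would just be chaff."""
    return sorted({h["src"] for h in hits if h["verdict"] == "plausible"})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['src']:>16} -> port {h['dport']:<5} {h['verdict']}")
    print(summarize(hits))
    print("candidates:", worth_blocking(hits))
```

Run it against a real ipfw deny log (syslog output of `ipfw add deny log ...`) after setting LOCAL_NET and EXTERNAL_IFACE for the site. Note what "plausible" does and does not mean: it only says the address is not provably forged. Without the upstream source-address filtering the thread asks for, a plausible-looking address can still be someone else's, which is exactly why a published log teaches a forger which of their sources got through.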