Date:      Wed, 16 Oct 2002 10:48:01 +0200
From:      <Danny.Carroll@mail.ing.nl>
To:        <maildrop@qwest.net>
Cc:        <freebsd-security@freebsd.org>
Subject:   RE: FW: monitor ALL connections to ALL ports
Message-ID:  <C6304883FB11E347AD4958D3F14EC00AE89354@ing.com>


Something else you could do, if you want to put the effort into it, is to write a program that accepts all packets from ipfw (via a divert rule) and then logs what you want before returning the untouched packet back to ipfw.

Much like what natd does, except without the natting.
I am sure the natd sources would be very useful in this case.

-D
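The divert-logger idea above, as an added example that is not part of this mail or of natd: the filtering half of such a program, which takes each raw IPv4 packet ipfw hands over and decides whether it is a "connection opening" worth logging, covering TCP (SYN without ACK, what ipfw's `setup` matches) and the UDP case asked about earlier (first packet from a source host to a destination port, my reading of that question). The divert port 8668 is a constructed value, and the socket loop only compiles on FreeBSD.

```c
/* Added example (not from the thread or natd): the "log what you want" half
 * of an ipfw divert logger.  decide_log() keeps connection openings only:
 * TCP SYN without ACK (what ipfw's "setup" matches) and the first UDP packet
 * per (source host, destination port).  Divert port 8668 is a constructed value. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
enum { MAX_UDP = 1024 }; static struct { uint32_t src; uint16_t dport; } udp_seen[MAX_UDP]; static int udp_n;

/* Returns 1 and fills line when the raw IPv4 packet is a connection opening. */
int decide_log(const uint8_t *pkt, size_t len, char *line, size_t linelen)
{
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN]; struct in_addr sa, da;
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;               /* IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return 0;                    /* need the L4 ports */
    memcpy(&sa, pkt + 12, 4); memcpy(&da, pkt + 16, 4);         /* unaligned-safe copy */
    unsigned sport = (pkt[ihl] << 8) | pkt[ihl + 1], dport = (pkt[ihl + 2] << 8) | pkt[ihl + 3];
    inet_ntop(AF_INET, &sa, s, sizeof s); inet_ntop(AF_INET, &da, d, sizeof d);
    if (pkt[9] == 6) {                                          /* TCP: SYN set, ACK clear */
        if (len < ihl + 14 || (pkt[ihl + 13] & 0x12) != 0x02) return 0;
        snprintf(line, linelen, "TCP setup %s:%u -> %s:%u", s, sport, d, dport); return 1;
    }
    if (pkt[9] == 17) {                                         /* UDP: first (src host, dst port) */
        for (int i = 0; i < udp_n; i++)
            if (udp_seen[i].src == sa.s_addr && udp_seen[i].dport == dport) return 0;
        if (udp_n < MAX_UDP) { udp_seen[udp_n].src = sa.s_addr; udp_seen[udp_n].dport = (uint16_t)dport; udp_n++; }
        snprintf(line, linelen, "UDP first %s:%u -> %s:%u", s, sport, d, dport); return 1;
    }
    return 0;                                                   /* anything else: pass, no log */
}

#ifdef IPPROTO_DIVERT   /* FreeBSD only; pair with: ipfw add divert 8668 ip from any to any */
int main(void)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(8668) };
    socklen_t sl; uint8_t pkt[65535]; char line[128]; ssize_t n;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert"); return 1; }
    for (;;) {
        sl = sizeof sin;
        if ((n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&sin, &sl)) < 0) break;
        if (decide_log(pkt, (size_t)n, line, sizeof line)) puts(line);
        sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&sin, sl);   /* reinject untouched */
    }
    return 0;
}
#endif
```

Like natd, the program must reinject every packet it receives (logged or not), or ipfw drops the traffic it diverted.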

-----Original Message-----
From: Maildrop [mailto:maildrop@qwest.net]
Sent: 15 October 2002 19:58
To: Krzysztof Zaraska; Mike Hoskins; Maildrop
Cc: freebsd-security@freebsd.org
Subject: RE: FW: monitor ALL connections to ALL ports



Yep, this is exactly what I am looking for.  All packets is a bit heavy on
my hard drive :P  This only works with tcp though, is there anything to
watch udp packets (like the first packet from a host on a certain port?)  I
know udp might be tougher, since it is stateless.

> -----Original Message-----
> From: Krzysztof Zaraska [mailto:kzaraska@student.uci.agh.edu.pl]
> Sent: Tuesday, October 15, 2002 10:57 AM
> To: Mike Hoskins; Maildrop
> Cc: freebsd-security@freebsd.org
> Subject: Re: FW: monitor ALL connections to ALL ports
>
>
> On Mon, 14 Oct 2002 14:58:50 -0700 (PDT)
> Mike Hoskins <mike@adept.org> wrote:
>
> > > I put these rules in:
> > > ipfw add count log all from any to any
> >
> > Is this rule before the other allow rules in your chain?  Since the rule
> > chain is parsed on a first-match basis, you'll either need this rule
> > before all others or you'll need to add log entries to each of your
> > other rules.
>
> There's another problem I can see here: this setup will generate a log
> entry on EVERY packet, which is clearly overkill. I think it would be
> more useful to log only opening of the connection; this can be
> accomplished using for example a 'setup' keyword, e.g.:
>
> # Allow access to our WWW
> ${fwcmd} add pass log tcp from any to ${oip} 80 setup
>
>
> --
> // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
> // Prelude IDS: http://www.prelude-ids.org/
> // A dream will always triumph over reality, once it is given the chance.
> //		-- Stanislaw Lem
>
>
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C6304883FB11E347AD4958D3F14EC00AE89354>