Date:      Wed, 16 Oct 2002 10:48:01 +0200
From:      <Danny.Carroll@mail.ing.nl>
To:        <maildrop@qwest.net>
Cc:        <freebsd-security@freebsd.org>
Subject:   RE: FW: monitor ALL connections to ALL ports
Message-ID:  <C6304883FB11E347AD4958D3F14EC00AE89354@ing.com>

Something else you could do, if you want to put the effort into it, is to
write a program that accepts all packets from ipfw (via a divert rule)
and then logs what you want before returning the untouched packet back
to ipfw.

Much like what natd does, except without the natting.
I am sure the natd sources would be very useful in this case.

-D
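
As an added example (not code from this thread or from natd), here is the packet-inspection core of the divert-socket logger described above, together with a FreeBSD-only read/reinject loop. It assumes divert port 8668 and IPv4, logs TCP connection setups the way ipfw's `setup` keyword selects them (SYN without ACK), and logs every UDP packet, since UDP has no handshake to key on.

```c
/* Added example, not from the thread: fmt_log() takes an IPv4 packet as ipfw
 * hands it to a divert socket and writes one log line for TCP setups (SYN
 * without ACK) and for every UDP packet.  The FreeBSD-only main() reads from
 * divert port 8668 (assumed; pair with "ipfw add divert 8668 ip from any to any"). */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define TH_SYN 0x02
#define TH_ACK 0x10
/* Returns 1 and fills out[] when the packet is worth logging, otherwise 0. */
int fmt_log(const unsigned char *pkt, size_t len, char *out, size_t outlen)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;            /* IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return 0;                  /* need the L4 ports */
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, pkt + 12, src, sizeof src);
    inet_ntop(AF_INET, pkt + 16, dst, sizeof dst);
    unsigned sport = (pkt[ihl] << 8) | pkt[ihl + 1];
    unsigned dport = (pkt[ihl + 2] << 8) | pkt[ihl + 3];
    if (pkt[9] == 6) {                                        /* TCP */
        if (len < ihl + 14) return 0;
        if ((pkt[ihl + 13] & (TH_SYN | TH_ACK)) != TH_SYN) return 0; /* not a setup */
        snprintf(out, outlen, "tcp setup %s:%u -> %s:%u", src, sport, dst, dport);
        return 1;
    }
    if (pkt[9] == 17) {                                       /* UDP: stateless, log each */
        snprintf(out, outlen, "udp %s:%u -> %s:%u", src, sport, dst, dport);
        return 1;
    }
    return 0;
}
#ifdef __FreeBSD__
int main(void)
{
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(8668) };
    if (s < 0 || bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) return 1;
    unsigned char buf[65535]; char line[128];
    for (;;) {
        socklen_t sl = sizeof sin;                   /* sin also carries the reinject info */
        ssize_t n = recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&sin, &sl);
        if (n <= 0) break;
        if (fmt_log(buf, (size_t)n, line, sizeof line)) puts(line);
        sendto(s, buf, (size_t)n, 0, (struct sockaddr *)&sin, sl);  /* hand back to ipfw */
    }
    return 0;
}
#endif
```

Reinjecting with the same sockaddr that recvfrom filled in is what keeps the packet's direction and interface intact; dropping a packet instead of reinjecting it would silently turn the logger into a filter.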

-----Original Message-----
From: Maildrop [mailto:maildrop@qwest.net]
Sent: 15 October 2002 19:58
To: Krzysztof Zaraska; Mike Hoskins; Maildrop
Cc: freebsd-security@freebsd.org
Subject: RE: FW: monitor ALL connections to ALL ports



Yep, this is exactly what I am looking for.  All packets is a bit heavy on
my hard drive :P  This only works with tcp though, is there anything to
watch udp packets (like the first packet from a host on a certain port?)  I
know udp might be tougher, since it is stateless.

> -----Original Message-----
> From: Krzysztof Zaraska [mailto:kzaraska@student.uci.agh.edu.pl]
> Sent: Tuesday, October 15, 2002 10:57 AM
> To: Mike Hoskins; Maildrop
> Cc: freebsd-security@freebsd.org
> Subject: Re: FW: monitor ALL connections to ALL ports
>
>
> On Mon, 14 Oct 2002 14:58:50 -0700 (PDT)
> Mike Hoskins <mike@adept.org> wrote:
>
> > > I put these rule in:
> > > ipfw add count log all from any to any
> >
> > Is this rule before the other allow rules in your chain?  Since the rule
> > chain is parsed on a first-match basis, you'll either need this rule
> > before all others or you'll need to add log entries to each of your
> > other rules.
>
> There's another problem I can see here: this setup will generate a log
> entry on EVERY packet, which is clearly overkill. I think it would be
> more useful to log only the opening of the connection; this can be
> accomplished using for example the 'setup' keyword, e.g.:
>
> # Allow access to our WWW
> ${fwcmd} add pass log tcp from any to ${oip} 80 setup
>
>
> --
> // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
> // Prelude IDS: http://www.prelude-ids.org/
> // A dream will always triumph over reality, once it is given the chance.
> //		-- Stanislaw Lem
>
>
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
