From owner-freebsd-security Wed Oct 16 02:09:57 2002
From: Danny.Carroll@mail.ing.nl
Subject: RE: FW: monitor ALL connections to ALL ports
Date: Wed, 16 Oct 2002 10:48:01 +0200
List-ID: freebsd-security@freebsd.org

Something else you could do, if you want to put the effort into it, is to
write a program that accepts all packets from ipfw (via a divert rule)
and then logs what you want before returning the untouched packet back
to ipfw.

Much like what natd does, except without the natting. I am sure the natd
sources would be very useful in this case.

-D

-----Original Message-----
From: Maildrop [mailto:maildrop@qwest.net]
Sent: 15 October 2002 19:58
To: Krzysztof Zaraska; Mike Hoskins; Maildrop
Cc: freebsd-security@freebsd.org
Subject: RE: FW: monitor ALL connections to ALL ports

Yep, this is exactly what I am looking for. All packets is a bit heavy
on my hard drive :P

This only works with tcp though, is there anything to watch udp packets
(like the first packet from a host on a certain port?) I know udp might
be tougher, since it is stateless.

> -----Original Message-----
> From: Krzysztof Zaraska [mailto:kzaraska@student.uci.agh.edu.pl]
> Sent: Tuesday, October 15, 2002 10:57 AM
> To: Mike Hoskins; Maildrop
> Cc: freebsd-security@freebsd.org
> Subject: Re: FW: monitor ALL connections to ALL ports
>
> On Mon, 14 Oct 2002 14:58:50 -0700 (PDT)
> Mike Hoskins wrote:
>
> > > I put this rule in:
> > > ipfw add count log all from any to any
> >
> > Is this rule before the other allow rules in your chain? Since the rule
> > chain is parsed on a first-match basis, you'll either need this rule
> > before all others or you'll need to add log entries to each of your
> > other rules.
>
> There's another problem I can see here: this setup will generate a log
> entry on EVERY packet, which is clearly overkill. I think it would be
> more useful to log only the opening of the connection; this can be
> accomplished using for example the 'setup' keyword, e.g.:
>
> # Allow access to our WWW
> ${fwcmd} add pass log tcp from any to ${oip} 80 setup
>
> --
> // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
> // Prelude IDS: http://www.prelude-ids.org/
> // A dream will always triumph over reality, once it is given the chance.
> // -- Stanislaw Lem
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
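The divert-socket logger Danny sketches, together with the UDP "first packet from a host on a port" question Maildrop raises, as an added example that is not code from the thread or from natd. It assumes divert port 8668 (pair it with an `ipfw add divert 8668 ip from any to any` rule), a fixed-size table of 1024 seen (source host, destination port) pairs, and constructed sample packets rather than captured traffic. Only the `main()` loop is FreeBSD-specific; the parsing and logging decision compile and run anywhere.

```c
/* Added example (not from the thread or natd): ipfw hands packets to a
 * divert socket, the program logs what it wants, then returns the packet
 * untouched. Divert port 8668 and SEEN_MAX are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct conn_summary {
    uint8_t  proto;          /* 6 = TCP, 17 = UDP, anything else = other IP */
    uint32_t src, dst;       /* host-order IPv4 addresses */
    uint16_t sport, dport;   /* host-order ports (0 unless TCP/UDP) */
    uint8_t  tcp_flags;      /* raw TCP flag byte; 0 unless proto == 6 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Parse an IPv4 packet into a 5-tuple (+ TCP flags). Returns 0 on success,
 * -1 if the buffer is shorter than the headers need, so a truncated packet
 * is never logged with garbage ports. */
int summarize_packet(const uint8_t *pkt, size_t len, struct conn_summary *out) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl) return -1;
    memset(out, 0, sizeof *out);
    out->proto = pkt[9];
    out->src = rd32(pkt + 12);
    out->dst = rd32(pkt + 16);
    const uint8_t *l4 = pkt + ihl;
    size_t l4len = len - ihl;
    if (out->proto == 6) {                 /* TCP: need ports and the flag byte */
        if (l4len < 14) return -1;
        out->sport = rd16(l4); out->dport = rd16(l4 + 2); out->tcp_flags = l4[13];
    } else if (out->proto == 17) {         /* UDP: need the 8-byte header */
        if (l4len < 8) return -1;
        out->sport = rd16(l4); out->dport = rd16(l4 + 2);
    }
    return 0;
}

/* "First packet from this host to this port" table for the stateless UDP
 * case. Returns 1 the first time a (src, dport) pair is seen, 0 afterwards. */
#define SEEN_MAX 1024                      /* assumption */
static struct { uint32_t src; uint16_t dport; } seen[SEEN_MAX];
static size_t seen_n;

int udp_first_seen(uint32_t src, uint16_t dport) {
    for (size_t i = 0; i < seen_n; i++)
        if (seen[i].src == src && seen[i].dport == dport) return 0;
    if (seen_n < SEEN_MAX) { seen[seen_n].src = src; seen[seen_n].dport = dport; seen_n++; }
    return 1;
}

/* Log TCP only on SYN-without-ACK (what ipfw's `setup` keyword matches),
 * UDP only on the first packet per (source host, destination port). */
int should_log(const struct conn_summary *s) {
    if (s->proto == 6) return (s->tcp_flags & 0x12) == 0x02;
    if (s->proto == 17) return udp_first_seen(s->src, s->dport);
    return 0;
}

int format_log_line(const struct conn_summary *s, char *buf, size_t buflen) {
    return snprintf(buf, buflen, "%s %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u",
        s->proto == 6 ? "TCP" : s->proto == 17 ? "UDP" : "IP",
        s->src >> 24, (s->src >> 16) & 255u, (s->src >> 8) & 255u, s->src & 255u, (unsigned)s->sport,
        s->dst >> 24, (s->dst >> 16) & 255u, (s->dst >> 8) & 255u, s->dst & 255u, (unsigned)s->dport);
}

/* Constructed sample packets (not captured traffic): a TCP SYN and a UDP
 * datagram from 10.0.0.5. Returns the number of expectations met (5). */
int run_constructed_samples(void) {
    static const uint8_t syn[40] = { 0x45,0,0,40, 0,0,0,0, 64,6,0,0, 10,0,0,5, 192,0,2,80,
        0x9c,0x40, 0,80, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
    static const uint8_t udp[28] = { 0x45,0,0,28, 0,0,0,0, 64,17,0,0, 10,0,0,5, 192,0,2,53,
        0x13,0x88, 0,53, 0,8, 0,0 };
    struct conn_summary s; char line[128]; int ok = 0;
    ok += summarize_packet(syn, sizeof syn, &s) == 0 && should_log(&s);   /* SYN: logged */
    format_log_line(&s, line, sizeof line);
    ok += strcmp(line, "TCP 10.0.0.5:40000 -> 192.0.2.80:80") == 0;
    ok += summarize_packet(udp, sizeof udp, &s) == 0 && should_log(&s);   /* first UDP: logged */
    ok += summarize_packet(udp, sizeof udp, &s) == 0 && !should_log(&s);  /* repeat: suppressed */
    ok += summarize_packet(syn, 30, &s) == -1;                            /* truncated: rejected */
    return ok;
}

#ifdef __FreeBSD__
#include <sys/socket.h>
#include <netinet/in.h>
/* Pair with: ipfw add divert 8668 ip from any to any   (port is an assumption) */
int main(void) {
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(8668) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert"); return 1; }
    uint8_t pkt[65535]; char line[128];
    for (;;) {
        struct sockaddr_in from; socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) continue;
        struct conn_summary s;
        if (summarize_packet(pkt, (size_t)n, &s) == 0 && should_log(&s)) {
            format_log_line(&s, line, sizeof line); puts(line);
        }
        /* Hand the packet back to ipfw unchanged; the address recvfrom filled
         * in tells the kernel where in the rule chain to resume. */
        sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&from, fromlen);
    }
}
#endif
```

The logging decision mirrors the thread's two ideas: TCP is logged only when the SYN arrives without ACK, the same condition ipfw's `setup` keyword matches, and UDP, having no handshake, is logged once per (source host, destination port) pair, which is the "first packet from a host on a certain port" behaviour asked about. The seen-table is bounded and never evicts, so on a busy gateway it will fill and then stop logging new pairs; a real tool would age entries out.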