Date: Tue, 26 Oct 2004 07:44:10 +0400
From: Sergey Zaharchenko <doublef@tele-kom.ru>
To: Nikos Vassiliadis <nvass@teledome.gr>
Cc: Spades <spades@galaxynet.org>
Subject: Re: ipfw flooding in /var/log/ipfw.log
Message-ID: <20041026034409.GB475@shark.localdomain>
In-Reply-To: <200410251748.00620.nvass@teledome.gr>
References: <057501c4ba7d$d65a7fb0$0300a8c0@astral> <20041025133443.GA6371@shark.localdomain> <064801c4ba99$169fcab0$0300a8c0@astral> <200410251748.00620.nvass@teledome.gr>
On Mon, Oct 25, 2004 at 05:48:00PM +0300, Nikos Vassiliadis probably wrote:
> On Monday 25 October 2004 16:46, Spades wrote:
> > error:
> >
> > # ipfw add 900 allow log all from any to any setup
> > ipfw: unknown argument ``setup''
>
> setup is available only for TCP connections. So
> ipfw add allow log logamount 0 tcp from any to any setup
> would be the correct one. But this is hardly what
> you want to do, since it matches only the three-way
> handshake TCP does. The rest of the stream will
> be dropped if your last rule (65535) is the default one
> (deny ip from any to any)
>
> This will log every TCP connection setup, and let the rest
> of the stream flow:
> allow log logamount 0 tcp from any to any setup
> allow tcp from any to any
>
> BUT this is not a firewall setup. It's just a TCP connection
> logger. You should do a little reading about TCP/IP, in order
> to understand how to set up a firewall.
>

From the start of this thread:
> I would like to monitor the connections (source IP + destination port)
> of all connections to my server, can I use ipfw?

I assumed that the OP was familiar with ipfw.

BTW, Spades: If you `allow' any packets before those rules, they will not
be matched by the rules suggested. In short, IPFW only processes a packet
until it matches an allow/deny rule, and then takes action and stops
processing. You should add the `log' keyword to any rule where you allow
(or deny) a connection.

If you use a `count log logamount 0 tcp from any to any setup' before any
other rules, you should be logging all the TCP connections while you can
later allow or deny in your ruleset. However, that wouldn't be too
informative, as it wouldn't say if the connection was accepted.

--
DoubleF
Alexander Graham Bell is alive and well in New York, and still waiting for a dial tone.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFBfcgJwo7hT/9lVdwRAtr4AJ44DpfIF9j1ViBuCiX3iRnJ8HdI7gCggjoa
MrcCvLpp4ZwS7IRI46kCGOo=
=uSg9
-----END PGP SIGNATURE-----
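The thread's point about rule order (ipfw stops at the first allow/deny it matches, so a logging rule placed after an `allow` never fires, and a `count log` placed first records every SYN without saying whether it was accepted) is easy to see with a small model. The following is an added example, not code from the thread or from ipfw itself: a toy evaluator for the subset of ipfw rule syntax quoted above (`allow`/`deny`/`count`, optional `log logamount N`, `tcp`/`udp`/`ip`/`all`, `from any to any`, optional `setup`). Rule numbers, packet addresses and the log line layout are constructed and only approximate what the real `ipfw` log line looks like.

```python
"""Toy model of ipfw's first-match rule processing (added example, not ipfw).
It only exists to show why rule order decides what ends up in ipfw.log."""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    setup: bool = False  # TCP SYN without ACK: what ipfw's "setup" keyword matches


@dataclass
class Rule:
    number: int
    action: str          # "allow", "deny" or "count"
    proto: str           # "tcp", "udp", "ip" or "all" (the last two match everything)
    setup: bool = False  # only valid together with proto "tcp"
    log: bool = False


def parse_rule(number, text):
    """Parse the rule syntax used in the thread, e.g.
    'allow log logamount 0 tcp from any to any setup'.
    Addresses are limited to 'any' in this model."""
    tokens = text.split()
    action = tokens.pop(0)
    log = False
    if tokens and tokens[0] == "log":
        tokens.pop(0)
        log = True
        if tokens and tokens[0] == "logamount":
            del tokens[:2]  # 'logamount 0' = no cap on the number of logged packets
    proto = tokens.pop(0)
    if tokens[:4] != ["from", "any", "to", "any"]:
        raise ValueError("model only supports 'from any to any'")
    del tokens[:4]
    setup = "setup" in tokens
    if setup and proto != "tcp":
        # same complaint ipfw gives for 'all ... setup' in the thread
        raise ValueError("ipfw: unknown argument ``setup''")
    return Rule(number, action, proto, setup, log)


def check_rule(number, text):
    """Return the parser's error message, or None when the rule is accepted."""
    try:
        parse_rule(number, text)
        return None
    except ValueError as exc:
        return str(exc)


def matches(rule, pkt):
    if rule.proto not in ("ip", "all") and rule.proto != pkt.proto:
        return False
    if rule.setup and not (pkt.proto == "tcp" and pkt.setup):
        return False
    return True


def process(rules, pkt):
    """Walk the ruleset in number order. Each matching rule with 'log' emits a
    line; 'count' keeps going, 'allow'/'deny' ends processing. Falling off
    the end hits the default rule 65535 (deny ip from any to any).
    Returns (final action, log lines)."""
    log = []
    for rule in sorted(rules, key=lambda r: r.number):
        if not matches(rule, pkt):
            continue
        if rule.log:
            verb = {"allow": "Accept", "deny": "Deny", "count": "Count"}[rule.action]
            log.append(f"ipfw: {rule.number} {verb} {pkt.proto.upper()} "
                       f"{pkt.src} {pkt.dst}:{pkt.dport}")
        if rule.action in ("allow", "deny"):
            return rule.action, log
    return "deny", log


def trace(ruleset_text):
    """Build a ruleset from (number, text) pairs and push a constructed TCP
    connection (SYN, then a data segment) and one UDP packet through it."""
    rules = [parse_rule(n, t) for n, t in ruleset_text]
    pkts = {
        "syn":  Packet("tcp", "10.0.0.5", "192.0.2.1", 22, setup=True),
        "data": Packet("tcp", "10.0.0.5", "192.0.2.1", 22),
        "udp":  Packet("udp", "10.0.0.5", "192.0.2.1", 53),
    }
    return {name: process(rules, p) for name, p in pkts.items()}


# Rulesets discussed in the thread; rule numbers are constructed for the model.
SETUP_ONLY = [(100, "allow log logamount 0 tcp from any to any setup")]
SETUP_THEN_ALLOW = SETUP_ONLY + [(200, "allow tcp from any to any")]
ALLOW_FIRST = [(50, "allow tcp from any to any")] + SETUP_ONLY
COUNT_FIRST = [(10, "count log logamount 0 tcp from any to any setup"),
               (200, "deny tcp from any to any")]

if __name__ == "__main__":
    print(check_rule(900, "allow log all from any to any setup"))
    for name, rs in [("setup only", SETUP_ONLY), ("setup then allow", SETUP_THEN_ALLOW),
                     ("allow first", ALLOW_FIRST), ("count first", COUNT_FIRST)]:
        print(name)
        for pkt, (action, log) in trace(rs).items():
            print(f"  {pkt:4} -> {action:5} {log}")
```

Running it shows the four cases from the thread side by side: with only the `setup` rule the SYN is logged and the rest of the stream falls through to the default deny; adding `allow tcp from any to any` after it lets the data flow unlogged; an `allow tcp` placed before the logging rule means the SYN is accepted without ever reaching it; and `count log ... setup` first logs a `Count` line for every SYN even though the connection is then denied, which is exactly why that log does not tell you whether the connection was accepted.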
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041026034409.GB475>