Date: Wed, 16 Oct 2002 16:28:50 +0100 (BST)
From: Jess Kitchen <jk@burstfire.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: FW: monitor ALL connections to ALL ports
Message-ID: <20021016162219.V62311-100000@platinum.daweb.net>
In-Reply-To: <NGBBIILBAKIFGHHCHOHPOEODFJAA.maildrop@qwest.net>
On Mon, 14 Oct 2002, Maildrop wrote:

> I put these rules in:
>
> ipfw add count log all from any to any
>
> I am getting messages in my log (/var/log/all.log) that appear like this:
> Oct 14 14:15:06 hydra /kernel: Connection attempt to UDP 192.168.17.1:161
> from 192.168.17.1:1166

Hi,

This doesn't look like ipfw logging output to me; in fact it seems indicative of net.inet.tcp.log_in_vain.

You may also have more mileage with ipfw if you tried something like this:

ipfw add 500 pass log tcp from any to any setup
ipfw add 600 pass tcp from any to any established

This will log initial connection setups but not ongoing traffic; for example, an ftp session would hose your logs quite a bit. Additionally, the count feature is always available to you, try:

ipfw show <rulenum>

Oh, and you need to put count/pass rules before an 'allow any to any' type rule, otherwise it won't get caught because the processing has already finished on the traffic. May be why you see no logging output currently.

Cheers,
J.

--
Jess Kitchen <jk@burstfire.net>
http://www.burstfire.net/
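The reply turns on telling two different kernel log sources apart: the "Connection attempt to ..." lines that net.inet.tcp.log_in_vain emits for packets to closed ports, and the "ipfw: <rule> <action> ..." lines that a `log` rule such as the `pass log tcp ... setup` rule above produces. The following script is an added example, not part of the original thread or of FreeBSD itself. It classifies syslog lines by source and tallies ipfw setup logs per destination port, which is the view the original poster was after. The sample lines are constructed for illustration (only the first one is quoted from the thread), and the ipfw log line layout assumed here (`ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in|out via <iface>`) is the TCP/UDP form; ICMP lines, which carry no ports, are not handled.

```python
import re
from collections import Counter

# Constructed sample syslog lines. Only the first is quoted from the thread; the
# rest are made up to illustrate the two kernel log sources side by side.
SAMPLE_LOG = """\
Oct 14 14:15:06 hydra /kernel: Connection attempt to UDP 192.168.17.1:161 from 192.168.17.1:1166
Oct 14 14:15:07 hydra /kernel: Connection attempt to TCP 192.168.17.1:23 from 10.0.0.5:40112
Oct 14 14:15:09 hydra /kernel: ipfw: 500 Accept TCP 10.0.0.5:40113 192.168.17.1:22 in via fxp0
Oct 14 14:15:10 hydra /kernel: ipfw: 500 Accept TCP 10.0.0.5:40114 192.168.17.1:80 in via fxp0
Oct 14 14:15:11 hydra /kernel: ipfw: 500 Accept TCP 10.0.0.5:40115 192.168.17.1:22 in via fxp0
Oct 14 14:15:12 hydra sshd[1234]: Accepted publickey for jk from 10.0.0.5 port 40113 ssh2
"""

# net.inet.tcp.log_in_vain / net.inet.udp.log_in_vain output: a packet arrived
# for a port nothing is listening on. Note the destination comes first.
LOG_IN_VAIN_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)"
)

# ipfw 'log' rule output (assumed TCP/UDP layout; ICMP lines have no ports).
# Here the source address comes first, the opposite order from log_in_vain.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out)(?: via (?P<iface>\S+))?"
)


def classify(line):
    """Return a dict describing the line's source and fields, or None if it is
    neither a log_in_vain nor an ipfw log line."""
    m = LOG_IN_VAIN_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["source"] = "log_in_vain"
        return rec
    m = IPFW_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["source"] = "ipfw"
        return rec
    return None


def summarize(text):
    """Count lines per source and ipfw-logged connections per (proto, dport).

    With a 'pass log tcp from any to any setup' rule, each ipfw line is one
    connection attempt (SYN), so the second counter is a per-port tally of
    new connections, not of every packet in the session."""
    sources = Counter()
    ipfw_ports = Counter()
    for line in text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        sources[rec["source"]] += 1
        if rec["source"] == "ipfw":
            ipfw_ports[(rec["proto"], rec["dport"])] += 1
    return sources, ipfw_ports


if __name__ == "__main__":
    by_source, by_port = summarize(SAMPLE_LOG)
    for src, n in sorted(by_source.items()):
        print(f"{src:12s} {n}")
    for (proto, port), n in sorted(by_port.items()):
        print(f"ipfw setup  {proto} dport {port}: {n}")
```

Running it against the sample shows two log_in_vain lines (which no ipfw rule produced) and three ipfw setup logs, two of them to TCP/22; the unrelated sshd line is ignored. The same split is a quick way to confirm whether a `log` rule is actually firing or whether, as the reply suggests, an earlier `allow any to any` is consuming the traffic first.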
