Date: Sat, 19 Jun 1999 10:21:34 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: jwyatt@RWSystems.net (James Wyatt)
Cc: synk@swcp.com, freebsd-security@FreeBSD.ORG
Subject: Re: ipf howto, tada
Message-ID: <199906190021.KAA26497@cheops.anu.edu.au>
In-Reply-To: <Pine.BSF.4.05.9906180939200.6084-100000@kasie.rwsystems.net> from "James Wyatt" at Jun 18, 99 09:54:39 am

In some mail from James Wyatt, sie said:
>
> On Fri, 18 Jun 1999, Darren Reed wrote:
[...]
> > > pass out quick proto tcp from 200.200.200.1/32 to any keep state
> >
> > This can be in or out...essentially when the packet first crosses your
> > perimeter. If it is a locally made connection going out then the above
> > is correct. If it is from another host on your LAN going through your
> > IP Filter firewall, then it should be "pass in" on the LAN interface.
>
> I've been considering the value of a 'firewall' interface that could track
> how long a TCP session was open. If you get in on anything but ssh/rsh and
> telnet for more than 5 min, it would trip... I've also wondered if it's
> keeping state, if it could feed start/end time when the session closed?

If you run ipmon with the "-a" command line option, it will display all
log information generated by IP Filter. This includes changes to the
state table, changes to the NAT table and of course packets logged
according to normal packet filtering rules.

For example, an NTP query shows up like this:

23/02/1999 00:00:36.340843 STATE:NEW 1.2.3.4,123 -> 5.6.7.8,123 PR udp
23/02/1999 00:01:36.374508 STATE:CLOSE 1.2.3.4,123 -> 5.6.7.8,123 PR udp Pkts 2 Bytes 152

And a NAT'd scp connection as follows:

28/02/1999 23:46:16.990175 @3 NAT:MAP 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22]
28/02/1999 23:47:03.060326 @3 NAT:EXPIRE 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22] Pkts 381 Bytes 117234

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
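
Added example, not code from the original message or from IP Filter: it pairs the STATE:NEW and STATE:CLOSE records printed by "ipmon -a" to recover per-session start/end times, and flags TCP sessions to ports other than ssh/rsh/telnet that stayed open longer than 5 minutes, as the quoted question asks. It assumes TCP state records use the same layout as the UDP lines in the message; the function name, the exempt port list and the tcp sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout of the STATE records as quoted in the message (tcp assumed identical).
STATE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"STATE:(?P<event>NEW|CLOSE) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+)"
    r"(?: Pkts (?P<pkts>\d+) Bytes (?P<bytes>\d+))?"
)

EXEMPT_PORTS = {22, 23, 514}       # ssh, telnet, rsh (assumed exemption list)
MAX_AGE = timedelta(minutes=5)     # threshold taken from the quoted question


def session_report(lines, exempt=EXEMPT_PORTS, max_age=MAX_AGE):
    """Pair STATE:NEW with STATE:CLOSE; return one dict per closed session."""
    open_states, closed = {}, []
    for line in lines:
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # NAT records, packet logs: not a state-table change
        ts = datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S.%f")
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"])
        if m["event"] == "NEW":
            open_states[key] = ts
            continue
        start = open_states.pop(key, None)
        if start is None:
            continue  # CLOSE with no NEW: the state predates this log
        age = ts - start
        closed.append({
            "flow": key, "start": start, "end": ts, "duration": age,
            "pkts": int(m["pkts"] or 0), "bytes": int(m["bytes"] or 0),
            "flag": m["proto"] == "tcp" and key[3] not in exempt and age > max_age,
        })
    return closed

# First three lines are from the message; the tcp lines are constructed samples.
SAMPLE = [
    "23/02/1999 00:00:36.340843 STATE:NEW 1.2.3.4,123 -> 5.6.7.8,123 PR udp",
    "23/02/1999 00:01:36.374508 STATE:CLOSE 1.2.3.4,123 -> 5.6.7.8,123 PR udp Pkts 2 Bytes 152",
    "28/02/1999 23:46:16.990175 @3 NAT:MAP 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22]",
    "23/02/1999 01:00:00.000000 STATE:NEW 10.0.0.5,1030 -> 5.6.7.8,80 PR tcp",
    "23/02/1999 01:06:30.000000 STATE:CLOSE 10.0.0.5,1030 -> 5.6.7.8,80 PR tcp Pkts 40 Bytes 9000",
    "23/02/1999 02:00:00.000000 STATE:NEW 10.0.0.5,1031 -> 5.6.7.8,22 PR tcp",
    "23/02/1999 02:10:00.000000 STATE:CLOSE 10.0.0.5,1031 -> 5.6.7.8,22 PR tcp Pkts 900 Bytes 120000",
]
```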