Date: Thu, 29 Sep 2005 11:45:42 -0400
From: Bob Johnson <fbsdlists@gmail.com>
To: freebsd-questions@freebsd.org
Cc: bobo1009@mailtest2.eng.ufl.edu
Subject: IPFW logging and dynamic rules
Message-ID: <54db439905092908455157e6a3@mail.gmail.com>
In FreeBSD 5.4R, I tried an IPFW configuration that includes something
like this (plus a lot of other rules):
check-state
deny tcp from any to any established
allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
+ other rules that use keep-state
When I do this, _every_ ssh packet is logged, in both directions. To
get it to log ONLY the initial connection, I had to give up on using
dynamic rules for ssh and instead do something like:
allow log tcp from any to ${my-ip} dst-port 22 setup
allow tcp from any to ${my-ip} dst-port 22 established
allow tcp from ${my-ip} 22 to any established
check-state
deny tcp from any to any established
+ other rules that use keep-state
So now I have lost the per-host ssh limit rule I wanted to include,
and I am filtering packets on flags that can be spoofed
("established") rather than the actual dynamic state of the
connection. Am I wrong to believe there is an advantage to this?
Is there some way to get the first version to log only the initial
packet while still retaining the dynamic limit src-addr rule?
Thanks,
- Bob
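As an added example (not part of Bob's message or of any FreeBSD code), the script below reduces per-packet ipfw log lines, like those the first ruleset produces, back to distinct ssh connections per source address and flags sources above the "limit src-addr 3" threshold the rule was meant to enforce. The log lines, the rule number 300 and the addresses are constructed for this example; 203.0.113.5 stands in for ${my-ip}.

```python
import re
from collections import defaultdict

# ipfw syslog format: "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)"
)
# Constructed sample (not real traffic); 203.0.113.5 stands in for ${my-ip}.
SAMPLE_LOG = """\
Sep 29 11:45:42 gw kernel: ipfw: 300 Accept TCP 192.0.2.10:51234 203.0.113.5:22 in via em0
Sep 29 11:45:42 gw kernel: ipfw: 300 Accept TCP 203.0.113.5:22 192.0.2.10:51234 out via em0
Sep 29 11:45:42 gw kernel: ipfw: 300 Accept TCP 192.0.2.10:51234 203.0.113.5:22 in via em0
Sep 29 11:45:50 gw kernel: ipfw: 300 Accept TCP 192.0.2.10:51235 203.0.113.5:22 in via em0
Sep 29 11:46:01 gw kernel: ipfw: 300 Accept TCP 198.51.100.7:40001 203.0.113.5:22 in via em0
Sep 29 11:46:01 gw kernel: ipfw: 300 Accept TCP 203.0.113.5:22 198.51.100.7:40002 out via em0
Sep 29 11:46:02 gw kernel: ipfw: 300 Accept TCP 198.51.100.7:40003 203.0.113.5:22 in via em0
Sep 29 11:46:02 gw kernel: ipfw: 300 Accept TCP 198.51.100.7:40004 203.0.113.5:22 in via em0
"""

def parse_line(line):
    """Fields of one ipfw log line as a dict (ports as ints), or None."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def ssh_connections(log_text, ssh_port=22):
    """Return (ssh_packets, {client_ip: {(client_port, server_ip), ...}}) from ipfw log text."""
    packets = 0
    conns = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dport"] == ssh_port:     # client -> server ("in")
            client, cport, server = rec["src"], rec["sport"], rec["dst"]
        elif rec["sport"] == ssh_port:   # server -> client ("out")
            client, cport, server = rec["dst"], rec["dport"], rec["src"]
        else:
            continue
        packets += 1                     # every packet of a state entry is logged
        conns[client].add((cport, server))  # both directions collapse to one key
    return packets, dict(conns)

def over_limit(conns, limit=3):
    """Clients exceeding the rule's 'limit src-addr N' by distinct connections."""
    return sorted(ip for ip, keys in conns.items() if len(keys) > limit)
```

Run it on the real log with `ssh_connections(open("/var/log/security").read())`; the packet count versus connection count shows how much of the noise is the dynamic rule logging every packet rather than only the setup.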