Date: Mon, 8 Dec 1997 01:15:31 -0800 (PST)
From: Jan Koum <jkb@best.com>
To: Nate Williams <nate@mt.sri.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw WAS: Re: [linux-security] New Program: Abacus Sentry
Message-ID: <Pine.BSF.3.96.971208010301.24278A-100000@shell6.ba.best.com>
In-Reply-To: <199712080704.AAA10395@mt.sri.com>
Hi all,

Talking about ipfw. I have a rather stupid question. Say I am host a.b.c.d and I am running ipfw. I am denying a lot of stuff and it is also logging. Now, I don't have a limit on the logging set in the kernel, which means that if I get a lot of denied connections logged, my system message buffer doesn't have enough room to log it by default. The question is: how do I increase it? The space for the system message buffer, that is. So when I do 'dmesg', I don't see the last lines of ipfw logging.

Actually, the above can also be considered a security problem since people can't see if they were attacked two days or weeks ago. Too much stuff gets logged and gets pushed out of the dmesg buffer. It would be really nice to be able to log ipfw to hard drive with the date/time of packets being denied. The man page for ipfw in SEE ALSO refers to syslog(8), but:

% grep syslog /usr/src/sbin/ipfw/ipfw.c
%

--
Yan

P.S. Any clues on how to log ipfw somewhere other than the kernel buffer will be great. :)

On Mon, 8 Dec 1997, Nate Williams wrote:

>> In muc.lists.freebsd.security, you wrote:
>> >I thought someone could be interested in this program, a port scanner
>> >which seems more featureful than strobe (a port scanner in the
>> >FreeBSD ports).
>>
>> It's not a port scanner. It's a bad port-scan detector; it's designed to
>> tell you when things like strobe (excellent program) are run against your
>> host.
>
>> It also doesn't work. In general, you need low-level network access
>> (packet capture) to really detect port-scans....
>
>You mean something like IPFW in 'paranoid' mode? *grin*
>
>I've gotten probed a couple of times, and even on ports that have active
>processes running on them. IPFW is *great* for that sort of thing,
>even if you aren't paranoid. (But you should be nowadays...)
>
>
>
>
>Nate
>
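The two points raised above, that the kernel message buffer silently drops the oldest ipfw lines and that disk logging with timestamps is what lets you see a probe from days ago, as an added example that is not part of this post or of ipfw itself. It assumes the Deny lines have already reached syslogd and been written to a file; the sample lines are constructed, and the "ipfw: <rule> Deny <proto> <src>:<port> <dst>:<port> in via <if>" layout is an assumption about the log format.

```python
"""Summarise ipfw Deny lines once syslogd has written them to disk.
Added example, not code from the post or from ipfw; the sample lines are
constructed and the "ipfw: <rule> Deny <proto> <src>:<port> <dst>:<port>
in via <if>" layout is an assumption about the log format."""
import re
from collections import defaultdict
# Constructed sample, shaped like the lines syslogd writes for kernel messages.
SAMPLE_LOG = """\
Dec  6 02:11:04 host /kernel: ipfw: 100 Deny TCP 192.0.2.9:4311 198.51.100.7:23 in via ed0
Dec  6 02:11:05 host /kernel: ipfw: 100 Deny TCP 192.0.2.9:4312 198.51.100.7:25 in via ed0
Dec  6 02:11:05 host /kernel: ipfw: 100 Deny TCP 192.0.2.9:4313 198.51.100.7:110 in via ed0
Dec  7 09:40:12 host /kernel: ipfw: 200 Deny UDP 203.0.113.4:53 198.51.100.7:53 in via ed0
Dec  8 01:00:00 host /kernel: ipfw: 100 Deny TCP 192.0.2.9:5000 198.51.100.7:80 in via ed0
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ ipfw: (?P<rule>\d+) Deny "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<ifn>\S+)$"
)

def parse_denies(text):
    """One dict per ipfw Deny line; anything else in the file is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["rule"], ev["dport"] = int(ev["rule"]), int(ev["dport"])
            events.append(ev)
    return events

def ports_per_source(events):
    """Distinct ports each source was denied on plus when it was first seen:
    one source touching many ports is the port-scan pattern of the thread."""
    ports, first = defaultdict(set), {}
    for ev in events:
        ports[ev["src"]].add(ev["dport"])
        first.setdefault(ev["src"], ev["ts"])
    return {src: (first[src], sorted(p)) for src, p in ports.items()}

def msgbuf_tail(text, size):
    """Model the kernel message buffer dmesg reads: only the newest `size`
    bytes survive, so older lines fall off the front and are gone for good."""
    kept, used = [], 0
    for line in reversed(text.splitlines(keepends=True)):
        if used + len(line) > size:
            break
        kept.insert(0, line)
        used += len(line)
    return "".join(kept)
```

With a 200-byte buffer `msgbuf_tail` keeps only the Dec 7 and Dec 8 lines, so the Dec 6 multi-port probe is visible in the syslog file but not in dmesg.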