Date:      Wed, 26 Jul 2000 11:34:10 +1000
From:      Andrew Johns <johnsa@kpi.com.au>
To:        Stephen Montgomery-Smith <stephen@math.missouri.edu>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: log with dynamic firewall rules
Message-ID:  <397E4012.A1A93351@kpi.com.au>
References:  <397E1E25.FE8731E7@math.missouri.edu>

Stephen Montgomery-Smith wrote:
> 
> I would like to set up a firewall with dynamic rules to allow
> ssh from the outside.  I would like these incoming ssh's logged.
> So I tried something like:
> 
> ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
> 
> Now it would make sense to me that this would log the initial setup,
> but that the following times that the then created dynamic rule is
> invoked would not be logged.
> 
> However that is not the case.  All the tcp packets between the
> established connection are logged.
> 
> I know that I could have some rules:
> 
> add pass tcp from any to any in via ${oif} established
> add pass all from any to any frag
> 
> before this one, but doesn't that defeat part of the point of
> dynamic rules?
> 

In a word, no.

All packets must pass through the ruleset before being either passed
or dropped.

'Dynamic' rules build on the base rules by keeping a table of which
connections are presently in use, so that mapping can occur for
delivery of the packet back to the correct socket/process, **once it
has been passed** by the rule set.  (This is my interpretation of it
from personal experience - someone please correct me if I'm totally
off the rails on this.)

Therefore, any logging before the packet is passed/dropped will still
occur as per usual, which is how I'd want to have it anyway.

Regards
---------------------\=-_    _-=/
Andrew Johns BSc.     \  \==/  /
Principal Consultant   \      /
KPI Logistics Pty Ltd   \    /
mailto:johnsa@kpi.com.au \ +/
http://www.kpi.com.au     \/
                            How do I set this laser printer to stun?
My favourite boot labels:
                          F1 Real OS     -> http://www.FreeBSD.org
                          F2 Pretend OS  -> http://www.microsoft.com
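Added example, not from this thread and not ipfw code: a small Python model of ipfw's first-match evaluation with keep-state, showing why a `log` on the keep-state rule records every packet of the session (dynamic hits run the parent rule, log included), while a preceding `established` pass rule leaves only the setup packet logged. Host names, ports and the sample packets are constructed.

```python
# Toy model of ipfw first-match evaluation with keep-state (not ipfw code:
# no rule numbers or timeouts, TCP only, flows keyed on the endpoint pair).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:
    src: str; sport: int; dst: str; dport: int
    syn: bool = False; ack: bool = False

@dataclass
class Rule:
    action: str                   # "pass" or "deny"
    dport: Optional[int] = None   # destination port to match (None = any)
    setup: bool = False           # SYN without ACK, like ipfw 'setup'
    established: bool = False     # ACK set, like ipfw 'established'
    keep_state: bool = False      # create a dynamic entry on match
    log: bool = False             # ipfw 'log' keyword

def run(rules, packets):
    # Evaluate packets in order; return (verdicts, log lines).
    dyn, verdicts, logged = {}, [], []   # dyn: flow key -> parent rule
    for p in packets:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        verdict = "deny"   # default policy when no rule matches
        for r in rules:
            # The first keep-state rule implicitly checks the dynamic table;
            # a hit runs the parent rule's action, including its 'log'.
            if r.keep_state and key in dyn:
                if dyn[key].log:
                    logged.append(f"dynamic {p.src}:{p.sport} -> {p.dst}:{p.dport}")
                verdict = dyn[key].action
                break
            if r.dport is not None and r.dport != p.dport: continue
            if r.setup and not (p.syn and not p.ack): continue
            if r.established and not p.ack: continue
            if r.log: logged.append(f"{r.action} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            if r.keep_state: dyn[key] = r
            verdict = r.action
            break
        verdicts.append(verdict)
    return verdicts, logged

# Constructed sample session: handshake plus one data segment each way.
SESSION = [Pkt("10.0.0.5", 40000, "my.computer.net", 22, syn=True),
           Pkt("my.computer.net", 22, "10.0.0.5", 40000, syn=True, ack=True),
           Pkt("10.0.0.5", 40000, "my.computer.net", 22, ack=True),
           Pkt("my.computer.net", 22, "10.0.0.5", 40000, ack=True)]
LOG_KEEP_STATE = [Rule("pass", dport=22, setup=True, keep_state=True, log=True)]
ESTABLISHED_FIRST = [Rule("pass", established=True)] + LOG_KEEP_STATE
```

`run(LOG_KEEP_STATE, SESSION)` logs all four packets; `run(ESTABLISHED_FIRST, SESSION)` logs only the initial SYN, because the `established` rule passes the rest before the dynamic table is ever consulted.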


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?397E4012.A1A93351>