From owner-freebsd-security Tue Jul 25 18:53:22 2000
Message-ID: <397E4487.A868B713@math.missouri.edu>
Date: Tue, 25 Jul 2000 20:53:11 -0500
From: Stephen Montgomery-Smith
To: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
References: <397E1E25.FE8731E7@math.missouri.edu>

Stephen Montgomery-Smith wrote:
>
> I would like to set up a firewall with dynamic rules to allow
> ssh from the outside. I would like these incoming ssh's logged.
> So I tried something like:
>
> ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
>

OK, does everyone else agree with me that if an ipfw rule is logged and keep-state, then one only needs to log when the rule is established - not every time a packet passes through it? If so, I'll send-pr the following patch:

[Attachment: diff.ip_fw.c.patch]

--- ../src/sys/netinet/ip_fw.c Sat Jul 15 19:25:45 2000 +++ sys/netinet/ip_fw.c Tue Jul 25 20:39:38 2000 @@ -1215,8 +1215,13 @@ f->timestamp = time_second; /* Log to console if desired */ +#if STATEFUL /* stateful ipfw */ + if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose && q==NULL) + ipfw_report(f, ip, rif, oif); +#else if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose) ipfw_report(f, ip, rif, oif); +#endif /* Take appropriate action */ switch (f->fw_flg & IP_FW_F_COMMAND) {
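Review bot: the `q==NULL` test in the `#if STATEFUL` branch is doing all the work, but nothing in the hunk shows where `q` comes from or guarantees it is NULL for every packet that matched a plain (non-keep-state) logged rule; if `q` can be non-NULL in that path, this patch silently stops logging for ordinary `log` rules, so please confirm that invariant (and that `q` is in scope here) before sending the PR. Two smaller points: the two branches differ only in the extra `&& q==NULL`, so the duplicated `ipfw_report(f, ip, rif, oif);` call can be avoided by wrapping only the condition, e.g. `#if STATEFUL` / `&& q==NULL` / `#endif` inside the single `if`, and `#if STATEFUL` should match whatever form (`#if` vs `#ifdef`) the rest of ip_fw.c uses for that macro. Finally, this changes user-visible behaviour (a `log keep-state` rule now reports only the packet that creates the dynamic entry, not later packets matching it), so the ipfw(8) man page text for `log` should say so in the same change.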