Date:      Tue, 25 Jul 2000 21:11:29 -0500
From:      Stephen Montgomery-Smith <stephen@math.missouri.edu>
To:        Andrew Johns <johnsa@kpi.com.au>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: log with dynamic firewall rules
Message-ID:  <397E48D1.DEC661C5@math.missouri.edu>
References:  <397E1E25.FE8731E7@math.missouri.edu> <397E4012.A1A93351@kpi.com.au>

OK, I'm not really understanding you here:

suppose I have a rule like:
ipfw add pass log tcp from any to my.computer.net 22 keep-state
let's say it is rule 600.

Now someone ssh's from the outside to my.computer.  So on my log file
I see:
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0

But actually I get a lot more than this - I get a whole bunch of
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
and
ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0
also in my log file.  Indeed, as the ssh connection continues, I
get more and more of these, filling up my log file, and really
telling me nothing new (especially since entries in the log file
are not dated).

Now I could put a logamount option in my rule.  This stops all
these logs.  But then when someone else ssh's into my computer,
that info never gets logged.

Now it seems to me that what should happen is this:  When
someone ssh's into my.computer I should see in the log file
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0

A dynamic rule is established, and it would seem to me that all
the other packets processed by this dynamic rule should NOT create
log entries.

Now of course if someone else ssh's into my.computer, hence establishing
a new dynamic rule, then by all means that should be logged.

Basically a packet passing through a dynamic rule should never create
a log entry.  In the rare instance that one actually wants this,
maybe a new rule word log-all could be created.


Andrew Johns wrote:
> 
> Stephen Montgomery-Smith wrote:
> >
> > I would like to set up a firewall with dynamic rules to allow
> > ssh from the outside.  I would like these incoming ssh's logged.
> > So I tried something like:
> >
> > ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
> >
> > Now it would make sense to me that this would log the initial setup,
> > but that the following times that the then created dynamic rule is
> > invoked would not be logged.
> >
> > However that is not the case.  All the tcp packets between the
> > established connection are logged.
> >
> > I know that I could have some rules:
> >
> > add pass tcp from any to any in via ${oif} established
> > add pass all from any to any frag
> >
> > before this one, but doesn't that defeat part of the point of
> > dynamic rules?
> >
> 
> In a word, no.
> 
> All packets must pass through the ruleset before being either passed
> or dropped.
> 
> 'Dynamic' rules build on the base rules by keeping a table of which
> connections are presently in use, so that mapping can occur for
> delivery of the packet back to the correct socket/process, **once it
> has been passed** by the rule set.  (This is my interpretation of it
> from personal experience - someone please correct me if I'm totally
> off the rails on this.)
> 
> Therefore, any logging before the packet is passed/dropped will still
> occur as per usual, which is how I'd want to have it anyway.
> 

-- 
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?397E48D1.DEC661C5>
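As an added example, not part of the thread above and not an ipfw feature: the complaint in this message is that a logged keep-state rule writes one line per packet, while the reader only cares about the first packet of each new connection. Until the firewall itself does that, the same reduction can be done on the log side. The script below parses lines in the exact shape quoted above (`ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0`), builds a direction-independent flow key so that the `out` replies fold into the same flow as the `in` packets that opened it, and reports each flow once with the number of packets it generated. The sample log is constructed for the example; a second ssh session from the same client (new source port) is kept separate, as the poster wants, and a non-ipfw syslog line is skipped.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Regex for the syslog line shape quoted in the thread, e.g.
#   ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
# Only the fields visible in those lines are parsed; other lines are skipped.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

# Constructed sample input (not a real log): two ssh sessions from the same
# client, each logged several times by rule 600, one unrelated sshd line,
# and one denied packet hitting the default rule.
SAMPLE_LOG = [
    "ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0",
    "ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0",
    "ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0",
    "ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0",
    "sshd[123]: Accepted publickey for stephen from 66.77.88.99 port 1000",
    "ipfw: 600 Accept TCP 66.77.88.99:1001 12.34.56.78:22 in via rl0",
    "ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0",
    "ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1001 out via rl0",
    "ipfw: 65535 Deny TCP 10.9.8.7:4444 12.34.56.78:23 in via rl0",
]


class Packet(NamedTuple):
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str


# Direction-independent flow identity: (proto, lower endpoint, higher endpoint).
FlowKey = Tuple[str, Tuple[str, int], Tuple[str, int]]


def parse_line(line: str) -> Optional[Packet]:
    """Parse one ipfw log line; return None for lines that are not ipfw's."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return Packet(int(g["rule"]), g["action"], g["proto"], g["src"],
                  int(g["sport"]), g["dst"], int(g["dport"]),
                  g["direction"], g["iface"])


def flow_key(p: Packet) -> FlowKey:
    """Map both halves of a connection (in and out) to the same key by
    sorting the two endpoints instead of trusting packet direction."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, lo, hi)


def collapse_flows(lines: Iterable[str]) -> List[Tuple[Packet, int]]:
    """Return (first_packet, packet_count) per flow in order of first sight.
    The first packet is the one line the poster wants to see; the count shows
    how many extra lines the dynamic rule produced for that connection."""
    first: Dict[FlowKey, Packet] = {}
    counts: Dict[FlowKey, int] = {}
    order: List[FlowKey] = []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        key = flow_key(p)
        if key not in first:
            first[key] = p
            counts[key] = 0
            order.append(key)
        counts[key] += 1
    return [(first[k], counts[k]) for k in order]


def render(entry: Tuple[Packet, int]) -> str:
    p, n = entry
    return (f"rule {p.rule} {p.action} {p.proto} {p.src}:{p.sport} -> "
            f"{p.dst}:{p.dport} {p.direction} via {p.iface} ({n} packets)")


if __name__ == "__main__":
    for entry in collapse_flows(SAMPLE_LOG):
        print(render(entry))
```

Two caveats a practitioner would want stated. This is post-processing: it makes the log readable but does not stop ipfw from writing every packet, so it is no substitute for a firewall-side fix. And because, as the message notes, these log lines carry no timestamp, two connections that reuse the same 4-tuple (for example a client that reconnects from the same source port) are indistinguishable here and would be merged into one flow; a time window cannot be applied without dated entries.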