From owner-freebsd-security Tue Jul 25 19:11:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rdc1.il.home.com (ha1.rdc1.il.home.com [24.2.1.66]) by hub.freebsd.org (Postfix) with ESMTP id 5F12037BD07 for ; Tue, 25 Jul 2000 19:11:30 -0700 (PDT) (envelope-from stephen@math.missouri.edu)
Received: from math.missouri.edu ([24.12.197.197]) by mail.rdc1.il.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20000726021129.OAMG23923.mail.rdc1.il.home.com@math.missouri.edu>; Tue, 25 Jul 2000 19:11:29 -0700
Message-ID: <397E48D1.DEC661C5@math.missouri.edu>
Date: Tue, 25 Jul 2000 21:11:29 -0500
From: Stephen Montgomery-Smith
X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.14 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Andrew Johns
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
References: <397E1E25.FE8731E7@math.missouri.edu> <397E4012.A1A93351@kpi.com.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

OK, I'm not really understanding you here: suppose I have a rule like:

ipfw add pass log tcp from any to my.computer.net 22 keep-state

let's say it is rule 600. Now someone ssh's from the outside to my.computer. So on my log file I see:

ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0

But actually I get a lot more than this - I get a whole bunch of

ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0

and

ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0

also in my log file. Indeed, as the ssh connection continues, I get more and more of these, filling up my log file, and really telling me nothing new (especially since entries in the log file are not dated).

Now I could put a logamount option in my rule. This stops all these logs. But then when someone else ssh's into my computer, that info never gets logged.

Now it seems to me that what should happen is this: When someone ssh's into my.computer I should see in the log file

ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0

A dynamic rule is established, and it would seem to me that all the other packets processed by this dynamic rule should NOT create log entries. Now of course if someone else ssh's into my.computer, hence establishing a new dynamic rule, then by all means that should be logged.

Basically a packet passing through a dynamic rule should never create a log entry. In the rare instance that one actually wants this, maybe a new rule word log-all could be created.

Andrew Johns wrote:
>
> Stephen Montgomery-Smith wrote:
> >
> > I would like to set up a firewall with dynamic rules to allow
> > ssh from the outside. I would like these incoming ssh's logged.
> > So I tried something like:
> >
> > ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
> >
> > Now it would make sense to me that this would log the initial setup,
> > but that the following times that the then created dynamic rule is
> > invoked would not be logged.
> >
> > However that is not the case. All the tcp packets between the
> > established connection are logged.
> >
> > I know that I could have some rules:
> >
> > add pass tcp from any to any in via ${oif} established
> > add pass all from any to any frag
> >
> > before this one, but doesn't that defeat part of the point of
> > dynamic rules?
> >
>
> In a word, no.
>
> All packets must pass through the ruleset before being either passed
> or dropped.
>
> 'Dynamic' rules build on the base rules by keeping a table of which
> connections are presently in use, so that mapping can occur for
> delivery of the packet back to the correct socket/process, **once it
> has been passed** by the rule set. (This is my interpretation of it
> from personal experience - someone please correct me if I'm totally
> off the rails on this.)
>
> Therefore, any logging before the packet is passed/dropped will still
> occur as per usual, which is how I'd want to have it anyway.

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen
stephen@math.missouri.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
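The behaviour Stephen wants (one log entry per connection, not one per packet matched by the dynamic rule) can be obtained after the fact by post-processing the ipfw log. The script below is an added example written for this archive page; it is not code from either poster or from FreeBSD. It assumes the kernel log line format quoted in the message (`ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0`), folds the `in` and `out` lines of one TCP session onto a single flow key, and reports the first packet seen for each connection together with a packet count. The sample log lines at the bottom are constructed for the example.

```python
"""Collapse a stream of ipfw 'log' lines into one record per connection.

Added example, not code from the mailing-list thread or from FreeBSD.
Assumes the kernel log format shown in the message:
    ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
The inbound and outbound lines of one session (the traffic a keep-state
dynamic rule matches) are treated as a single flow, so the output is the
first packet of each connection plus how many packets followed it.
"""
import re
from collections import OrderedDict

# Fields of an ipfw kernel log line. re.search is used so that anything
# syslog may prepend before "ipfw:" (a date, a hostname) is ignored.
IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_line(line):
    """Return the fields of one ipfw log line as a dict, or None if the
    line is not an ipfw log entry."""
    m = IPFW_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def flow_key(rec):
    """Direction-independent connection key: both endpoints are sorted,
    so the 'in' and 'out' halves of the same session share one key."""
    ends = sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])])
    return (rec["rule"], rec["proto"], ends[0], ends[1])


def summarize(lines):
    """Group log lines by connection. Returns an OrderedDict mapping the
    flow key to {'first': first record seen, 'packets': count}, in the
    order in which each connection first appeared."""
    flows = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an ipfw entry; leave it alone
        key = flow_key(rec)
        entry = flows.get(key)
        if entry is None:
            flows[key] = {"first": rec, "packets": 1}
        else:
            entry["packets"] += 1
    return flows


def format_summary(flows):
    """One line per connection: the first log line seen plus a packet count."""
    out = []
    for entry in flows.values():
        f = entry["first"]
        out.append(
            "ipfw: %d %s %s %s:%d %s:%d %s via %s (%d packets)"
            % (f["rule"], f["action"], f["proto"], f["src"], f["sport"],
               f["dst"], f["dport"], f["dir"], f["iface"], entry["packets"])
        )
    return out


# Constructed sample: two ssh sessions from different clients, each producing
# the repeated in/out lines described in the message, plus one unrelated line.
SAMPLE_LOG = [
    "ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0",
    "ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0",
    "ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0",
    "ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0",
    "ipfw: 600 Accept TCP 10.9.8.7:2048 12.34.56.78:22 in via rl0",
    "ipfw: 600 Accept TCP 12.34.56.78:22 10.9.8.7:2048 out via rl0",
    "ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0",
    "some unrelated syslog line",
]

if __name__ == "__main__":
    # Seven matching lines collapse to two connections.
    for line in format_summary(summarize(SAMPLE_LOG)):
        print(line)
```

Run against a real log with `summarize(open("/var/log/security"))` or similar; the point of the sorted endpoint key is that a second connection from the same client on a new source port still shows up as a new entry, which is the case the `logamount` option would silence.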