From owner-freebsd-security Tue Jul 25 19:18:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20])
	by hub.freebsd.org (Postfix) with ESMTP id 14FDA37BD7B
	for ; Tue, 25 Jul 2000 19:18:43 -0700 (PDT)
	(envelope-from bright@fw.wintelcom.net)
Received: (from bright@localhost)
	by fw.wintelcom.net (8.10.0/8.10.0) id e6Q2IWJ29517;
	Tue, 25 Jul 2000 19:18:32 -0700 (PDT)
Date: Tue, 25 Jul 2000 19:18:32 -0700
From: Alfred Perlstein
To: Stephen Montgomery-Smith
Cc: Andrew Johns, freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
Message-ID: <20000725191832.H17222@fw.wintelcom.net>
References: <397E1E25.FE8731E7@math.missouri.edu> <397E4012.A1A93351@kpi.com.au> <397E48D1.DEC661C5@math.missouri.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <397E48D1.DEC661C5@math.missouri.edu>; from stephen@math.missouri.edu on Tue, Jul 25, 2000 at 09:11:29PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Stephen Montgomery-Smith [000725 19:14] wrote:
> OK, I'm not really understanding you here:
>
> suppose I have a rule like:
> ipfw add pass log tcp from any to my.computer.net 22 keep-state
> let's say it is rule 600.
>
> Now someone ssh's from the outside to my.computer. So on my log file
> I see:
> ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
>
> But actually I get a lot more than this - I get a whole bunch of
> ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
> and
> ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0
> also in my log file. Indeed, as the ssh connection continues, I
> get more and more of these, filling up my log file, and really
> telling me nothing new (especially since entries in the log file
> are not dated).

You probably want to use the 'setup' keyword to capture the initial
connection.

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
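
Added example, not part of the original message or of FreeBSD: for a log already filled with the per-packet entries quoted above, this filter keeps one line per connection (both directions merged) with a packet count, which is roughly what logging only the initial packet would have recorded. The function names and the sample lines are constructed for illustration; the line layout is assumed to match the entries quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread): collapse per-packet ipfw log
# entries into one line per connection, prefixed with a packet count.

# Constructed sample in the format quoted in the message above.
sample_log() {
    cat <<'EOF'
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
ipfw: 600 Accept TCP 66.77.88.99:1001 12.34.56.78:22 in via rl0
ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0
EOF
}

# Reads ipfw log lines on stdin; writes "<count><TAB><first line seen>"
# for each connection, in order of first appearance.
collapse_ipfw_log() {
    awk '
    {
        # Find the "ipfw:" tag so an optional syslog prefix is tolerated.
        tag = 0
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") { tag = i; break }
        if (tag == 0 || NF < tag + 5) next    # not a packet entry
        proto = $(tag + 3); src = $(tag + 4); dst = $(tag + 5)
        # Order the endpoints so both directions share one key.
        if ((src "") < (dst "")) key = proto " " src " " dst
        else                     key = proto " " dst " " src
        if (!(key in count)) { order[++n] = key; first[key] = $0 }
        count[key]++
    }
    END {
        for (j = 1; j <= n; j++)
            printf "%d\t%s\n", count[order[j]], first[order[j]]
    }'
}

# Stand-alone run on the constructed sample.
sample_log | collapse_ipfw_log
```

To use it on a real log, source the file and pipe the log into `collapse_ipfw_log`.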