Date:      Wed, 26 Jul 2000 12:23:53 +1000
From:      Andrew Johns <johnsa@kpi.com.au>
To:        Stephen Montgomery-Smith <stephen@math.missouri.edu>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: log with dynamic firewall rules
Message-ID:  <397E4BB9.8D9B6A39@kpi.com.au>
References:  <397E1E25.FE8731E7@math.missouri.edu> <397E4012.A1A93351@kpi.com.au> <397E48D1.DEC661C5@math.missouri.edu>

Why haven't you got something such as:

allow all from any to any established

**PRIOR** to the accept rule - that is what the established keyword is
for, I thought.

Stephen Montgomery-Smith wrote:
> 
> OK, I'm not really understanding you here:
> 
> suppose I have a rule like:
> ipfw add pass log tcp from any to my.computer.net 22 keep-state
> lets say it is rule 600.
> 
> Now someone ssh's from the outside to my.computer.  So on my log file
> I see:
> ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
> 
> But actually I get a lot more than this - I get a whole bunch of
> ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
> and
> ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0
> also in my log file.  Indeed, as the ssh connection continues, I
> get more and more of these, filling up my log file, and really
> telling me nothing new (especially since entries in the log file
> are not dated).
> 
> Now I could put a logamount option in my rule.  This stops all
> these logs.  But then when someone else ssh's into my computer,
> that info never gets logged.
> 
> Now it seems to me that what should happen is this:  When
> someone ssh's into my.computer I should see in the log file
> ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
> 
> A dynamic rule is established, and it would seem to me that all
> the other packets processed by this dynamic rule should NOT create
> log entries.
> 
> Now of course if someone else ssh's into my.computer, hence establishing
> a new dynamic rule, then by all means that should be logged.
> 
> Basically a packet passing through a dynamic rule should never create
> a log entry.  In the rare instance that one actually wants this,
> maybe a new rule word log-all could be created.
> 
> Andrew Johns wrote:
> >
> > Stephen Montgomery-Smith wrote:
> > >
> > > I would like to set up a firewall with dynamic rules to allow
> > > ssh from the outside.  I would like these incoming ssh's logged.
> > > So I tried something like:
> > >
> > > ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
> > >
> > > Now it would make sense to me that this would log the initial setup,
> > > but that the following times that the then created dynamic rule is
> > > invoked would not be logged.
> > >
> > > However that is not the case.  All the tcp packets between the
> > > established connection are logged.
> > >
> > > I know that I could have some rules:
> > >
> > > add pass tcp from any to any in via ${oif} established
> > > add pass all from any to any frag
> > >
> > > before this one, but doesn't that defeat part of the point of
> > > dynamic rules?
> > >
> >
> > In a word, no.
> >
> > All packets must pass through the ruleset before being either passed
> > or dropped.
> >
> > 'Dynamic' rules build on the base rules by keeping a table of which
> > connections are presently in use, so that mapping can occur for
> > delivery of the packet back to the correct socket/process, **once it
> > has been passed** by the rule set.  (This is my interpretation of it
> > from personal experience - someone please correct me if I'm totally
> > off the rails on this.)
> >
> > Therefore, any logging before the packet is passed/dropped will still
> > occur as per usual, which is how I'd want to have it anyway.
> >
> 
> --
> Stephen Montgomery-Smith
> Department of Mathematics, University of Missouri, Columbia, MO 65211
> Phone 573-882-4540, fax 573-882-1869
> http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu
> 

-- 
---------------------\=-_    _-=/
Andrew Johns BSc.     \  \==/  /
Principal Consultant   \      /
KPI Logistics Pty Ltd   \    /
mailto:johnsa@kpi.com.au \ +/
http://www.kpi.com.au     \/
                            How do I set this laser printer to stun?
My favourite boot labels:
                          F1 Real OS     -> http://www.FreeBSD.org
                          F2 Pretend OS  -> http://www.microsoft.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
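The noise the original poster describes (a line for every packet of a connection once a `log ... keep-state` rule has passed it) can be handled after the fact instead of in the ruleset. The script below is an added example written for this thread; it is not code from the thread or from FreeBSD. It parses the ipfw log format exactly as quoted above and reports each TCP flow once, in first-seen order, with a per-direction packet count, so a second ssh session from a new source still shows up. The sample log is constructed: the three quoted lines repeated as the session continues, a second connection from a made-up address (192.0.2.10), and one unrelated syslog line the parser must ignore.

```python
"""One line per TCP flow from noisy ipfw accept logs.

Added example for the thread above; not code from the thread or from
FreeBSD.  A ``log ... keep-state`` rule, as the poster observed, writes a
line for every packet the dynamic rule passes.  Instead of capping the rule
with ``logamount`` (which also hides later connections), this reads the
syslog output and reports each flow once, with per-direction packet counts.
"""
import re
from collections import OrderedDict

# Shape of the lines quoted in the thread, e.g.
#   ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
# search() rather than match() so a syslog "date host" prefix is tolerated.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)"
)


def parse_line(line):
    """Return a dict for an ipfw log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("rule", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec


def flow_key(rec):
    """Canonical key shared by the 'in' and 'out' halves of one connection."""
    a = (rec["src"], rec["sport"])
    b = (rec["dst"], rec["dport"])
    lo, hi = (a, b) if a <= b else (b, a)
    return (rec["proto"], lo, hi)


def summarize_flows(lines):
    """Collapse log lines to one record per flow, in first-seen order.

    Each record keeps the rule number, the first line (the only one that
    carries new information: who connected to what, in which direction)
    and how many packets were logged in each direction.
    """
    flows = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = flow_key(rec)
        if key not in flows:
            flows[key] = {
                "rule": rec["rule"],
                "action": rec["action"],
                "first": line.strip(),
                "src": f'{rec["src"]}:{rec["sport"]}',
                "dst": f'{rec["dst"]}:{rec["dport"]}',
                "in": 0,
                "out": 0,
            }
        flows[key][rec["direction"]] += 1
    return list(flows.values())


def new_connection_lines(lines):
    """Just the first logged line of every flow: what the poster wanted to see."""
    return [f["first"] for f in summarize_flows(lines)]


# Constructed sample (not a real capture): the three lines quoted in the
# thread, repeated as the session continues, plus a second ssh from a
# made-up address and an unrelated syslog line that must be skipped.
SAMPLE_LOG = """\
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
Jul 26 12:23:53 gateway syslogd: restart
ipfw: 600 Accept TCP 192.0.2.10:40001 12.34.56.78:22 in via rl0
ipfw: 600 Accept TCP 12.34.56.78:22 192.0.2.10:40001 out via rl0
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
""".splitlines()

if __name__ == "__main__":
    for f in summarize_flows(SAMPLE_LOG):
        print(f'rule {f["rule"]} {f["action"]} {f["src"]} -> {f["dst"]}: '
              f'{f["in"]} in, {f["out"]} out')
```

Run over the sample, this yields two records: the quoted session (4 packets in, 2 out) and the second ssh. The reason to post-process rather than put `allow ... established` ahead of the stateful rule is that `established` is a stateless test on the ACK/RST bits: any packet carrying those bits is accepted whether or not a connection exists, which is exactly the check the keep-state rule was meant to add. Filtering the log instead keeps the dynamic rule as the only way in for port 22 traffic.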




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?397E4BB9.8D9B6A39>