Date:      Wed, 26 Jul 2000 12:39:44 +1000 (Australia/NSW)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        stephen@math.missouri.edu (Stephen Montgomery-Smith)
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: log with dynamic firewall rules
Message-ID:  <200007260239.MAA02404@cairo.anu.edu.au>
In-Reply-To: <397E4487.A868B713@math.missouri.edu> from "Stephen Montgomery-Smith" at Jul 25, 2000 08:53:11 PM

In some mail from Stephen Montgomery-Smith, sie said:
> 
> Stephen Montgomery-Smith wrote:
> > 
> > I would like to set up a firewall with dynamic rules to allow
> > ssh from the outside.  I would like these incoming ssh's logged.
> > So I tried something like:
> > 
> > ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
> > 
> 
> OK, does everyone else agree with me that if an ipfw rule is logged
> and keep-state, then one only needs to log when the rule is established -
> not every time a packet passes through it?
[...]

ah, you've stumbled across that one :)

pass in log first ... keep state

is what you would do in IP Filter :-)  Remember, that there may be some
situations where you want to log them all.  On top of that, you can just
leave out "log" from the filter rule and use the state log instead.

You know, in half the time you've spent toying with ipfw you could have
had ipfilter working and not had to patch the source O:-)

It seems the "statefulness" of ipfw is much more complex than it should be.

Darren
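As an added example (not part of this thread or of ipfw/IP Filter itself), the "log first" behaviour Darren describes can be approximated on the log-collection side when the packet filter only offers per-packet logging: the script below reads ipfw log lines and keeps one record per flow, so a `keep-state` rule that logs every packet still yields a single entry per connection. The line format and the sample lines are constructed for the example, assuming the shape `ipfw: <rule> <action> <proto> <src:port> <dst:port> in|out via <iface>`.

```python
import re
from collections import OrderedDict

# Assumed (constructed) approximation of a FreeBSD ipfw log line of the era.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse(line):
    """Return the fields of one ipfw log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def flow_key(rec):
    # A flow is protocol plus both endpoints, direction-independent, so the
    # reply packets of a connection collapse onto the packet that opened it.
    a = (rec["src"], rec["sport"])
    b = (rec["dst"], rec["dport"])
    return (rec["proto"],) + tuple(sorted([a, b]))

def log_first(lines):
    """One record per flow: the first logged packet plus a count of the rest."""
    flows = OrderedDict()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unrelated syslog line
        key = flow_key(rec)
        if key in flows:
            flows[key]["packets"] += 1
        else:
            rec["packets"] = 1
            flows[key] = rec
    return list(flows.values())

# Constructed sample: one ssh session logged three times, one new session.
SAMPLE = """\
Jul 25 20:53:11 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:4321 198.51.100.5:22 in via fxp0
Jul 25 20:53:11 gw /kernel: ipfw: 100 Accept TCP 198.51.100.5:22 192.0.2.10:4321 out via fxp0
Jul 25 20:53:12 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:4321 198.51.100.5:22 in via fxp0
Jul 25 20:53:15 gw /kernel: ipfw: 100 Accept TCP 203.0.113.7:50000 198.51.100.5:22 in via fxp0
""".splitlines()

if __name__ == "__main__":
    for f in log_first(SAMPLE):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} ({f['packets']} packets)")
```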

