Date:      Mon, 12 Feb 2001 21:52:49 +0100
From:      Francesco Casadei <fcasadei@inwind.it>
To:        "DINKEY,GENE (HP-Loveland,ex1)" <gene_dinkey@hp.com>
Cc:        "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org>
Subject:   Re: Logging IP address for all connections
Message-ID:  <20010212215249.A413@junior.kasby>
In-Reply-To: <F341E03C8ED6D311805E00902761278C531578@xfc04.fc.hp.com>; from gene_dinkey@hp.com on Mon, Feb 12, 2001 at 07:40:36AM -0800
References:  <F341E03C8ED6D311805E00902761278C531578@xfc04.fc.hp.com>

On Mon, Feb 12, 2001 at 07:40:36AM -0800, DINKEY,GENE (HP-Loveland,ex1) wrote:
> I'm running FreeBSD 3.4-RELEASE and have recently been under attack by what
> appears to be a bored script kiddie.  The attacks have come from several
> different locations (for some reason they keep trying to log on via anon
> FTP).  I've been port scanned twice in a week (unfortunately all I get in
> messages is the ICMP bandwidth limit messages).
> 
> I would like to be able to log the ip address and port number of every ip
> address that connects to the machine from my external interface.  If
> possible I would like to also be able to log that to a separate file instead
> of to messages to prevent clutter.
> 
> I've searched the archives and looked at ipfw(8), syslogd(8), and
> syslog.conf(5).  It's all very confusing and a little help understanding
> what I need to do would be appreciated.
> 
> The system has 2 NICs and runs natd, it's a gateway for my cable modem.  I
> only need to log on the NIC that's exposed to the world.
> 
> Thank you in advance
> 
> Gene Dinkey
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 
> end of the original message

From ipfw(8) man page, 'EXAMPLES' section:

Per-flow queueing can be useful for a variety of purposes.  A very simple
one is counting traffic:


      ipfw add pipe 1 tcp from any to any
      ipfw add pipe 1 udp from any to any
      ipfw add pipe 1 ip from any to any
      ipfw pipe 1 config mask all

The above set of rules will create queues (and collect statistics) for
all traffic.  Because the pipes have no limitations, the only effect is
collecting statistics.  Note that we need 3 rules, not just the last one,
because when ipfw tries to match IP packets it will not consider ports,
so we would not see connections on separate ports as different ones.

	Francesco Casadei
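The pipe rules above only count flows; the original question also asked for per-connection source addresses and ports in a separate file. The script below is an added example, not part of the thread: it assumes ipfw rules with the standard "log" keyword on a placeholder external interface (fxp0), a kernel built with IPFIREWALL_VERBOSE, and a syslog.conf line sending the security facility to a placeholder file, then summarises constructed log lines in the kernel's ipfw log format by source address and destination port.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed setup, all names placeholders:
#   ipfw add 100 count log tcp from any to any in via fxp0 setup
#   ipfw add 110 count log udp from any to any in via fxp0
#   /etc/syslog.conf:  security.*   /var/log/ipfw.log
# Constructed sample lines in the format the kernel uses for ipfw "log":
#   ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> in via <ifname>
SAMPLE_LOG='Feb 12 21:00:01 gw /kernel: ipfw: 100 Count TCP 192.0.2.10:3456 198.51.100.1:21 in via fxp0
Feb 12 21:00:03 gw /kernel: ipfw: 100 Count TCP 192.0.2.10:3457 198.51.100.1:21 in via fxp0
Feb 12 21:00:09 gw /kernel: ipfw: 110 Count UDP 203.0.113.7:53 198.51.100.1:1025 in via fxp0
Feb 12 21:01:15 gw /kernel: ipfw: 100 Count TCP 192.0.2.10:3458 198.51.100.1:22 in via fxp0'

# Read ipfw log lines on stdin; print "count source_ip PROTO/dest_port",
# busiest source/port pair first.
summarize_ipfw_log() {
    awk '/ipfw:/ {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        proto = $(i+3); src = $(i+4); dst = $(i+5)
        sub(/:[0-9]+$/, "", src)      # drop the ephemeral source port
        sub(/^.*:/, "", dst)          # keep only the destination port
        n[src " " proto "/" dst]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Number of distinct source addresses on stdin (one host probing many
# ports shows up as a single source with many lines).
distinct_sources() {
    summarize_ipfw_log | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | summarize_ipfw_log
```

Run it against the real file with `summarize_ipfw_log < /var/log/ipfw.log` once the rules and syslog.conf line are in place.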


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message