From owner-freebsd-questions Mon Feb 12 13:14:50 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from relay4.inwind.it (relay4.inwind.it [212.141.53.75]) by hub.freebsd.org (Postfix) with ESMTP id 2EF8D37B69C for ; Mon, 12 Feb 2001 13:14:41 -0800 (PST)
Received: from [62.98.58.174] (62.98.58.174) by relay4.inwind.it (5.1.056) id 3A88018C00014FF6 for freebsd-questions@freebsd.org; Mon, 12 Feb 2001 22:14:41 +0100
Received: (qmail 479 invoked by uid 1001); 12 Feb 2001 20:52:49 -0000
Date: Mon, 12 Feb 2001 21:52:49 +0100
From: Francesco Casadei
To: "DINKEY,GENE (HP-Loveland,ex1)"
Cc: "'freebsd-questions@freebsd.org'"
Subject: Re: Logging IP address for all connections
Message-ID: <20010212215249.A413@junior.kasby>
Mail-Followup-To: "DINKEY,GENE (HP-Loveland,ex1)", "'freebsd-questions@freebsd.org'"
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from gene_dinkey@hp.com on Mon, Feb 12, 2001 at 07:40:36AM -0800
X-Operating-System: FreeBSD 3.5-STABLE i386
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Feb 12, 2001 at 07:40:36AM -0800, DINKEY,GENE (HP-Loveland,ex1) wrote:
> I'm running FreeBSD 3.4-RELEASE and have recently been under attack by what
> appears to be a bored script kiddie. The attacks have come from several
> different locations (for some reason they keep trying to log on via anon
> FTP). I've been port scanned twice in a week (unfortunately all I get in
> messages is the ICMP bandwidth limit messages).
>
> I would like to be able to log the ip address and port number of every ip
> address that connects to the machine from my external interface. If
> possible I would like to also be able to log that to a separate file instead
> of to messages to prevent clutter.
>
> I've searched the archives and looked at ipfw(8), syslogd(8), and
> syslog.conf(5). It's all very confusing and a little help understanding
> what I need to do would be appreciated.
>
> The system has 2 NICs and runs natd, it's a gateway for my cable modem. I
> only need to log on the NIC that's exposed to the world.
>
> Thank you in advance
>
> Gene Dinkey
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
end of the original message

From ipfw(8) man page, 'EXAMPLES' section:

    Per-flow queueing can be useful for a variety of purposes. A very
    simple one is counting traffic:

        ipfw add pipe 1 tcp from any to any
        ipfw add pipe 1 udp from any to any
        ipfw add pipe 1 ip from any to any
        ipfw pipe 1 config mask all

    The above set of rules will create queues (and collect statistics)
    for all traffic. Because the pipes have no limitations, the only
    effect is collecting statistics. Note that we need 3 rules, not just
    the last one, because when ipfw tries to match IP packets it will
    not consider ports, so we would not see connections on separate
    ports as different ones.

Francesco Casadei
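Added example, not part of Francesco's reply or of the ipfw(8) man page text. The pipe rules above only keep per-flow counters inside the kernel; the part of Gene's question about writing each connection's source address and port to its own file is what the ipfw `log` keyword is for. A rule such as `ipfw add 100 count log tcp from any to any in via ed0` emits one syslog line per matching packet (the kernel needs IPFIREWALL_VERBOSE and the sysctl net.inet.ip.fw.verbose=1; net.inet.ip.fw.verbose_limit caps how many lines a rule may log, which matters when the rule matches everything), and ipfw logs through syslog's security facility, which the stock syslog.conf routes to /var/log/security rather than to messages. The script below reads lines in that log format and summarizes which source hosts connected to which destination ports. The interface name ed0, the rule numbers and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): summarize ipfw "log" output.
# Assumes rules like the following, with IPFIREWALL_VERBOSE in the kernel,
# net.inet.ip.fw.verbose=1, and "security.* /var/log/security" in syslog.conf:
#     ipfw add 100 count log tcp from any to any in via ed0
#     ipfw add 200 count log udp from any to any in via ed0
# Interface name, rule numbers and the sample lines below are assumptions.

# Constructed sample log lines in the ipfw syslog line format:
#   ... ipfw: RULE ACTION PROTO SRC:SPORT DST:DPORT in|out via IFACE
SAMPLE_LOG=$(cat <<'EOF'
Feb 12 21:50:01 junior /kernel: ipfw: 100 Count TCP 192.0.2.10:1042 198.51.100.5:21 in via ed0
Feb 12 21:50:03 junior /kernel: ipfw: 100 Count TCP 192.0.2.10:1043 198.51.100.5:21 in via ed0
Feb 12 21:51:10 junior /kernel: ipfw: 100 Count TCP 203.0.113.7:40000 198.51.100.5:22 in via ed0
Feb 12 21:52:49 junior /kernel: ipfw: 200 Count UDP 192.0.2.10:53 198.51.100.5:53 in via ed0
Feb 12 21:53:00 junior /kernel: ipfw: 65000 Deny TCP 203.0.113.7:40001 198.51.100.5:23 in via ed0
Feb 12 21:53:00 junior sshd[123]: unrelated line that must be ignored
EOF
)

# summarize_ipfw_log: read log lines on stdin and print one line per
# (protocol, source host, destination port) as "COUNT PROTO SRC -> DPORT",
# highest count first. Non-ipfw lines are skipped.
summarize_ipfw_log() {
    awk '
        /ipfw: / {
            # locate the "ipfw:" token; the fields after it have a fixed layout
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            proto = $(i + 3); src = $(i + 4); dst = $(i + 5)
            sub(/:[0-9]+$/, "", src)              # drop the ephemeral source port
            dport = dst; sub(/^.*:/, "", dport)   # keep only the destination port
            n[proto " " src " -> " dport]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# top_source: the source host with the most logged packets on stdin.
top_source() {
    summarize_ipfw_log | head -n 1 | awk '{ print $3 }'
}

# Stand-alone usage on the constructed sample; on a live box feed
# /var/log/security instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_ipfw_log
```

On a real gateway run it as `summarize_ipfw_log < /var/log/security`; the Count and Deny lines share one layout, so the same parser covers both accepted connections and blocked probes.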