Date:      Fri, 7 Jul 2000 21:43:19 -0700
From:      "Dan O'Connor" <dan@mostgraveconcern.com>
To:        "Brian D. Moffet" <brianm@moffetimages.com>, <freebsd-questions@FreeBSD.ORG>
Subject:   Re: ipfw
Message-ID:  <014e01bfe897$0aa73820$0200000a@danco>

>How do I configure ipfw to log all connections to a NIC on my machine?
>So I want to log the connections from the outside NIC to my machine.
>
>I don't want all packets, just the connections.   I have


The best way I know is to create logging 'setup' rules for all TCP services
that you want to monitor and tell IPFW to log them.

For example, if you want to log all connections to your web server from the
outside world and log secure shell connections from both the outside world
and from your inside network, you would add rules like this (in
/etc/rc.firewall):

    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass log tcp from any to any 80 in via ${oif} setup
    ${fwcmd} add pass log tcp from any to ${onet}:${omask} 22 in via ${oif} setup
    ${fwcmd} add pass log tcp from any to ${inet}:${imask} 22 in via ${iif} setup

The 'setup' filters on the ACK bit not being set (only the first packet of a
TCP connection). The first rule allows already setup connections (ACK bit
set) to proceed with a minimum of overhead.

Note that this method only works for TCP connections, not UDP or ICMP since
these do not use an ACK bit. You either have to log all packets or none...


>options IPFIREWALL              #firewall
>options         IPFIREWALL_VERBOSE      #print information about
> # dropped packets
>options         IPFIREWALL_FORWARD      #enable transparent proxy support
>options "IPFIREWALL_VERBOSE_LIMIT=10" #limit verbosity
>options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
>options IPDIVERT #divert sockets

I'd comment out the IPFIREWALL_VERBOSE_LIMIT or set it to something much
higher, or you're only going to see the first 10 log entries for each rule
you have logging turned on.

I'd also recommend not using the IPFIREWALL_DEFAULT_TO_ACCEPT option, and
taking the time to set up the simple section of /etc/rc.firewall to allow only
the services you want...

Hope this helps,

--Dan

--
Dan O'Connor
On Matters of Most Grave Concern
http://www.mostgraveconcern.com
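The logging pattern from the reply above, generalised to any number of TCP services, as an added example that is not part of the original thread. It assumes a POSIX shell; the "iface:net:mask:port" spec format and the function names are hypothetical, and fwcmd is a stand-in for the variable /etc/rc.firewall already defines.

```shell
#!/bin/sh
# Added example (not from the original post): emit an rc.firewall fragment
# that logs only TCP connection attempts (the SYN-only 'setup' packet)
# for a list of services, instead of logging every packet.
# Spec format (hypothetical): iface:dstnet:dstmask:port, with "any" allowed
# for dstnet/dstmask, e.g. "fxp0:any:any:80" or "fxp1:10.0.0.0:255.0.0.0:22".

fwcmd="ipfw"   # placeholder; rc.firewall sets ${fwcmd} itself

# gen_log_rules spec...  -> prints the rule block on stdout.
# The 'established' rule comes first on purpose: every packet after the
# handshake matches it cheaply and never reaches a logging rule, so only
# one log entry is produced per connection.
gen_log_rules() {
    printf '%s add pass tcp from any to any established\n' "$fwcmd"
    for spec in "$@"; do
        iface=${spec%%:*}; rest=${spec#*:}
        net=${rest%%:*};   rest=${rest#*:}
        mask=${rest%%:*};  port=${rest#*:}
        if [ "$net" = any ]; then
            dst=any
        else
            dst="${net}:${mask}"   # ipfw takes a dotted netmask here
        fi
        printf '%s add pass log tcp from any to %s %s in via %s setup\n' \
            "$fwcmd" "$dst" "$port" "$iface"
    done
}

# count_log_rules fragment -> number of logging rules in the fragment.
# Each of these rules is subject to IPFIREWALL_VERBOSE_LIMIT separately,
# so with the default of 10 each stops logging after ten entries.
count_log_rules() {
    printf '%s\n' "$1" | grep -c ' log '
}

# Stand-alone usage: print the fragment for the three services in the post.
gen_log_rules "fxp0:any:any:80" "fxp0:192.0.2.0:255.255.255.0:22" \
              "fxp1:10.0.0.0:255.0.0.0:22"
```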
