From owner-freebsd-security Thu Dec 14 20:44:04 2000
From: Darren Reed
Message-Id: <200012150443.PAA19298@caligula.anu.edu.au>
Subject: Re: Extended ipfw Logging
To: Gerhard.Sittig@gmx.net (Gerhard Sittig)
Date: Fri, 15 Dec 2000 15:43:48 +1100 (Australia/ACT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20001214205854.J253@speedy.gsinet> from "Gerhard Sittig" at Dec 14, 2000 08:58:54 PM

In some mail from Gerhard Sittig, sie said:
[...]
> > WHAT THE PATCHES DO
> >
> > There are new fields for all packets. Data from the IP header,
> > the IP ID, TTL, and extra fragmentation information is printed
> > for all types of datagrams. TCP packets include additional
> > information on sequence number, acknowledgement number, and
> > flags.
>
> Why not have the "verbosity" written in the matching rule? One
> surely doesn't want to bloat *all* logged entries (not even log
> all denials, and maybe log some accepted packets too). Expand
> the filter description for the log verbosity level and reference
> this field when the match is meant to log something.
>
> I'm not saying that ipf(4) is the cure for everything. But
> looking at "man 5 ipf" here's what I really like about it and you
> might, too:
>
> log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
>
> Although the above "loglevel" is different from your verbosity
> idea (it's a syslog facility.level pair) you might want to have
> the best of both worlds in ipfw(4) and code syslog levels as well
> as your verbosity controlling what packet characteristics to
> print out and where to do so? :)

Well, I should point out that the output you see for ipfilter logs is
generated (usually) by ipmon. If you changed that and that alone, you
could have it display every field in the TCP/IP headers.

An alternative to generating log information with "ipmon -Ds" or
"ipmon -D /var/log/ipflog" is to do "cat /dev/ipl > /var/log/ipflog"
and then generate text from the binary with "ipmon -stf /var/log/ipflog".

Hmmm.... I should add a standard option to ipmon which saves the binary
log data to one file and does something else with the text. That way you
get the "summary" of the important data as text via syslog or some other
means as well as the complete details in the binary file.

Getting back to what you are discussing here, the problem I have with
variable verbosity is that the text then becomes irregular for the
purpose of parsing and analysis.

Darren
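The ipf "log" clause grammar quoted in the thread, worked through as an added example that is not code from the mail or from ipfilter: a Python parser for that clause (assuming, as Gerhard describes, that the "level" argument is a syslog facility.priority pair) plus a small audit over a constructed ruleset that reports which rules log, with which options, and to which syslog level.

```python
# syslog(3) facility and priority names, used to validate ipf's "level" argument.
FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"}
PRIORITIES = {"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"}

def parse_log_clause(tokens, i):
    """Parse an ipf 'log' clause starting at tokens[i] == "log", following
    log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ].
    Returns (settings, index of the first token after the clause)."""
    if tokens[i] != "log":
        raise ValueError("clause must start with 'log'")
    settings = {"body": False, "first": False, "or-block": False, "level": None}
    i += 1
    # The optional flags appear in grammar order, each at most once.
    for kw in ("body", "first", "or-block"):
        if i < len(tokens) and tokens[i] == kw:
            settings[kw] = True
            i += 1
    if i < len(tokens) and tokens[i] == "level":
        if i + 1 >= len(tokens):
            raise ValueError("'level' requires a facility.priority argument")
        fac, _, pri = tokens[i + 1].partition(".")
        # Assumption: the argument is always facility.priority (bare priority rejected).
        if fac not in FACILITIES or pri not in PRIORITIES:
            raise ValueError("bad loglevel %r: expected facility.priority" % tokens[i + 1])
        settings["level"] = (fac, pri)
        i += 2
    return settings, i

def audit_rules(text):
    """Summarise the logging behaviour of each rule in ipf.conf-style text.
    Returns a list of (line number, action, log settings or None)."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        settings = None
        if "log" in tokens:
            settings, _ = parse_log_clause(tokens, tokens.index("log"))
        report.append((n, tokens[0], settings))
    return report

# Constructed sample ruleset (not from the mail), exercising the grammar above.
SAMPLE_RULES = """\
# block inbound traffic on fxp0 and log it to local0.info
block in log first level local0.info quick on fxp0 from any to any
pass in log body level auth.notice quick on fxp0 proto tcp from any to any port = 22 flags S
pass out quick on fxp0 from any to any keep state
"""
```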