Date: Sun, 5 May 1996 20:02:22 -0500 (CDT)
From: Alex Nash <alex@zen.nash.org>
To: security@freebsd.org
Subject: ipfw logging in /etc/security
Message-ID: <199605060102.UAA02446@zen.nash.org>

I've added a couple of lines (ok, really I stole them from the setuid diff
section) to my /etc/security that show changes in ipfw denied packet counts.
Perhaps if someone who has commit privileges thinks this is worthwhile it
could be added into the standard distribution.

[ Added lines are at end of message ]

An example /etc/security mail may look like:

    checking setuid files and devices:

    checking for uids of 0:
    root 0

    denied packets:
    > 5700 4 176 deny tcp from any to 163.49.131.129 137-139

I can think of one point of contention: The output is generated via diff,
but I'm stripping out everything but the current values. Do we want to
compare them side by side to the packet/byte counts from the previous day?

On a side note, ipfw does not allow resetting of individual packet counters.
Would a modification to ipfw that allowed syntax like:

    ipfw zero 5700

or

    ipfw zero deny tcp from any to 163.49.131.129 137-139

be desirable? I am willing to submit the changes if there is backing for
this.

Alex

(This was tested under 2.1-STABLE, but I think the output of RELEASE is
similar enough that it should work there too.)

    # show denied packets
    ipfw -a l | grep deny > $TMP
    if cmp $LOG/ipfw.today $TMP >/dev/null; then :; else
            echo ""
            echo ""
            echo "denied packets:"
            diff -b $LOG/ipfw.today $TMP | egrep "^>"
            mv $LOG/ipfw.today $LOG/ipfw.yesterday
            mv $TMP $LOG/ipfw.today
    fi
    rm -f $TMP
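
The side-by-side comparison with the previous day's counts that the message asks about could look like the following. This is an added example, not part of the original message or of FreeBSD's /etc/security; the function name deny_delta, the constructed sample snapshots, and the column layout (rule number, packets, bytes, inferred from the sample line in the message) are assumptions.

```shell
#!/bin/sh
# deny_delta OLD NEW: report per-rule growth of ipfw deny counters.
# Assumed line layout (inferred from the sample line in the message):
#   <rule number> <packets> <bytes> deny <rule text ...>
deny_delta() {
    awk '
    # Rule text is fields 4..NF; it is keyed together with the rule number
    # so that two rules sharing a number are still tracked separately.
    function text(   i, t) {
        t = $4
        for (i = 5; i <= NF; i++) t = t " " $i
        return t
    }
    NF < 4 { next }                              # skip blank or short lines
    FILENAME == ARGV[1] {                        # first file: old snapshot
        k = $1 " " text(); oldp[k] = $2 + 0; oldb[k] = $3 + 0; next
    }
    {                                            # second file: new snapshot
        k = $1 " " text(); p = $2 + 0; b = $3 + 0
        op = (k in oldp) ? oldp[k] : 0           # rule absent yesterday: 0
        ob = (k in oldb) ? oldb[k] : 0
        if (p == op && b == ob) next             # nothing new was denied
        note = ""
        # A smaller count means the counters were zeroed (or the host
        # rebooted); everything counted since then is new.
        if (p < op || b < ob) { op = 0; ob = 0; note = " [counters reset]" }
        printf "rule %s: +%d pkts (now %d), +%d bytes (now %d): %s%s\n",
               $1, p - op, p, b - ob, b, text(), note
    }' "$1" "$2"
}

# Constructed sample snapshots (not real traffic), in the layout above.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/yesterday" <<'EOF'
5700 1 44 deny tcp from any to 163.49.131.129 137-139
5800 9 540 deny udp from any to 192.0.2.10 2049
6000 7 420 deny tcp from any to 192.0.2.10 23
EOF
    cat > "$d/today" <<'EOF'
5700 4 176 deny tcp from any to 163.49.131.129 137-139
5800 9 540 deny udp from any to 192.0.2.10 2049
5900 2 120 deny tcp from any to 192.0.2.10 6000
6000 3 180 deny tcp from any to 192.0.2.10 23
EOF
    deny_delta "$d/yesterday" "$d/today"
    rm -rf "$d"
}
demo
```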