Date: Mon, 14 Oct 2002 15:16:26 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Maildrop <maildrop@qwest.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: monitor ALL connections to ALL ports
Message-ID: <20021014221626.GC21823@blossom.cjclark.org>
In-Reply-To: <NGBBIILBAKIFGHHCHOHPEEOMFJAA.maildrop@qwest.net>
References: <20021014205437.GA21823@blossom.cjclark.org> <NGBBIILBAKIFGHHCHOHPEEOMFJAA.maildrop@qwest.net>
On Mon, Oct 14, 2002 at 05:09:43PM -0500, Maildrop wrote:
> >On Mon, Oct 14, 2002 at 02:31:05PM -0500, Maildrop wrote:
> >>
> >> I put these rules in:
> >>
> >> ipfw add count log all from any to any
> >>
> >> I am getting messages in my log (/var/log/all.log) that appear like
> >> this:
> >> Oct 14 14:15:06 hydra /kernel: Connection attempt to UDP 192.168.17.1:161
> >> from 192.168.17.1:1166
> >
> >That's a log_in_vain message, not ipfw(8).
> >
> >> Which is exactly what I want, but there are a couple of issues:
> >>
> >> 1) It only logs "failed" connects. If I try to `telnet localhost 55`, it
> >> will log that, but if I do a `telnet locahost 80` (where the web server is
> >> running) the connection is valid and it doesn't log it.
> >
> >Right, that's how log_in_vain works.
> >
> > (from tcp(4))
> > tcp.log_in_vain Log any connection attempts to ports where there is
> > not a socket accepting connections. The value of 1
> > limits the logging to SYN (connection establishment)
> > packets only. That of 2 results in any TCP packets to
> > closed ports being logged. Any value unlisted above
> > disables the logging (default is 0, i.e., the logging
> > is disabled).
>
> '1' is limited to connection established (valid connections)

No, it's limited to SYN's at _closed_ ports. Read the first sentence
again, "Log any connection attempts to ports where there is not a
socket accepting connections."

> and '2' is
> limited to connection failed... how do I get both failed AND established
> from log_in_vain? I want to log all connections, regardless of whether they failed
> or succeeded, regardless of whether they have a daemon running on that port or not.

log_in_vain doesn't do connections to listening ports. That's the job
of whatever is listening.

> Currently, they are both set as '1':
>
> net.inet.tcp.log_in_vain: 1
> net.inet.udp.log_in_vain: 1
>
> >> 2) How do I set up syslog for this? The ipfw man page says it logs to the
> >> LOG_SECURITY facility. I want to log all connections (failed or not)
> >> into one file..
> >>
> >> This is what I currently have in my syslogd.conf file (the log above I am
> >> pulling from all.log):
> >>
> >> security.* /var/log/security
> >> log.security /var/log/ipfw.log
> >>
> >> Both these files are empty :( I restarted syslogd.
> >
> >The second one should give you an error. The first one should catch
> >ipfw(8) logging. You did rebuild your kernel with IPFIREWALL and
> >IPFIREWALL_VERBOSE, right?

[snip]

> Something weird that I found:
>
> hydra# ipmon -D /var/log/ipfw.log
> /dev/ipl: open: Device not configured
>
> hydra# file /dev/ipl
> /dev/ipl: character special (79/0)
>
> hydra# grep ipmon /etc/rc.conf
> ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter or ipnat
> ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
> ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
>
> Is ipmon part of ipfw?

No, it's part of IPFilter. Here's your problem,

> hydra# ipfw list
> 00050 divert 8668 ip from any to any via dc1
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65100 count log logamount 100 ip from any to any
> 65535 deny ip from any to any

How is anything ever going to reach rule 65100? 65000 passes
everything.
-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021014221626.GC21823>