Date:      Tue, 26 Oct 2004 07:44:10 +0400
From:      Sergey Zaharchenko <doublef@tele-kom.ru>
To:        Nikos Vassiliadis <nvass@teledome.gr>
Cc:        Spades <spades@galaxynet.org>
Subject:   Re: ipfw flooding in /var/log/ipfw.log
Message-ID:  <20041026034409.GB475@shark.localdomain>
In-Reply-To: <200410251748.00620.nvass@teledome.gr>
References:  <057501c4ba7d$d65a7fb0$0300a8c0@astral> <20041025133443.GA6371@shark.localdomain> <064801c4ba99$169fcab0$0300a8c0@astral> <200410251748.00620.nvass@teledome.gr>

On Mon, Oct 25, 2004 at 05:48:00PM +0300,
 Nikos Vassiliadis probably wrote:
> On Monday 25 October 2004 16:46, Spades wrote:
> > error:
> >
> > # ipfw add 900 allow log all from any to any setup
> > ipfw: unknown argument ``setup''
>
> setup is available only for TCP connections. So
> ipfw add allow log logamount 0 tcp from any to any setup
> would be the correct one. But this is hardly what
> you want to do, since it matches only the three-way
> handshake TCP does. The rest of the stream will
> be dropped if your last rule(65535) is the default one
> (deny ip from any to any)
>
> This will log every TCP connection setup, and let the rest
> of the stream flow:
> allow log logamount 0 tcp from any to any setup
> allow tcp from any to any
>
> BUT this is not a firewall setup. It's just a TCP connection
> logger. You should do a little reading about TCP/IP, in order
> to understand how to setup a firewall.
>

From the start of this thread:
> I would like to monitor the connections (source IP + destination port)
> of all connections to my server, can I use ipfw?

I assumed that the OP was familiar with ipfw.

BTW, Spades: If you `allow' any packets before those rules, they will not
be matched by the rules suggested. In short, IPFW only processes a
packet until it matches an allow/deny rule, and then takes action and
stops processing. You should add the `log' keyword to any rule where you
allow (or deny) a connection.

If you use a `count log logamount 0 tcp from any to any setup' before
any other rules, you should be logging all the TCP connections while you
can later allow or deny in your ruleset. However, that wouldn't be too
informative, as it wouldn't say if the connection was accepted.

-- 
DoubleF
Alexander Graham Bell is alive and well in New York, and still waiting
for a dial tone.
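An added example, not part of this thread and not ipfw's own code: a small Python model of the first-match processing described above. It shows that a `count log` rule placed before the verdict rules records every TCP setup but never says whether the connection was accepted, while putting `log` on the allow/deny rule that matches the `setup` packet (and leaving the rest of the stream unlogged) records the verdict without flooding the log. The `Rule`/`Packet` classes, rule numbers, addresses and traffic are constructed for illustration, and the log line format is a simplified stand-in for what ipfw actually writes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str               # "allow", "deny" or "count"
    log: bool                 # the `log` keyword
    proto: str                # "tcp", "udp" or "ip" (ip = any protocol)
    dst_port: Optional[int]   # None = any destination port
    setup: bool = False       # ipfw `setup`: only a TCP SYN without ACK


@dataclass
class Packet:
    proto: str
    src: str
    dst_port: int
    syn: bool = False
    ack: bool = False


# Verbs ipfw uses in its log lines for each action (format otherwise simplified)
LOG_VERB = {"allow": "Accept", "deny": "Deny", "count": "Count"}


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    # `setup` matches only the first packet of the three-way handshake
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    return True


def process(ruleset, pkt: Packet, log: list) -> str:
    """Walk the ruleset in order: `count` matches are logged and processing
    continues; the first matching allow/deny rule decides and stops."""
    for rule in ruleset:
        if not matches(rule, pkt):
            continue
        if rule.log:
            log.append(f"ipfw: {rule.number} {LOG_VERB[rule.action]} "
                       f"{pkt.proto.upper()} {pkt.src} -> :{pkt.dst_port}")
        if rule.action in ("allow", "deny"):
            return rule.action
    return "deny"  # implicit last rule 65535: deny ip from any to any


def run(ruleset, packets):
    """Return (verdict per packet, log lines) for a constructed ruleset."""
    log = []
    verdicts = [process(ruleset, p, log) for p in packets]
    return verdicts, log


# Constructed traffic: an SSH handshake (SYN, then a later packet of the
# same stream) and a SYN to port 80 that nothing permits.
PACKETS = [
    Packet("tcp", "192.0.2.10", 22, syn=True),
    Packet("tcp", "192.0.2.10", 22, ack=True),
    Packet("tcp", "192.0.2.20", 80, syn=True),
]

# Ruleset A: count-log first, verdict rules without `log` (logs setups,
# but cannot tell you which ones were accepted).
COUNT_ONLY = [
    Rule(100, "count", True, "tcp", None, setup=True),
    Rule(200, "allow", False, "tcp", 22),
]

# Ruleset B: `log` on the rules that decide, matched only on the setup
# packet so the established stream does not flood ipfw.log.
LOG_ON_VERDICT = [
    Rule(200, "allow", True, "tcp", 22, setup=True),
    Rule(300, "allow", False, "tcp", 22),
    Rule(400, "deny", True, "ip", None),
]

if __name__ == "__main__":
    for name, rs in (("count only", COUNT_ONLY), ("log on verdict", LOG_ON_VERDICT)):
        verdicts, log = run(rs, PACKETS)
        print(name, verdicts)
        for line in log:
            print("   ", line)
```

Both rulesets reach the same verdicts, but only the second produces a log that says `Accept` or `Deny`, and only for the setup packet of each connection.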
