From: Sergey Zaharchenko
To: Nikos Vassiliadis
cc: freebsd-questions@freebsd.org, Spades
Date: Tue, 26 Oct 2004 07:44:10 +0400
Subject: Re: ipfw flooding in /var/log/ipfw.log
Message-ID: <20041026034409.GB475@shark.localdomain>
In-Reply-To: <200410251748.00620.nvass@teledome.gr>
List: freebsd-questions@freebsd.org (User questions)

On Mon, Oct 25, 2004 at 05:48:00PM +0300, Nikos Vassiliadis probably wrote:

> On Monday 25 October 2004 16:46, Spades wrote:
> > error:
> >
> > # ipfw add 900 allow log all from any to any setup
> > ipfw: unknown argument ``setup''
>
> setup is available only for TCP connections. So
>     ipfw add allow log logamount 0 tcp from any to any setup
> would be the correct one. But this is hardly what you want to do,
> since it matches only the three-way handshake TCP does. The rest of
> the stream will be dropped if your last rule (65535) is the default
> one (deny ip from any to any).
>
> This will log every TCP connection setup, and let the rest of the
> stream flow:
>     allow log logamount 0 tcp from any to any setup
>     allow tcp from any to any
>
> BUT this is not a firewall setup. It's just a TCP connection logger.
> You should do a little reading about TCP/IP, in order to understand
> how to set up a firewall.

From the start of this thread:

> I would like to monitor the connections (source IP + destination port)
> of all connections to my server, can I use ipfw?

I assumed that the OP was familiar with ipfw.

BTW, Spades: if you `allow' any packets before those rules, they will
not be matched by the rules suggested. In short, IPFW only processes a
packet until it matches an allow/deny rule, and then takes action and
stops processing. You should add the `log' keyword to any rule where
you allow (or deny) a connection.

If you use a `count log logamount 0 tcp from any to any setup' before
any other rules, you should be logging all the TCP connections while
you can later allow or deny in your ruleset. However, that wouldn't be
too informative, as it wouldn't say if the connection was accepted.

-- 
DoubleF
Alexander Graham Bell is alive and well in New York, and still waiting
for a dial tone.
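An added example, not part of this thread: the `count log` rule placed before the allow/deny rules produces a log entry for every TCP setup, while the `log` keyword on the allow/deny rules is what records the verdict. The shell function below pulls out what the original question asked for (source IP and destination port) from constructed ipfw syslog lines; the line layout (rule number, action, protocol, src:port, dst:port, direction, interface) is assumed from ipfw's `log` output.

```shell
#!/bin/sh
# Constructed sample lines in the syslog layout assumed for ipfw's `log`
# keyword. "Count" lines come from the early `count log ... setup` rule,
# "Accept"/"Deny" lines from `log` on the allow/deny rules that follow.
SAMPLE_LOG='Oct 26 07:44:10 shark kernel: ipfw: 900 Count TCP 213.80.149.213:3456 213.80.148.6:25 in via fxp0
Oct 26 07:44:11 shark kernel: ipfw: 900 Count TCP 10.0.0.7:49152 213.80.148.6:22 in via fxp0
Oct 26 07:44:12 shark kernel: ipfw: 1000 Accept TCP 213.80.149.213:3456 213.80.148.6:25 in via fxp0
Oct 26 07:44:13 shark kernel: ipfw: 65535 Deny TCP 10.0.0.7:49152 213.80.148.6:22 in via fxp0
Oct 26 07:44:14 shark kernel: ipfw: 1000 Accept UDP 10.0.0.9:5353 213.80.148.6:53 in via fxp0'

# Read ipfw log lines on stdin and print "src_ip dst_port action" for every
# TCP line whose action matches $1 (Count, Accept or Deny). Non-TCP lines
# and lines that are not ipfw entries are ignored.
ipfw_conns() {
    awk -v want="$1" '
        $6 == "ipfw:" && $9 == "TCP" && $8 == want {
            split($10, src, ":")   # source address:port
            split($11, dst, ":")   # destination address:port
            print src[1], dst[2], $8
        }'
}

# Number of distinct (src_ip, dst_port) pairs seen for one action.
# "Count" gives every setup; "Accept"/"Deny" tell you the verdict.
ipfw_count() {
    printf '%s\n' "$SAMPLE_LOG" | ipfw_conns "$1" | sort -u | wc -l | tr -d ' '
}
```

Run against a real log with `ipfw_conns Deny < /var/log/ipfw.log` to list the refused setups alone.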