Date:      Mon, 14 Oct 2002 17:09:43 -0500
From:      "Maildrop" <maildrop@qwest.net>
To:        "Crist J. Clark" <cjc@FreeBSD.ORG>, "Maildrop" <maildrop@qwest.net>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: monitor ALL connections to ALL ports
Message-ID:  <NGBBIILBAKIFGHHCHOHPEEOMFJAA.maildrop@qwest.net>
In-Reply-To: <20021014205437.GA21823@blossom.cjclark.org>



I moved this thread to freebsd-questions@freebsd.org due to a request that
freebsd-security@freebsd.org was an inappropriate place to discuss this issue.


>On Mon, Oct 14, 2002 at 02:31:05PM -0500, Maildrop wrote:
>>
>> I put this rule in:
>>
>> ipfw add count log all from any to any
>>
>> I am getting messages in my log (/var/log/all.log) that appear like this:
>> Oct 14 14:15:06 hydra /kernel: Connection attempt to UDP 192.168.17.1:161 from 192.168.17.1:1166
>
>That's a log_in_vain message, not ipfw(8).
>
>> Which is exactly what I want, but there are a couple of issues:
>>
>> 1) It only logs "failed" connects.  If I try to `telnet localhost 55`, it
>> will log that, but if I do a `telnet localhost 80` (where the web server is
>> running) the connection is valid and it doesn't log it.
>
>Right, that's how log_in_vain works.
>

(from tcp(4))

     tcp.log_in_vain    Log any connection attempts to ports where there is
                        not a socket accepting connections.  The value of 1
                        limits the logging to SYN (connection establishment)
                        packets only.  That of 2 results in any TCP packets to
                        closed ports being logged.  Any value unlisted above
                        disables the logging (default is 0, i.e., the logging
                        is disabled).

'1' is limited to connection established (valid connections) and '2' is
limited to connection failed... how do I get both failed AND established
from log_in_vain?  I want to log all connections, regardless of whether they
failed or succeeded, regardless of whether they have a daemon running on that
port or not.

Currently, they are both set as '1':

net.inet.tcp.log_in_vain: 1
net.inet.udp.log_in_vain: 1


>> 2) How do I set up syslog for this?  The ipfw man page says it logs to the
>> LOG_SECURITY facility.  I want to log all connections (failed or not) into
>> one file.
>>
>> This is what I currently have in my syslogd.conf file (the log above I am
>> pulling from all.log):
>>
>> security.*                                      /var/log/security
>> log.security                                    /var/log/ipfw.log
>>
>> Both these files are empty :(  I restarted syslogd.
>
>The second one should give you an error. The first one should catch
>ipfw(8) logging. You did rebuild your kernel with IPFIREWALL and
>IPFIREWALL_VERBOSE, right?
>

Yep.  4.7-release:

options         IPFIREWALL
options         IPDIVERT
options         IPFIREWALL_VERBOSE              #enable logging to syslogd(8)
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPSTEALTH                       #support for stealth forwarding

Kernel that is currently running (from the kernel config above, clean reboot and
I didn't change any sysctls):

net.inet.ip.fw.enable: 1
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 100
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.static_count: 7
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_grace_time: 10
net.link.ether.ipfw: 0

Something weird that I found:

hydra# ipmon -D /var/log/ipfw.log
/dev/ipl: open: Device not configured

hydra# file /dev/ipl
/dev/ipl: character special (79/0)

hydra# grep ipmon /etc/rc.conf
ipmon_enable="NO"               # Set to YES for ipmon; needs ipfilter or ipnat
ipmon_program="/sbin/ipmon"     # where the ipfilter monitor program lives
ipmon_flags="-Ds"               # typically "-Ds" or "-D /var/log/ipflog"

Is ipmon part of ipfw?


hydra# cd /var/log

hydra# ls -l ipfw*
-rw-r--r--  1 root  wheel    0 Oct 14 13:26 ipfw.log
-rw-------  1 root  wheel  163 Oct 13 03:05 ipfw.today
-rw-------  1 root  wheel  151 Oct 12 03:07 ipfw.yesterday

hydra# cat ipfw.log

hydra# cat ipfw.today
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
65535       0          0 deny ip from any to any

hydra# cat ipfw.yesterday
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 deny ip from 127.0.0.0/8 to any
65535     0        0 deny ip from any to any

hydra# ipfw list
00050 divert 8668 ip from any to any via dc1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65100 count log logamount 100 ip from any to any
65535 deny ip from any to any

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
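The two things the posted `ipfw list` output and the log_in_vain discussion turn on, as an added shell example that is not part of the original mail and not FreeBSD's own code. ipfw is first-match: `allow` terminates rule processing while `count` does not, so a `count log` rule numbered 65100 behind `65000 allow ip from any to any` can never match, which is consistent with the empty ipfw.log. Logging rules therefore have to sit before the terminating rule, and a TCP rule restricted with `setup` (SYN without ACK) gives one log line per connection attempt, whether or not a daemon answers, instead of one line per packet. The script assumes the `ipfw:` and `Connection attempt to` message formats as they appear in the poster's output; every log line in it is constructed for illustration, and the interface `dc1` and divert port 8668 are copied from the posted ruleset.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeBSD).  Assumes the
# ipfw(8) and log_in_vain message formats shown in the poster's output;
# all log lines below are constructed for illustration.
#
#  * ipfw is first-match: "allow" terminates rule processing, so a
#    "count log" rule placed AFTER "65000 allow ip from any to any" is
#    never reached.  Logging rules must come before the terminating rule.
#  * ipfw "log" writes one line per packet.  "setup" matches only TCP SYNs
#    (no ACK), i.e. one line per connection attempt; UDP has no setup, so
#    every datagram is logged.

# Ruleset in "ipfw list" form with the logging rules first.  logamount 0
# removes the per-rule log limit (otherwise logging stops after
# net.inet.ip.fw.verbose_limit packets until "ipfw resetlog").
# To load: ipfw -q flush; rules_for_logging | while read r; do ipfw -q add $r; done
rules_for_logging() {
    cat <<'EOF'
00010 count log logamount 0 tcp from any to any setup
00020 count log logamount 0 udp from any to any
00050 divert 8668 ip from any to any via dc1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
EOF
}

# Read "ipfw list" output on stdin and print the numbers of "log" rules that
# can never match because an unconditional allow/deny precedes them.
unreachable_log_rules() {
    awk '
        blocked && / log / { print $1 }
        ($2 == "allow" || $2 == "deny") && / ip from any to any$/ { blocked = 1 }
    '
}

# Normalise kernel log lines from both sources into
#   <source> <proto> <src> -> <dst>
# so accepted connections (seen only by ipfw) and connections to closed
# ports (seen by log_in_vain, and by ipfw once the rules above are loaded)
# can be read from one file.
summarize_connections() {
    awk '
        # log_in_vain: "... Connection attempt to PROTO DST from SRC"
        /Connection attempt to / {
            for (i = 1; i <= NF; i++)
                if ($i == "to") { proto = $(i+1); dst = $(i+2); src = $(i+4); break }
            printf "in_vain %s %s -> %s\n", tolower(proto), src, dst
            next
        }
        # ipfw: "... ipfw: RULE ACTION PROTO SRC DST DIR via IFACE"
        / ipfw: / {
            for (i = 1; i <= NF; i++)
                if ($i == "ipfw:") { action = $(i+2); proto = $(i+3); src = $(i+4); dst = $(i+5); break }
            sub(/:.*/, "", proto)      # "ICMP:8.0" -> "ICMP"
            printf "ipfw:%s %s %s -> %s\n", tolower(action), tolower(proto), src, dst
            next
        }
    '
}

# The ruleset as posted in the thread (only rule 65100 carries "log").
POSTED_RULESET=$(cat <<'EOF'
00050 divert 8668 ip from any to any via dc1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65100 count log logamount 100 ip from any to any
65535 deny ip from any to any
EOF
)

# Constructed sample of what syslogd would collect into one file.
SAMPLE_LOG=$(cat <<'EOF'
Oct 14 14:15:06 hydra /kernel: Connection attempt to UDP 192.168.17.1:161 from 192.168.17.1:1166
Oct 14 14:15:09 hydra /kernel: Connection attempt to TCP 192.168.17.1:55 from 127.0.0.1:1167
Oct 14 14:16:01 hydra /kernel: ipfw: 10 Count TCP 192.168.17.5:2201 192.168.17.1:80 in via dc1
Oct 14 14:16:02 hydra /kernel: ipfw: 20 Count UDP 192.168.17.1:1170 192.168.17.1:161 out via lo0
Oct 14 14:16:03 hydra /kernel: ipfw: 200 Deny ICMP:8.0 10.0.0.9 127.0.0.1 in via dc1
EOF
)

echo "log rules unreachable in the posted ruleset:"
printf '%s\n' "$POSTED_RULESET" | unreachable_log_rules
echo "log rules unreachable in the corrected ruleset:"
rules_for_logging | unreachable_log_rules
echo "connections:"
printf '%s\n' "$SAMPLE_LOG" | summarize_connections
```

On the syslog side: ipfw logs with the LOG_SECURITY facility, so the selector is `security.*` (the default FreeBSD syslog.conf already sends it to /var/log/security); `log.security` is not a valid selector, which is why Crist expected an error from it. The log_in_vain messages are ordinary kernel log() output and arrive under the `kern` facility, so a single file for both needs a line such as `security.*;kern.* /var/log/connections.log`, with the caveat that `kern.*` also captures every other kernel message.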