On Thu, Sep 29, 2005 at 11:45:42AM -0400, Bob Johnson wrote:
> In FreeBSD 5.4R, I tried an IPFW configuration that includes something
> like this (plus a lot of other rules):
>
> check-state
> deny tcp from any to any established
> allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
> + other rules that use keep-state
>
> When I do this, _every_ ssh packet is logged, in both directions. To
> get it to log ONLY the initial connection, I had to give up on using
> dynamic rules for ssh and instead do something like:
>
> allow log tcp from any to ${my-ip} dst-port 22 setup
> allow tcp from any to ${my-ip} dst-port 22 established
> allow tcp from ${my-ip} 22 to any established
> check-state
> deny tcp from any to any established
> + other rules that use keep-state
>
> So now I have lost the per-host ssh limit rule I wanted to include,
> and I am filtering packets on flags that can be spoofed
> ("established") rather than the actual dynamic state of the
> connection. Am I wrong to believe there is an advantage to this?
>
> Is there some way to get the first version to log only the initial
> packet while still retaining the dynamic limit src-addr rule?
Yes, you could use count instead of allow.

check-state
count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howto's based on my personal use, including information about setting up
a firewall and creating traffic graphs with MRTG
http://www.kruijff.org/alex/FreeBSD/
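Whichever rule ordering is used, the resulting log is only useful if it is read per connection rather than per packet. The following Python parser is an added example, not code from either poster: it parses ipfw syslog lines, collapses repeated packets of one session into a single inbound SSH connection per source address, and flags sources that exceeded the `limit src-addr 3` budget from the rules above. The host name, interface, addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# ipfw syslog line shape (no TCP flags are logged, so SYN-only logging must come
# from the rule set): "... kernel: ipfw: 300 Accept TCP 192.0.2.10:50123 198.51.100.5:22 in via em0"
IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<ifname>\S+)"
)

def parse_ipfw(line):
    """Fields of one ipfw log line as a dict, or None for unrelated lines."""
    m = IPFW_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def ssh_connections_per_source(lines, my_ip, dport=22):
    """Distinct inbound TCP connections to my_ip:dport per source; a connection is
    (src addr, src port), so per-packet logging of a session still counts once."""
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_ipfw(line)
        if rec is None or rec["proto"] != "TCP" or rec["direction"] != "in":
            continue
        if rec["dst"] != my_ip or rec["dport"] != dport:
            continue
        ports_by_src[rec["src"]].add(rec["sport"])
    return {src: len(ports) for src, ports in ports_by_src.items()}

def over_limit(counts, limit=3):
    """Sources that exceeded the rule's 'limit src-addr' budget (3 on this page)."""
    return sorted(src for src, n in counts.items() if n > limit)

# Constructed sample: my-ip is 198.51.100.5; 192.0.2.10 opens four sessions,
# 203.0.113.7 opens one whose packets are logged repeatedly in both directions.
SAMPLE_LOG = [
    "Sep 29 11:45:42 gw kernel: ipfw: 300 Accept TCP 192.0.2.10:50123 198.51.100.5:22 in via em0",
    "Sep 29 11:45:43 gw kernel: ipfw: 300 Accept TCP 192.0.2.10:50124 198.51.100.5:22 in via em0",
    "Sep 29 11:45:44 gw kernel: ipfw: 300 Accept TCP 192.0.2.10:50125 198.51.100.5:22 in via em0",
    "Sep 29 11:45:45 gw kernel: ipfw: 300 Accept TCP 192.0.2.10:50126 198.51.100.5:22 in via em0",
    "Sep 29 11:46:01 gw kernel: ipfw: 300 Accept TCP 203.0.113.7:41000 198.51.100.5:22 in via em0",
    "Sep 29 11:46:01 gw kernel: ipfw: 300 Accept TCP 203.0.113.7:41000 198.51.100.5:22 in via em0",
    "Sep 29 11:46:01 gw kernel: ipfw: 300 Accept TCP 198.51.100.5:22 203.0.113.7:41000 out via em0",
]
```

Feed it `/var/log/security` (where FreeBSD's default syslog.conf sends ipfw messages) in place of the constructed list; the "out" lines and the repeated packets of one session collapse, so a source only stands out once it has actually opened more than the limit allows.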