----- Original Message -----
From: "Zoran Kolic" <[EMAIL PROTECTED]>
Sent: Sunday, November 02, 2003 9:39 PM

> Dear Drew!
> You are absolutely right.
> I made another rule:
>
> allow log tcp from any to any out setup keep-state
>
> and got 30K log in /var/log/security. This file was untouched
> from installation, and has 600 permission.

You're logging every outbound packet from your machine. You'll either
need a lot of disk space or have to purge your log files often to keep
from running out of space. You probably don't want this once you're
finished testing.

> But, look at:
>
> 65535 35 1468 deny ip from any to any

This is the default rule unless you compile your kernel with the
"DEFAULT_TO_ACCEPT" option.

> gotten from "ipfw show". What is this counting? Maybe nothing for
> logging, but probe dial-up during 1 minute gave it. It is what I
> want to look at. It is what makes me nervous. Probably not packets
> from the net, but what are they?

This rule will not log anything as there is no 'log' in the rule. It
is counting all packets that don't match any rule above it. It is the
*ONLY* rule until your firewall script is finished loading, so it will
always have a count unless you use 'ipfw zero' to clear it. Then it
will still increment if a packet does not match one of the rules
above.

If you want to log all denied packets, just add a rule above it such
as '$fwcmd add 65500 log deny ip from any to any'.

Because I administer my machines remotely, I compiled my kernel with
the DEFAULT_TO_ACCEPT option. That way, when I'm fiddling with my
rules, I don't lock myself out. As the last rule in my firewall
script, I add the 'deny from any to any' rule I describe above.

> You said that verbose limit of 3 is a little bit small. I had the
> idea that it means: take 3 identical inputs of the same sort and
> stop! Not?

Not quite. It means "stop logging after 3 matches on the rule". I
suspect you're thinking that it will log 3 matches from
220.127.116.11 and 3 more matches from 18.104.22.168 on the same
rule. No, 3 matches total no matter from which IP address.

> Thanks for help!

You're welcome.

Drew
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
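A small parser for the two things the thread is looking at, added here as an example and not part of the original exchange: it reads `ipfw show` counters and flags deny-type rules that count packets but carry no `log` keyword (which is exactly what rule 65535 does), and it tallies /var/log/security lines per rule and per source so the "3 matches total, not 3 per address" behaviour of the verbose limit is visible. The `ipfw show` output and the log lines are constructed samples; the line formats follow what ipfw writes via syslog as I recall them, so check the regexes against your own logs before relying on them.

```python
"""Sanity-check ipfw counters and ipfw syslog output (added example).

Not from the original thread. The `ipfw show` output and the
/var/log/security lines below are constructed samples.
"""
import re
from collections import Counter

# `ipfw show`: "<rule> <packets> <bytes> <action> [log ...] <body>"
SHOW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")
# Per-packet syslog line the kernel writes for rules carrying `log`.
LOG_RE = re.compile(
    r"ipfw: (\d+) (\w+) (\S+) (\S+) (\S+) (in|out) via (\S+)")
# Written once when a rule's verbose limit is reached; after this the
# rule keeps matching (and counting) but writes no further log lines.
LIMIT_RE = re.compile(r"ipfw: limit (\d+) reached on entry (\d+)")

DENY_ACTIONS = {"deny", "reject", "unreach"}


def parse_show(text):
    """Return one dict per rule from `ipfw show` output."""
    rules = []
    for line in text.splitlines():
        m = SHOW_RE.match(line)
        if not m:
            continue
        num, pkts, nbytes, body = m.groups()
        tokens = body.split()
        rules.append({
            "rule": int(num),
            "pkts": int(pkts),
            "bytes": int(nbytes),
            "action": tokens[0],
            "log": "log" in tokens[1:],  # `log` is printed after the action
            "body": body,
        })
    return rules


def silent_denies(rules):
    """Deny-type rules that have counted packets but carry no `log`.

    The default rule 65535 is the usual hit: it counts everything that
    matched nothing above it, yet never produces a log line.
    """
    return [r for r in rules
            if r["action"] in DENY_ACTIONS and r["pkts"] > 0 and not r["log"]]


def summarize_log(lines):
    """Per-rule totals, per-source counts and limit hits from syslog lines."""
    stats = {}

    def entry(rule):
        return stats.setdefault(
            rule, {"total": 0, "by_src": Counter(), "limit": None})

    for line in lines:
        m = LOG_RE.search(line)
        if m:
            rule, _action, _proto, src, _dst, _direction, _ifname = m.groups()
            e = entry(int(rule))
            e["total"] += 1
            # Strip the port; ICMP entries carry no port, so rsplit is safe.
            e["by_src"][src.rsplit(":", 1)[0]] += 1
            continue
        m = LIMIT_RE.search(line)
        if m:
            limit, rule = m.groups()
            entry(int(rule))["limit"] = int(limit)
    return stats


# Constructed `ipfw show` sample, modelled on the ruleset in the thread.
SAMPLE_SHOW = """\
00100    12    1440 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300  3021  812345 allow log tcp from any to any out setup keep-state
65500     3     180 deny log ip from any to any
65535    35    1468 deny ip from any to any
"""

# Constructed /var/log/security excerpt with a verbose limit of 3: rule
# 65500 logs three packets from two different sources, then goes quiet.
SAMPLE_LOG = """\
Nov  2 21:39:01 gw /kernel: ipfw: 65500 Deny TCP 192.0.2.10:3456 10.0.0.2:22 in via tun0
Nov  2 21:39:02 gw /kernel: ipfw: 65500 Deny UDP 198.51.100.7:1034 10.0.0.2:137 in via tun0
Nov  2 21:39:05 gw /kernel: ipfw: 65500 Deny TCP 192.0.2.10:3457 10.0.0.2:23 in via tun0
Nov  2 21:39:05 gw /kernel: ipfw: limit 3 reached on entry 65500
Nov  2 21:40:11 gw /kernel: ipfw: 300 Accept TCP 10.0.0.2:49152 203.0.113.5:80 out via tun0
"""

if __name__ == "__main__":
    for r in silent_denies(parse_show(SAMPLE_SHOW)):
        print(f"rule {r['rule']}: {r['pkts']} pkts counted, nothing logged: {r['body']}")
    for rule, e in sorted(summarize_log(SAMPLE_LOG.splitlines()).items()):
        print(f"rule {rule}: {e['total']} logged, by source {dict(e['by_src'])}, "
              f"limit hit: {e['limit']}")
```

Run it against the real output of `ipfw show` and your /var/log/security to get the same two views: any deny rule that is counting but not logging (the 65535 case from the thread) and, for each logging rule, how many lines it produced before its limit cut it off. Once the limit line appears, the rule's `ipfw show` counter is the only place its later matches are still visible.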