On Fri, Apr 16, 2004 at 12:51:31PM -0500, Ben Beuchler wrote:
Date: Fri, 16 Apr 2004 12:51:31 -0500
From: Ben Beuchler <[EMAIL PROTECTED]>
Subject: Identifying traffic logged by ipfw

I'm working on a new bridging firewall using ipfw on FBSD 5.1.  The goal
is to default to closed with a few exceptions.  To test my ruleset, I end
with this rule:

add 420 allow log ip from any to any

The idea is that by watching the logs I could see what protocols I forgot
to create rules for.  This is what I'm getting in the logs:

Apr 16 16:43:40 bfw kernel: ipfw: 420 Accept MAC in via em2

I'm guessing this means it's matching non-ip traffic, but I couldn't find
any info to confirm this.  Is there any sort of trick I could use to log
the entire packet?  Since nothing about the source or destination was
logged, I don't have enough info to create a tcpdump filter.  Perhaps some
sort of divert rule?

I don't know about FreeBSD 5.1, but on -CURRENT I use the following patch for /sys/netinet/ip_fw2.c:

--- ip_fw2.c.orig       Fri Dec 26 15:21:46 2003
+++ ip_fw2.c    Sun Jan 25 22:45:45 2004
@@ -577,6 +577,16 @@

        if (hlen == 0) {        /* non-ip */
                snprintf(SNPARGS(proto, 0), "MAC");
+               if (eh != NULL)
+                       snprintf(SNPARGS(proto, 3),
+                               " %02x:%02x:%02x:%02x:%02x:%02x 
%02x:%02x:%02x:%02x:%02x:%02x 0x%04x",
+                               eh->ether_dhost[0], eh->ether_dhost[1],
+                               eh->ether_dhost[2], eh->ether_dhost[3],
+                               eh->ether_dhost[4], eh->ether_dhost[5],
+                               eh->ether_shost[0], eh->ether_shost[1],
+                               eh->ether_shost[2], eh->ether_shost[3],
+                               eh->ether_shost[4], eh->ether_shost[5],
+                               ntohs(eh->ether_type));
        } else {
                struct ip *ip = mtod(m, struct ip *);
                /* these three are all aliases to the same thing */
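Review bot: the format string of the new snprintf is broken across two lines as posted (`" %02x:%02x:%02x:%02x:%02x:%02x ` ends one line and `%02x:%02x:%02x:%02x:%02x:%02x 0x%04x",` begins the next, with no closing quote in between), so the hunk will not compile as shown; join it into one literal or split it into two adjacent literals, each closed with a quote. Two smaller points: `SNPARGS(proto, 3)` hard-codes the three characters written by the preceding `snprintf(SNPARGS(proto, 0), "MAC")`, so using that call's return value as the offset would keep the two in step; and the new text adds 43 characters after "MAC" (two 17-character addresses, three separating spaces and a 6-character type), so proto[] needs at least 47 bytes or SNPARGS will make snprintf silently truncate the EtherType at the end, which is the one field the log reader most needs. The output also does not say which address is which; printing ether_shost before ether_dhost, or separating the two with `->`, would make the line self-describing.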



Ben Beuchler                                           There is no spoon.
[EMAIL PROTECTED]                                            -- The Matrix

-- Dancho Penev

GnuGP public key: http://www.mnet.bg/~dpenev/gnupg.key
Key fingerprint: E88D 8B7B 3EF6 E9C8 C5D2  7554 2AA8 C347 71A1 4277
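As an added example (not code from this thread, from the patch above or from FreeBSD), here is a user-space C decoder that renders a raw Ethernet frame the way the patched ipfw_log() would print it after "MAC" (destination, source, raw type field), classifies the frame, and derives the tcpdump filter that would capture that class on the bridge member. It goes a little beyond the patch: it tells an IEEE 802.3 length field (what STP BPDUs carry, the usual "MAC" hit on a bridging firewall) from a real EtherType, and it looks inside an 802.1Q tag, where the kernel log would only ever show 0x8100. The struct and function names and the three sample frames (an STP BPDU, an ARP request, a VLAN-10 IPv4 packet) are constructed for this example.

```c
/* Added example, not part of the ipfw patch or of FreeBSD: decode a raw
 * Ethernet frame the way the patched ipfw_log() prints it after "MAC"
 * (dst src type), classify it, and derive a tcpdump filter for that class.
 * Names and the sample frames are made up for this example. */
#include <arpa/inet.h>     /* ntohs */
#include <net/ethernet.h>  /* struct ether_header, ETHER_HDR_LEN, ETHERTYPE_* */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef ETHERTYPE_VLAN
#define ETHERTYPE_VLAN 0x8100
#endif
#define ETHERTYPE_MIN 0x0600  /* a type field below this is an IEEE 802.3 length */

struct frame_info {
    uint16_t    type;        /* EtherType, or the 802.3 length field */
    int         is_8023;     /* 1 when the type field is an 802.3 length */
    int         vlan;        /* 802.1Q VLAN id, or -1 when untagged */
    const char *name;        /* best-effort protocol name */
    char        logline[64]; /* what the patched ipfw log line would carry */
    char        filter[64];  /* tcpdump filter that selects this class */
};

/* llc points just past the Ethernet header (and any 802.1Q tag). */
static const char *frame_name(uint16_t type, int is_8023,
                              const uint8_t *llc, size_t llc_len)
{
    if (is_8023)  /* STP BPDUs: 802.3 frame with LLC DSAP = SSAP = 0x42 */
        return (llc_len >= 2 && llc[0] == 0x42 && llc[1] == 0x42)
               ? "STP BPDU (802.3/LLC 0x42)" : "IEEE 802.3/LLC";
    switch (type) {
    case ETHERTYPE_IP:  return "IPv4";
    case ETHERTYPE_ARP: return "ARP";
    case 0x8035:        return "RARP";
    case 0x86dd:        return "IPv6";
    default:            return "unknown EtherType";
    }
}

/* Returns -1 if the frame is too short, otherwise 0 with *fi filled in. */
int decode_frame(const uint8_t *frame, size_t len, struct frame_info *fi)
{
    struct ether_header eh;
    size_t off = ETHER_HDR_LEN;

    if (len < ETHER_HDR_LEN)
        return -1;
    memcpy(&eh, frame, ETHER_HDR_LEN);  /* copy out: no unaligned reads */
    memset(fi, 0, sizeof *fi);
    fi->vlan = -1;
    fi->type = ntohs(eh.ether_type);

    /* 802.1Q: a 4-byte tag (TCI, then the real EtherType) follows the header;
     * the kernel log would only show 0x8100, so look inside to classify. */
    if (fi->type == ETHERTYPE_VLAN) {
        if (len < off + 4)
            return -1;
        fi->vlan = ((frame[off] << 8) | frame[off + 1]) & 0x0fff;
        fi->type = (uint16_t)((frame[off + 2] << 8) | frame[off + 3]);
        off += 4;
    }
    fi->is_8023 = fi->type < ETHERTYPE_MIN;
    fi->name = frame_name(fi->type, fi->is_8023, frame + off, len - off);

    /* Same layout the patch appends after "MAC": dst, src, raw type field. */
    snprintf(fi->logline, sizeof fi->logline,
             "MAC %02x:%02x:%02x:%02x:%02x:%02x %02x:%02x:%02x:%02x:%02x:%02x 0x%04x",
             eh.ether_dhost[0], eh.ether_dhost[1], eh.ether_dhost[2], eh.ether_dhost[3],
             eh.ether_dhost[4], eh.ether_dhost[5], eh.ether_shost[0], eh.ether_shost[1],
             eh.ether_shost[2], eh.ether_shost[3], eh.ether_shost[4], eh.ether_shost[5],
             ntohs(eh.ether_type));

    /* Capture filter for "tcpdump -e -n -i em2 '<filter>'" on the bridge member. */
    if (fi->vlan >= 0)
        snprintf(fi->filter, sizeof fi->filter, "vlan %d and ether proto 0x%04x",
                 fi->vlan, fi->type);
    else if (fi->is_8023)
        snprintf(fi->filter, sizeof fi->filter, "ether[12:2] < 0x0600");
    else
        snprintf(fi->filter, sizeof fi->filter, "ether proto 0x%04x", fi->type);
    return 0;
}

/* Constructed samples: an STP BPDU, an ARP request, a VLAN-10 IPv4 packet. */
const uint8_t stp_frame[] = { 0x01,0x80,0xc2,0x00,0x00,0x00, 0x00,0x11,0x22,0x33,0x44,0x55,
                              0x00,0x26, 0x42,0x42,0x03, 0x00,0x00,0x00,0x00,0x00 };
const uint8_t arp_frame[] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55,
                              0x08,0x06, 0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01 };
const uint8_t vlan_frame[] = { 0x00,0xaa,0xbb,0xcc,0xdd,0xee, 0x00,0x11,0x22,0x33,0x44,0x55,
                               0x81,0x00, 0x00,0x0a, 0x08,0x00, 0x45,0x00,0x00,0x14 };

int main(void)
{
    const uint8_t *frames[] = { stp_frame, arp_frame, vlan_frame };
    const size_t lens[] = { sizeof stp_frame, sizeof arp_frame, sizeof vlan_frame };
    struct frame_info fi;

    for (size_t i = 0; i < 3; i++)
        if (decode_frame(frames[i], lens[i], &fi) == 0)
            printf("%s  %-26s  tcpdump: '%s'\n", fi.logline, fi.name, fi.filter);
    return 0;
}
```

The filter strings are ordinary pcap syntax (`ether proto`, `vlan`, and a byte-offset test on the type field), so once a "MAC" entry from the patched kernel gives you the type, `tcpdump -e -n -i em2 '<filter>'` prints the link-level header of exactly those frames, which is the tcpdump filter the original question was missing. Note that in the 802.3 case the logged value is a length, not a protocol, so the LLC bytes (here the 0x42/0x42 STP check) are what actually identify the traffic.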
