With unsigned integers (at least under OpenBSD), the range of group
ID values is 0-65535. If the ID could be expressed as an unsigned long, some
clever ID values could be used to help hint at the reason for a log entry.
For example...
  0xxxxx = Port-based rule groups on external interface; xxxxx = port number
           with leading zeros suppressed (e.g. "head 22" would lead a rule
           group dealing with SSH)
  1xxxxx = Port-based rule groups on internal interface; xxxxx = port number
           with leading zeros included (e.g. "head 100443" would lead a rule
           group dealing with HTTPS)
  2nxxxx = Generic rule group where n represents interface and xxxx is an
           arbitrary number
  4xxxxx = Port-based rule groups on DMZ interface; xxxxx = port number with
           leading zeros included (e.g. "head 300110" would lead a rule group
           dealing with POP3)

The values of 0, 1, and 4 aren't by accident. "0" looks like "O" as in
"Outside". "1" looks like "I" as in "Inside". Finally, "D" (as in "DMZ") is
the fourth letter of the (English) alphabet. Information encoded in the ID
value in this way is, of course, available elsewhere within the log record,
but a single numerical value is typically easier to parse. Just a thought...
Regards,
Mike
--
Michael T. Davis | Systems Specialist: ChE,MSE
E-mail: [EMAIL PROTECTED] | Departmental Networking/Computing
-or- [EMAIL PROTECTED] | The Ohio State University
http://www.er6.eng.ohio-state.edu/~davism/ | 197 Watts, (614) 292-6928
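
A decoder for the group-ID scheme proposed in the message above, added here as an example; it is not part of the original message or of IPFilter. It follows the leading digits as listed (0, 1, 2, 4), reports whether an ID would still fit the 0-65535 range, and assumes log lines carry the matched group and rule as "@group:rule"; the sample lines and the names `decode_group` and `decode_log` are constructed for illustration.

```python
import re

# Leading digit -> interface, as listed in the message (0=Outside, 1=Inside, 4=DMZ).
PORT_CLASSES = {"0": "external", "1": "internal", "4": "dmz"}
# Assumption: log lines carry the matched group and rule as "@group:rule".
GROUP_RULE = re.compile(r"@(\d+):(\d+)\b")

# Constructed sample lines (documentation addresses), not real log data.
SAMPLE_LOG = [
    "07:40:22.512345 fxp0 @22:1 b 203.0.113.9,51514 -> 192.0.2.10,22 PR tcp len 20 60 -S IN",
    "07:40:23.101010 fxp1 @100443:2 b 192.0.2.77,40112 -> 198.51.100.7,443 PR tcp len 20 60 -S IN",
    "07:40:24.000001 fxp2 @400110:1 b 203.0.113.9,51600 -> 192.0.2.25,110 PR tcp len 20 60 -S IN",
    "07:40:25.222222 fxp1 @210007:3 b 192.0.2.77,40200 -> 198.51.100.7,8080 PR tcp len 20 60 -S IN",
]

def decode_group(group_id):
    """Decode a group ID under the proposed six-digit scheme."""
    info = {"group": group_id, "kind": "unknown",
            "fits_16_bits": 0 <= group_id <= 65535}
    if not 0 < group_id <= 999999:
        return info
    digits = str(group_id).zfill(6)  # restore suppressed leading zeros
    lead, rest = digits[0], digits[1:]
    if lead in PORT_CLASSES and 1 <= int(rest) <= 65535:
        info.update(kind="port", interface=PORT_CLASSES[lead], port=int(rest))
    elif lead == "2":
        # 2nxxxx: n identifies the interface, xxxx is arbitrary
        info.update(kind="generic", interface_index=int(rest[0]), number=int(rest[1:]))
    return info

def decode_log(lines):
    """Return (rule_number, decoded_group) for each line with a group field."""
    out = []
    for line in lines:
        m = GROUP_RULE.search(line)
        if m:
            out.append((int(m.group(2)), decode_group(int(m.group(1)))))
    return out

if __name__ == "__main__":
    for rule, info in decode_log(SAMPLE_LOG):
        print(rule, info)
```

Only the external-interface IDs (leading zeros suppressed) stay within 0-65535; every other class needs the wider ID type the message asks for, which `fits_16_bits` makes visible per entry.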