Re: IPFW logging and dynamic rules

2005-10-06 Thread Bob Johnson
On 10/5/05, jmulkerin <[EMAIL PROTECTED]> wrote:
> How about using Snort and Guardian. Guardian.pl will add an ipfw rule
> each time it sees an alert from Snort.  You'll need to adjust the Snort
> rules for what you want to alert on, but it's a pretty safe and
> lightweight asset. (just my novice 2 cents...)
>

Thanks, I'll look at Guardian.  I had not planned to get that
sophisticated about it, but even if I don't use it on this system, I
have others where it may be just what I need.

- Bob
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: IPFW logging and dynamic rules

2005-10-06 Thread Bob Johnson
On 10/5/05, Alex de Kruijff <[EMAIL PROTECTED]> wrote:
> On Thu, Sep 29, 2005 at 11:45:42AM -0400, Bob Johnson wrote:
> > In FreeBSD 5.4R, I tried an IPFW configuration that includes something
> > like this (plus a lot of other rules):
> >
> >check-state
> >deny tcp from any to any established
> >allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
> > + other rules that use keep-state
[...]
> > Is there some way to get the first version to log only the initial
> > packet while still retaining the dynamic limit src-addr rule?
>
> Yes, you could use count instead of allow.
>
> check-state
> count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
> allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
>

Thanks, I'll try that.  I had overlooked the count option when I was
reading the man pages.

>
> Howto's based on my personal use, including information about
> setting up a firewall and creating traffic graphs with MRTG
> http://www.kruijff.org/alex/FreeBSD/
>

And I will look over your tutorial as well.  Thanks!

- Bob


Re: IPFW logging and dynamic rules

2005-10-05 Thread jmulkerin
How about using Snort and Guardian. Guardian.pl will add an ipfw rule
each time it sees an alert from Snort.  You'll need to adjust the Snort
rules for what you want to alert on, but it's a pretty safe and
lightweight asset. (just my novice 2 cents...)



John

Alex de Kruijff wrote:

> On Thu, Sep 29, 2005 at 11:45:42AM -0400, Bob Johnson wrote:
> > In FreeBSD 5.4R, I tried an IPFW configuration that includes something
> > like this (plus a lot of other rules):
> >
> >    check-state
> >    deny tcp from any to any established
> >    allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
> > + other rules that use keep-state
> >
> > When I do this, _every_ ssh packet is logged, in both directions.  To
> > get it to log ONLY the initial connection, I had to give up on using
> > dynamic rules for ssh and instead do something like:
> >
> >    allow log tcp from any to ${my-ip} dst-port 22 setup
> >    allow tcp from any to ${my-ip} dst-port 22 established
> >    allow tcp from ${my-ip} 22 to any established
> >    check-state
> >    deny tcp from any to any established
> > + other rules that use keep-state
> >
> > So now I have lost the per-host ssh limit rule I wanted to include,
> > and I am filtering packets on flags that can be spoofed
> > ("established") rather than the actual dynamic state of the
> > connection.  Am I wrong to believe there is an advantage to this?
> >
> > Is there some way to get the first version to log only the initial
> > packet while still retaining the dynamic limit src-addr rule?
>
> Yes, you could use count instead of allow.
>
> check-state
> count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
> allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3



Re: IPFW logging and dynamic rules

2005-10-05 Thread Alex de Kruijff
On Thu, Sep 29, 2005 at 11:45:42AM -0400, Bob Johnson wrote:
> In FreeBSD 5.4R, I tried an IPFW configuration that includes something
> like this (plus a lot of other rules):
> 
>check-state
>deny tcp from any to any established
>allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
> + other rules that use keep-state
> 
> When I do this, _every_ ssh packet is logged, in both directions.  To
> get it to log ONLY the initial connection, I had to give up on using
> dynamic rules for ssh and instead do something like:
> 
>allow log tcp from any to ${my-ip} dst-port 22 setup
>allow tcp from any to ${my-ip} dst-port 22 established
>allow tcp from ${my-ip} 22 to any established
>check-state
>deny tcp from any to any established
> + other rules that use keep-state
> 
> So now I have lost the per-host ssh limit rule I wanted to include,
> and I am filtering packets on flags that can be spoofed
> ("established") rather than the actual dynamic state of the
> connection.  Am I wrong to believe there is an advantage to this?
> 
> Is there some way to get the first version to log only the initial
> packet while still retaining the dynamic limit src-addr rule?

Yes, you could use count instead of allow.

check-state
count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howto's based on my personal use, including information about
setting up a firewall and creating traffic graphs with MRTG
http://www.kruijff.org/alex/FreeBSD/


Re: IPFW logging...

2004-09-21 Thread Alex de Kruijff
On Mon, Sep 20, 2004 at 10:27:22PM -0500, Eric F Crist wrote:
> Hello all,
> 
> I may no longer be subscribed, as I've had some mail server problems (I 
> moved), so please reply to me, as well.
> 
> IPFW used to log all entries with the 'log' included in the rule, but
> randomly, to me, anyway, stopped doing so.  I can't seem to get it to
> continue logging.
> 
> Does anyone have any insight?  I'm running FreeBSD 4.10 from about 2
> months ago.  I'm going to cvsup tonight to see if it helps.  What log
> files can I check to verify things are working?  Thanks.

It's a feature, not a bug. I've been with FreeBSD for three years, and back
then you could only have a firewall if you compiled it in. I never had a
reason to change this, so I limit my explanation to that.

You can control this behaviour by changing your kernel configuration file.
You probably have these lines in your config. You are looking for the
last one. You may be able to let it continue by changing 100 to 0, but I
can't tell. If you do, then make sure you also edit /etc/newsyslog.conf
so you don't end up with a large log file.

options IPFIREWALL  
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100 

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/


Re: IPFW logging...

2004-09-21 Thread Matthew Seaman
On Mon, Sep 20, 2004 at 10:27:22PM -0500, Eric F Crist wrote:

> IPFW used to log all entries with the 'log' included in the rule, but
> randomly, to me, anyway, stopped doing so.  I can't seem to get it to
> continue logging.
> 
> Does anyone have any insight?  I'm running FreeBSD 4.10 from about 2
> months ago.  I'm going to cvsup tonight to see if it helps.  What log
> files can I check to verify things are working?  Thanks.

Are you just running into the verbose limit on log messages? That's
the setting of the net.inet.ip.fw.verbose_limit sysctl.  That exists
to prevent anyone DOS-ing you by sending so many nasty packets that
the log files fill up your disk.

I find setting this to a fairly high number (1024) and doing a daily
reset of the counters keeps the logging data coming through more or
less smoothly. I put this in /etc/daily.local:

#!/bin/sh

PATH=/usr/bin:/bin:/sbin ; export PATH

ipfw resetlog

#
# That's All Folks!
#

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614


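Two things in this thread are worth checking on the receiving end of the log: Alex's count-log approach is meant to yield one line per new SSH connection instead of one per packet, and Matthew's point that once net.inet.ip.fw.verbose_limit is reached a rule goes silent until `ipfw resetlog` runs. The following is an added example, not code from this thread or from FreeBSD. It assumes the syslog format ipfw uses for a logged TCP/UDP packet (`ipfw: <rule> <Action> <Proto> <src>:<sport> <dst>:<dport> in|out via <iface>`) and the kernel's `ipfw: limit <N> reached on entry <rule>` notice; the rule number 300, the interface fxp0, the addresses and the per-source limit of 3 are assumptions chosen for the example, and the log lines are constructed.

```python
"""Summarize ipfw log lines: per-source SSH connection attempts, plus the
kernel notice that says a rule's logging was cut off by verbose_limit.

Added example, not code from the thread or from FreeBSD.  Assumed formats:
  ipfw: <rule> <Action> <Proto> <src>:<sport> <dst>:<dport> in|out via <iface>
  ipfw: limit <N> reached on entry <rule>
Rule 300, interface fxp0, the addresses and the limit of 3 are assumptions.
"""
import re
from collections import Counter

EVENT_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)
LIMIT_RE = re.compile(r"ipfw: limit (?P<limit>\d+) reached on entry (?P<rule>\d+)")

# Constructed sample.  Rule 300 stands in for the thread's
#   count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
# rule, assumed here to log one line per new SSH connection; rule 65000 is an
# assumed default deny.  The last line is the kernel's verbose-limit notice.
SAMPLE_LOG = """\
Oct  5 10:01:02 gw kernel: ipfw: 300 Count TCP 192.0.2.10:50123 203.0.113.5:22 in via fxp0
Oct  5 10:01:03 gw kernel: ipfw: 300 Count TCP 192.0.2.10:50124 203.0.113.5:22 in via fxp0
Oct  5 10:01:05 gw kernel: ipfw: 300 Count TCP 192.0.2.10:50125 203.0.113.5:22 in via fxp0
Oct  5 10:01:06 gw kernel: ipfw: 300 Count TCP 192.0.2.10:50126 203.0.113.5:22 in via fxp0
Oct  5 10:02:00 gw kernel: ipfw: 300 Count TCP 198.51.100.7:40001 203.0.113.5:22 in via fxp0
Oct  5 10:03:10 gw kernel: ipfw: 65000 Deny UDP 198.51.100.9:137 203.0.113.5:137 in via fxp0
Oct  5 10:04:00 gw kernel: ipfw: limit 100 reached on entry 300
"""


def parse_line(line):
    """Return ("event", fields) for a logged packet, ("limit", fields) for the
    verbose-limit notice, or None (ICMP lines carry no ports; not handled)."""
    m = EVENT_RE.search(line)
    if m:
        f = m.groupdict()
        for key in ("rule", "sport", "dport"):
            f[key] = int(f[key])
        return ("event", f)
    m = LIMIT_RE.search(line)
    if m:
        return ("limit", {"limit": int(m["limit"]), "rule": int(m["rule"])})
    return None


def attempts_per_source(log_text, dport=22):
    """Count inbound TCP events to dport per source address.  When the rule
    fires once per connection this counts attempts, not packets."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] != "event":
            continue
        ev = parsed[1]
        if ev["proto"] == "TCP" and ev["dport"] == dport and ev["direction"] == "in":
            counts[ev["src"]] += 1
    return counts


def sources_over_limit(counts, limit=3):
    """Sources with more logged attempts than the per-source state limit.
    The log does not say whether the allow rule took the extra connections,
    so this is a list of hosts to look at, not a list of blocked hosts."""
    return sorted(src for src, n in counts.items() if n > limit)


def limit_notices(log_text):
    """Return [(limit, rule), ...] for each verbose-limit notice.  After it
    the rule logs nothing until `ipfw resetlog`, so silence is not evidence
    that the traffic stopped."""
    notices = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None and parsed[0] == "limit":
            notices.append((parsed[1]["limit"], parsed[1]["rule"]))
    return notices


if __name__ == "__main__":
    counts = attempts_per_source(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src:<16} {n} connection(s) to port 22")
    for src in sources_over_limit(counts):
        print(f"{src} exceeded the per-source limit of 3")
    for limit, rule in limit_notices(SAMPLE_LOG):
        print(f"rule {rule} hit verbose_limit {limit}; logging stopped, run 'ipfw resetlog'")
```

Run it against a real /var/log/security (or wherever syslog.conf sends LOG_SECURITY) by replacing SAMPLE_LOG with the file contents; if `limit_notices` returns anything, the count from `attempts_per_source` for that rule is a floor, not the real number, until the counters are reset as Matthew's daily.local does.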