Re: FW: monitor ALL connections to ALL ports

From: Krzysztof Zaraska (
Date: 10/15/02

Date: Tue, 15 Oct 2002 17:57:14 +0200
From: Krzysztof Zaraska <>
To: Mike Hoskins <>, "Maildrop" <>

On Mon, 14 Oct 2002 14:58:50 -0700 (PDT)
Mike Hoskins <> wrote:

> > I put these rule in:
> > ipfw add count log all from any to any
> Is this rule before the other allow rules in your chain? Since the rule
> chain is parsed on a first-match basis, you'll either need this rule
> before all others or you'll need to add log entires to each of your
> other rules.

There's another problem I can see here: this setup will generate a log
entry on EVERY packet, what is clearly an overkill. I think it would be
more useful to log only opening of the connection; this can be
accomplished using for example a 'setup' keyword, e.g.:

# Allow access to our WWW
${fwcmd} add pass log tcp from any to ${oip} 80 setup

// Krzysztof Zaraska * kzaraska (at)
// Prelude IDS:
// A dream will always triumph over reality, once it is given the chance.
//		-- Stanislaw Lem
To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message