RE: FW: monitor ALL connections to ALL ports

From: Maildrop (maildrop@qwest.net)
Date: 10/15/02


Date: Tue, 15 Oct 2002 12:58:05 -0500
From: "Maildrop" <maildrop@qwest.net>
To: "Krzysztof Zaraska" <kzaraska@student.uci.agh.edu.pl>, "Mike Hoskins" <mike@adept.org>, "Maildrop" <maildrop@qwest.net>


Yep, this is exactly what I am looking for. All packets is a bit heavy on
my hard drive :P This only works with tcp though; is there anything to
watch udp packets (like the first packet from a host on a certain port)? I
know udp might be tougher, since it is stateless.

> -----Original Message-----
> From: Krzysztof Zaraska [mailto:kzaraska@student.uci.agh.edu.pl]
> Sent: Tuesday, October 15, 2002 10:57 AM
> To: Mike Hoskins; Maildrop
> Cc: freebsd-security@freebsd.org
> Subject: Re: FW: monitor ALL connections to ALL ports
>
>
> On Mon, 14 Oct 2002 14:58:50 -0700 (PDT)
> Mike Hoskins <mike@adept.org> wrote:
>
> > > I put these rule in:
> > > ipfw add count log all from any to any
> >
> > Is this rule before the other allow rules in your chain? Since the rule
> > chain is parsed on a first-match basis, you'll either need this rule
> > before all others or you'll need to add log entries to each of your
> > other rules.
>
> There's another problem I can see here: this setup will generate a log
> entry on EVERY packet, which is clearly overkill. I think it would be
> more useful to log only opening of the connection; this can be
> accomplished using for example a 'setup' keyword, e.g.:
>
> # Allow access to our WWW
> ${fwcmd} add pass log tcp from any to ${oip} 80 setup
>
>
> --
> // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
> // Prelude IDS: http://www.prelude-ids.org/
> // A dream will always triumph over reality, once it is given the chance.
> // -- Stanislaw Lem
>
>
>
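
The two mechanisms discussed in this thread side by side, as an added example that is not from either poster: the 'setup' keyword for TCP, and, for the UDP question above, keep-state/check-state so that only the first packet of each UDP flow reaches the logging rule. ${fwcmd} and ${oip} follow the naming in the quoted message; the address is a constructed placeholder, and the block assumes ipfw2 dynamic-rule semantics (a packet matched at check-state jumps to the parent rule's action, skipping its log opcode).

```shell
#!/bin/sh
# Added example (not from the thread): an rc.firewall-style fragment that logs
# one line per new flow instead of one line per packet, which is what
# "count log all from any to any" does.  Assumes ipfw2 semantics: a packet
# matched by a dynamic rule at check-state jumps straight to the parent rule's
# action, so the parent's 'log' is not evaluated again for that flow.
# Logging to syslog also needs sysctl net.inet.ip.fw.verbose=1.
# Defaults to a dry run (prints the rules); set fwcmd=/sbin/ipfw to load them.
fwcmd="${fwcmd:-echo /sbin/ipfw}"
oip="${oip:-192.0.2.1}"          # our address (constructed, documentation range)

log_new_flows() {
    # Dynamic-rule lookup first, so packets of an already-seen flow are
    # handled here and never reach the logging rules below.
    ${fwcmd} add 100 check-state

    # Monitoring only ('count' does not terminate rule processing): 'setup'
    # matches SYN-without-ACK, giving one log line per TCP connection attempt
    # to any port, in either direction.
    ${fwcmd} add 200 count log tcp from any to any setup

    # UDP has no handshake, so log at the policy rule and keep state: the
    # first packet of a src/dst/port tuple is logged and creates a dynamic
    # rule; the reply and later packets match at check-state and are not
    # logged again.
    ${fwcmd} add 300 allow log udp from any to ${oip} 53 keep-state

    # Existing policy rules go here.  A logged deny at the end would again
    # log every unwanted packet, so cap it with logamount.
    ${fwcmd} add 65000 deny log logamount 100 ip from any to any
}

log_new_flows
```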

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
