IPFW logging brokeness?

From: Avleen Vig (lists-freebsd_at_silverwraith.com)
Date: 05/31/03

  • Next message: Jonathan M. Bresler: "Re: IPFW logging brokeness?"
    Date: Fri, 30 May 2003 15:22:55 -0700
    To: security@freebsd.org
    
    

    I don't think I'm trying to do anything amazing, but IPFW's logging
    features are giving me a real headache. I can't find much in the
    archives either, but I find it hard to believe others havne't found this
    too.

    My rule:
    add 100 allow log tcp from any to <my IP> <ports> limit src-addr 2

    I want connecting parties to be able to form no more than 2 connection.
    This works perfectly, jsut as I'd expect it to.
    Except for 'log'.

    This rule matches every packet that comes in to the given IP and ports,
    and as a result, one line is added to the security log per packet. There
    are a lot of packets.
    I tried, adding an "add 50 check-state", but that rule doesn't match
    (the log just carries on logging packets because they match 100), which
    is very odd.

    All I want is to have the first packet match of a connection match, like
    IPF's "log first" capability.

    Or, better yet, is there a way to format a rule or set of rules, to say
    "deny if established connections is greater than 2".
    Logging every one of these packets would be fine.

    Any suggestions?

    -- 
    Avleen Vig                   "Say no to cheese-eating surrender-monkeys"
    Systems Admin                "Fast, Good, Cheap. Pick any two."
    www.silverwraith.com         "Move BSD. For great justice!"
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    

  • Next message: Jonathan M. Bresler: "Re: IPFW logging brokeness?"