IPFW logging brokeness?

From: Avleen Vig (lists-freebsd_at_silverwraith.com)
Date: 05/31/03

  • Next message: Jonathan M. Bresler: "Re: IPFW logging brokeness?"
    Date: Fri, 30 May 2003 15:22:55 -0700
    To: security@freebsd.org
    I don't think I'm trying to do anything amazing, but IPFW's logging
    features are giving me a real headache. I can't find much in the
    archives either, but I find it hard to believe others haven't found this
    too.

    My rule:
    add 100 allow log tcp from any to <my IP> <ports> limit src-addr 2

    I want connecting parties to be able to form no more than 2 connections.
    This works perfectly, just as I'd expect it to.
    Except for 'log'.

    This rule matches every packet that comes in to the given IP and ports,
    and as a result, one line is added to the security log per packet. There
    are a lot of packets.
    I tried, adding an "add 50 check-state", but that rule doesn't match
    (the log just carries on logging packets because they match 100), which
    is very odd.

    All I want is for only the first packet of a connection to match, like
    IPF's "log first" capability.

    Or, better yet, is there a way to format a rule or set of rules, to say
    "deny if established connections are greater than 2"?
    Logging every one of these packets would be fine.

    Any suggestions?

    -- 
    Avleen Vig                   "Say no to cheese-eating surrender-monkeys"
    Systems Admin                "Fast, Good, Cheap. Pick any two."
    www.silverwraith.com         "Move BSD. For great justice!"
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
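
One way to get the "log only the first packet of a connection" behaviour the post asks for, added here as an example and not taken from the post or any reply: split the single rule into a stateless logging rule that matches only TCP setup packets and a separate stateful rule that enforces the per-source limit. The address 192.0.2.10 and the ports 22,80 are constructed placeholders standing in for the post's <my IP> <ports>.

```conf
# Added example (not from the post): ipfw rules file in the form read by
# "ipfw -q /path/to/this/file".  192.0.2.10 and ports 22,80 are constructed
# placeholders for the post's <my IP> <ports>.

# Packets of a connection already tracked by a dynamic rule are accepted
# here, before any rule that carries "log", so the body of an established
# connection never reaches a logging rule.
add 50 check-state

# Log only TCP setup packets (SYN without ACK), i.e. the first packet of
# each new connection.  "count" records the match and falls through to the
# next rule, so this rule neither accepts nor denies anything by itself.
add 100 count log tcp from any to 192.0.2.10 22,80 setup

# Stateful rule with the per-source limit: a source may hold at most two
# open connections to these ports; further setup packets from that source
# are refused by this rule.  It carries no "log", so the dynamic rules it
# creates do not log either.
add 110 allow tcp from any to 192.0.2.10 22,80 setup limit src-addr 2

# Everything else continues through the rest of the ruleset.
```

Rule 100 fires once per new connection attempt, including attempts that rule 110 then refuses, which is close to the "deny if established connections are greater than 2, and log it" the post asks for. If even that volume is too much, the `logamount N` option on the logging rule (or the global sysctl `net.inet.ip.fw.verbose_limit`) caps the number of log lines a rule emits until `ipfw resetlog` is run.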