IPFW logging brokeness?

From: Avleen Vig (lists-freebsd_at_silverwraith.com)
Date: 05/31/03

    Date: Fri, 30 May 2003 15:22:55 -0700
    To: security@freebsd.org

    I don't think I'm trying to do anything amazing, but IPFW's logging
    features are giving me a real headache. I can't find much in the
    archives either, but I find it hard to believe others haven't found this

    My rule:
    add 100 allow log tcp from any to <my IP> <ports> limit src-addr 2

    I want connecting parties to be able to form no more than 2 connections.
    This works perfectly, just as I'd expect it to.
    Except for 'log'.

    This rule matches every packet that comes in to the given IP and ports,
    and as a result, one line is added to the security log per packet. There
    are a lot of packets.
    I tried adding an "add 50 check-state", but that rule doesn't match
    (the log just carries on logging packets because they match 100), which
    is very odd.

    All I want is to have the first packet match of a connection match, like
    IPF's "log first" capability.

    Or, better yet, is there a way to format a rule or set of rules, to say
    "deny if established connections are greater than 2".
    Logging every one of these packets would be fine.

    Any suggestions?

    Avleen Vig                   "Say no to cheese-eating surrender-monkeys"
    Systems Admin                "Fast, Good, Cheap. Pick any two."
    www.silverwraith.com         "Move BSD. For great justice!"
    freebsd-security@freebsd.org mailing list
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
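The complaint above is that a `log` rule combined with `limit src-addr 2` writes one syslog line per packet rather than one per connection. Since the firewall itself offers no "log first" here, one defender-side option is to collapse the log after the fact. The script below is an added example, not code from the original post or from FreeBSD: it assumes the ipfw(8) syslog line body has the form `ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>`, treats each distinct proto/src/sport/dst/dport tuple as one connection, keeps only the first line per connection, and then counts connections per source so the result can be compared against the intended limit of 2. The log lines are constructed sample data.

```python
"""Collapse per-packet ipfw log lines into one record per connection.

Added example (not from the original post). Assumed log format:
  'ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>'
"""
import re
from collections import Counter, OrderedDict

# Matches the assumed ipfw syslog line body anywhere in a syslog line.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_line(line):
    """Return the parsed fields of one ipfw log line, or None if it is not an ipfw line."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["rule"] = int(fields["rule"])
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def first_packet_per_connection(lines):
    """Keep only the first log line of each connection (a post-hoc 'log first' view).

    Returns an ordered mapping: (proto, src, sport, dst, dport) -> [first_fields, packet_count].
    """
    seen = OrderedDict()
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue  # non-ipfw syslog lines are ignored
        key = (f["proto"], f["src"], f["sport"], f["dst"], f["dport"])
        if key in seen:
            seen[key][1] += 1  # repeat packet of a known connection: count, don't re-log
        else:
            seen[key] = [f, 1]
    return seen


def connections_per_source(conns):
    """Distinct connections per source address, the quantity 'limit src-addr N' caps."""
    return Counter(key[1] for key in conns)


def sources_over_limit(conns, limit):
    """Source addresses that hold more connections than `limit` allows."""
    return sorted(src for src, n in connections_per_source(conns).items() if n > limit)


# Constructed sample log: 10.1.1.1 opens three connections (one of them seen three times),
# 10.2.2.2 opens one, plus an unrelated syslog line that must be skipped.
SAMPLE_LOG = [
    "May 30 15:22:55 host kernel: ipfw: 100 Accept TCP 10.1.1.1:40001 192.0.2.10:80 in via fxp0",
    "May 30 15:22:55 host kernel: ipfw: 100 Accept TCP 10.1.1.1:40001 192.0.2.10:80 in via fxp0",
    "May 30 15:22:56 host kernel: ipfw: 100 Accept TCP 10.1.1.1:40002 192.0.2.10:80 in via fxp0",
    "May 30 15:22:56 host kernel: ipfw: 100 Accept TCP 10.1.1.1:40001 192.0.2.10:80 in via fxp0",
    "May 30 15:22:57 host kernel: ipfw: 100 Accept TCP 10.2.2.2:51000 192.0.2.10:80 in via fxp0",
    "May 30 15:22:57 host kernel: ipfw: 100 Accept TCP 10.1.1.1:40003 192.0.2.10:80 in via fxp0",
    "May 30 15:22:58 host sshd[123]: unrelated line",
]

if __name__ == "__main__":
    conns = first_packet_per_connection(SAMPLE_LOG)
    for (proto, src, sport, dst, dport), (_, count) in conns.items():
        print("%s %s:%d -> %s:%d  packets=%d" % (proto, src, sport, dst, dport, count))
    print("sources over limit 2:", sources_over_limit(conns, 2))
```

Run it against `/var/log/security` (or wherever ipfw lines are directed) instead of `SAMPLE_LOG` to get the one-line-per-connection view the post asks for; the per-source counts also make it easy to see whether the `limit src-addr 2` rule is holding at the expected ceiling.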
