IPFW logging brokeness?

From: Avleen Vig (lists-freebsd_at_silverwraith.com)
Date: 05/31/03

    Date: Fri, 30 May 2003 15:22:55 -0700
    To: security@freebsd.org
    
    

    I don't think I'm trying to do anything amazing, but IPFW's logging
    features are giving me a real headache. I can't find much in the
    archives either, but I find it hard to believe others haven't found this
    too.

    My rule:
    add 100 allow log tcp from any to <my IP> <ports> limit src-addr 2

    I want connecting parties to be able to form no more than 2 connections.
    This works perfectly, just as I'd expect it to.
    Except for 'log'.

    This rule matches every packet that comes in to the given IP and ports,
    and as a result, one line is added to the security log per packet. There
    are a lot of packets.
    I tried adding an "add 50 check-state", but that rule doesn't match
    (the log just carries on logging packets because they match 100), which
    is very odd.

    All I want is to have the first packet of a connection match, like
    IPF's "log first" capability.

    Or, better yet, is there a way to format a rule or set of rules, to say
    "deny if the number of established connections is greater than 2"?
    Logging every one of these packets would be fine.

    Any suggestions?

    -- 
    Avleen Vig                   "Say no to cheese-eating surrender-monkeys"
    Systems Admin                "Fast, Good, Cheap. Pick any two."
    www.silverwraith.com         "Move BSD. For great justice!"
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    
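As an added illustration (not part of the post, and not ipfw's own code) of the behaviour asked for above: a model of a per-source connection limit of 2 that allows established flows without logging, drops the third concurrent SYN from one source, and writes one log line per connection decision rather than per packet. The packet dicts, the state table and the FIN/RST teardown are constructed simplifications of ipfw's dynamic rules.

```python
"""Model of 'allow log ... limit src-addr 2' with 'log first' semantics.
Constructed illustration only; not ipfw's real dynamic-rule engine."""
from collections import defaultdict


class LimitRule:
    def __init__(self, limit=2):
        self.limit = limit                 # limit src-addr 2
        self.dynamic = set()               # live (src, sport, dst, dport) flows
        self.per_src = defaultdict(int)    # open flows per source address
        self.log = []                      # one entry per decision, not per packet

    def handle(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.dynamic:
            # Packet belongs to an existing flow: allow silently (check-state).
            if pkt.get("fin") or pkt.get("rst"):
                self.dynamic.discard(key)
                self.per_src[pkt["src"]] -= 1
            return "allow"
        if not pkt.get("syn"):
            return "deny"                  # no state and not a connection start
        if self.per_src[pkt["src"]] >= self.limit:
            self.log.append(f"deny {key} (limit {self.limit} reached)")
            return "deny"
        self.dynamic.add(key)
        self.per_src[pkt["src"]] += 1
        self.log.append(f"allow {key} (new connection)")
        return "allow"


def run_sample():
    """Feed constructed traffic: host A tries 3 connections, host B 1."""
    rule = LimitRule(limit=2)
    pkts = [
        dict(src="A", sport=1000, dst="S", dport=22, syn=True),
        dict(src="A", sport=1000, dst="S", dport=22),            # data, same flow
        dict(src="A", sport=1001, dst="S", dport=22, syn=True),
        dict(src="A", sport=1002, dst="S", dport=22, syn=True),  # over the limit
        dict(src="B", sport=2000, dst="S", dport=22, syn=True),  # other source
        dict(src="A", sport=1000, dst="S", dport=22, fin=True),  # closes flow 1
        dict(src="A", sport=1002, dst="S", dport=22, syn=True),  # now fits
    ]
    return [rule.handle(p) for p in pkts], rule.log


if __name__ == "__main__":
    decisions, log = run_sample()
    print(decisions)
    print("\n".join(log))
```

Seven packets produce five log lines (four accepted connections and one refusal) instead of seven, which is the difference between the per-packet logging in the post and the per-connection logging it asks for.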
