Re: IPFW logging brokeness?

From: Jonathan M. Bresler (jmb_at_bresler.org)
Date: 05/31/03

    Date: Fri, 30 May 2003 19:20:26 -0400 (EDT)
    To: Avleen Vig <lists-freebsd@silverwraith.com>

    you need to add "keep-state" to rule 100. this will populate the
    state table so that the "check-state" rule will have a populated table to
    check against.

    try

    add 100 allow log tcp from any to <my IP> <ports> keep-state limit src-addr 2

    jmb

    On Fri, 30 May 2003, Avleen Vig wrote:

    > I don't think I'm trying to do anything amazing, but IPFW's logging
    > features are giving me a real headache. I can't find much in the
    > archives either, but I find it hard to believe others haven't found this
    > too.
    >
    > My rule:
    > add 100 allow log tcp from any to <my IP> <ports> limit src-addr 2
    >
    > I want connecting parties to be able to form no more than 2 connections.
    > This works perfectly, just as I'd expect it to.
    > Except for 'log'.
    >
    > This rule matches every packet that comes in to the given IP and ports,
    > and as a result, one line is added to the security log per packet. There
    > are a lot of packets.
    > I tried, adding an "add 50 check-state", but that rule doesn't match
    > (the log just carries on logging packets because they match 100), which
    > is very odd.
    >
    > All I want is to have the first packet of a connection match, like
    > IPF's "log first" capability.
    >
    > Or, better yet, is there a way to format a rule or set of rules, to say
    > "deny if established connections is greater than 2".
    > Logging every one of these packets would be fine.
    >
    > Any suggestions?
    >
    > --
    > Avleen Vig "Say no to cheese-eating surrender-monkeys"
    > Systems Admin "Fast, Good, Cheap. Pick any two."
    > www.silverwraith.com "Move BSD. For great justice!"
    > _______________________________________________
    > freebsd-security@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    >

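    An added toy model of the ruleset discussed above (not code from the thread or from ipfw itself): it shows why a static rule carrying "log" writes one line per packet, and how a check-state rule ahead of it leaves only the first packet of each flow to reach rule 100. The semantics are simplified as described in the comments, and the addresses and packets are constructed.

```python
# Toy model of ipfw static rules, the dynamic state table and "log".
# Simplification: a packet that hits a dynamic entry via check-state takes
# the parent rule's action (allow) and is not logged; every packet that
# reaches the static rule 100 is logged; reply traffic is not modelled.
from collections import defaultdict

MY_IP, PORTS = "192.0.2.10", {22, 80}      # constructed sample values

def flow_key(pkt):
    # Dynamic rules are keyed on the flow tuple (inbound direction only here)
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

def run(packets, check_state_first, limit=2):
    """Return (allowed, denied, log_lines) for this constructed ruleset:
        add 50 check-state                               (only if check_state_first)
        add 100 allow log tcp from any to MY_IP PORTS keep-state limit src-addr <limit>
        add 65535 deny ip from any to any
    """
    state = set()                   # dynamic entries created by rule 100
    per_src = defaultdict(int)      # flows counted per src-addr for "limit"
    allowed = denied = 0
    log_lines = []
    for pkt in packets:
        key = flow_key(pkt)
        # rule 50: an existing dynamic entry matches -> allow, nothing logged
        if check_state_first and key in state:
            allowed += 1
            continue
        # rule 100: static match on destination and port
        if pkt["dst"] == MY_IP and pkt["dport"] in PORTS:
            if key not in state:
                if per_src[pkt["src"]] >= limit:    # limit src-addr N reached
                    denied += 1
                    continue
                state.add(key)
                per_src[pkt["src"]] += 1
            log_lines.append(f"ipfw: 100 Accept TCP {pkt['src']}:{pkt['sport']} "
                             f"{pkt['dst']}:{pkt['dport']} in")
            allowed += 1
            continue
        denied += 1                 # default rule 65535
    return allowed, denied, log_lines

def sample_packets():
    # Constructed traffic: flow A (3 pkts), flow B (2 pkts), a third flow from
    # the same source that exceeds limit 2, and one packet to a closed port.
    def pkt(src, sport, dport): return {"src": src, "sport": sport, "dst": MY_IP, "dport": dport}
    a, b, c = [pkt("198.51.100.5", p, 22) for p in (40000, 40001, 40002)]
    return [a, a, a, b, b, c, pkt("203.0.113.9", 5000, 25)]
```

Run without check-state and the log holds one line per packet of flows A and B; with check-state first it holds one line per flow, while the allow/deny counts are unchanged.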