ipfw flooding in /var/log/ipfw.log

Sergey Zaharchenko doublef at tele-kom.ru
Mon Oct 25 20:45:26 PDT 2004


On Mon, Oct 25, 2004 at 05:48:00PM +0300,
 Nikos Vassiliadis probably wrote:
> On Monday 25 October 2004 16:46, Spades wrote:
> > error:
> >
> > # ipfw add 900 allow log all from any to any setup
> > ipfw: unknown argument ``setup''
> 
> setup is available only for TCP connections. So
> ipfw add allow log logamount 0 tcp from any to any setup
> would be the correct one. But this is hardly what
> you want to do, since it matches only the three-way
> handshake TCP does. The rest of the stream will
> be dropped if your last rule (65535) is the default one
> (deny ip from any to any)
> 
> This will log every TCP connection setup, and let the rest
> of the stream flow:
> allow log logamount 0 tcp from any to any setup
> allow tcp from any to any
> 
> BUT this is not a firewall setup. It's just a TCP connection
> logger. You should do a little reading about TCP/IP, in order
> to understand how to set up a firewall.
> 

From the start of this thread:
> I would like to monitor the connections (source IP + destination port)
> of all connections to my server, can I use ipfw?

I assumed that the OP was familiar with ipfw.

BTW, Spades: If you `allow' any packets before those rules, they will not
be matched by the rules suggested. In short, IPFW only processes a
packet until it matches an allow/deny rule, and then takes action and
stops processing. You should add the `log' keyword to any rule where you
allow (or deny) a connection.

If you use a `count log logamount 0 tcp from any to any setup' before
any other rules, you should be logging all the TCP connections while you
can later allow or deny in your ruleset. However, that wouldn't be too
informative, as it wouldn't say if the connection was accepted.

-- 
DoubleF
Alexander Graham Bell is alive and well in New York, and still waiting
for a dial tone.
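
An added example, not part of the original message: a small Python summarizer for /var/log/ipfw.log that reports source IP + destination port together with the verdict, showing why a `count log` entry alone leaves the outcome unknown unless the allow/deny rules also carry `log`. The log lines are constructed samples and their layout (`ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>`) is an assumption about the usual syslog format; the rule numbers, host name and interface are hypothetical.

```python
import re

# Constructed sample lines (assumed layout, hypothetical rule numbers/hosts).
# Rule 100 stands for a `count log ... setup` rule; 900 and 65000 stand for
# allow/deny rules that also carry the `log` keyword.
SAMPLE_LOG = """\
Oct 25 20:45:01 gw kernel: ipfw: 100 Count TCP 203.0.113.7:40112 192.0.2.10:22 in via em0
Oct 25 20:45:01 gw kernel: ipfw: 900 Accept TCP 203.0.113.7:40112 192.0.2.10:22 in via em0
Oct 25 20:45:09 gw kernel: ipfw: 100 Count TCP 198.51.100.23:51514 192.0.2.10:3306 in via em0
Oct 25 20:45:09 gw kernel: ipfw: 65000 Deny TCP 198.51.100.23:51514 192.0.2.10:3306 in via em0
Oct 25 20:45:15 gw kernel: ipfw: 100 Count TCP 203.0.113.7:40120 192.0.2.10:80 in via em0
Oct 25 20:45:20 gw last message repeated 2 times
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Count|Accept|Deny) (?P<proto>TCP|UDP) "
    r"(?P<src>[0-9.]+):(?P<sport>\d+) (?P<dst>[0-9.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def summarize(log_text):
    """Map (source IP, destination port) -> 'accept', 'deny' or 'unknown'.

    A Count entry only proves the packet was seen. The verdict stays
    'unknown' unless an Accept/Deny entry for the same pair was logged,
    which requires `log` on the terminating rule. If a pair appears in
    several connections, the last logged terminal verdict wins.
    """
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP" or m["dir"] != "in":
            continue  # skips non-ipfw lines such as syslog "repeated" notices
        key = (m["src"], int(m["dport"]))
        if m["action"] == "Count":
            verdicts.setdefault(key, "unknown")
        else:
            verdicts[key] = m["action"].lower()
    return verdicts


if __name__ == "__main__":
    for (src, dport), verdict in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} -> port {dport:<5} {verdict}")
```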