IPFW logging and dynamic rules
jmulkerin
jmulkerin at comcast.net
Wed Oct 5 06:32:03 PDT 2005
How about using snort and guardian. Guardian.pl will add an ipfw rule
each time it sees an alert from Snort. You'll need to adjust the snort
rules for what you want to alert on, but it's a pretty safe and
lightweight asset. (just my novice 2 cents...)
John
Alex de Kruijff wrote:
>On Thu, Sep 29, 2005 at 11:45:42AM -0400, Bob Johnson wrote:
>
>
>>In FreeBSD 5.4R, I tried an IPFW configuration that includes something
>>like this (plus a lot of other rules):
>>
>> check-state
>> deny tcp from any to any established
>> allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
>>+ other rules that use keep-state
>>
>>When I do this, _every_ ssh packet is logged, in both directions. To
>>get it to log ONLY the initial connection, I had to give up on using
>>dynamic rules for ssh and instead do something like:
>>
>> allow log tcp from any to ${my-ip} dst-port 22 setup
>> allow tcp from any to ${my-ip} dst-port 22 established
>> allow tcp from ${my-ip} 22 to any established
>> check-state
>> deny tcp from any to any established
>>+ other rules that use keep-state
>>
>>So now I have lost the per-host ssh limit rule I wanted to include,
>>and I am filtering packets on flags that can be spoofed
>>("established") rather than the actual dynamic state of the
>>connection. Am I wrong to believe there is an advantage to this?
>>
>>Is there some way to get the first version to log only the initial
>>packet while still retaining the dynamic limit src-addr rule?
>>
>>
>
>Yes you could use count instead of allow.
>
>check-state
>count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
>allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
>
>
>
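The following is an added example, not code from the thread or from FreeBSD: a small Python model of how check-state, setup, limit src-addr and log interact in the rulesets Bob and Alex discuss. It encodes only the behaviour the thread describes: a state created by a limit rule matches later packets of the connection in both directions at check-state, and the parent rule's action together with its log flag is then applied (which is why Bob's first ruleset logged every ssh packet); a new connection beyond N per source address is dropped. The address 192.0.2.1 stands in for ${my-ip}, the client addresses and ports are constructed, and the third ruleset is my own arrangement of Alex's "count instead of allow" idea (count log restricted to setup packets, state and limit kept on an unlogged allow rule), not his text. Real ipfw has far more detail than this model.

```python
"""Toy model of ipfw check-state / setup / limit / log interaction.

Added example, not from the mailing-list thread. Assumptions: a state
matches both directions at check-state and re-applies the parent rule's
action and log flag; a connection past 'limit src-addr N' is dropped.
"""
from dataclasses import dataclass

MY_IP = "192.0.2.1"  # constructed stand-in for ${my-ip}


@dataclass
class Rule:
    action: str               # "allow", "deny", "count" or "check-state"
    log: bool = False
    src: str = None           # None means "any"
    src_port: int = None
    dst: str = None
    dst_port: int = None
    setup: bool = False       # match only the first SYN (SYN set, ACK clear)
    established: bool = False # match packets carrying ACK
    limit: int = None         # "limit src-addr N": keep state, N per source


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = {}  # connection key -> (parent rule index, initiator)
        self.log = []     # (rule index, packet) for every logged packet

    @staticmethod
    def _key(p):
        # One dynamic rule covers both directions of a connection.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    @staticmethod
    def _matches(r, p):
        return ((r.src is None or p.src == r.src)
                and (r.src_port is None or p.sport == r.src_port)
                and (r.dst is None or p.dst == r.dst)
                and (r.dst_port is None or p.dport == r.dst_port)
                and (not r.setup or (p.syn and not p.ack))
                and (not r.established or p.ack))

    def process(self, p):
        """Evaluate one packet top to bottom; return "allow" or "deny"."""
        for i, r in enumerate(self.rules):
            if r.action == "check-state":
                hit = self.states.get(self._key(p))
                if hit is None:
                    continue
                parent = self.rules[hit[0]]
                if parent.log:            # parent's log flag fires again
                    self.log.append((hit[0], p))
                if parent.action != "count":
                    return parent.action
                continue
            if not self._matches(r, p):
                continue
            if r.limit is not None and self._key(p) not in self.states:
                open_from_src = sum(1 for idx, src in self.states.values()
                                    if idx == i and src == p.src)
                if open_from_src >= r.limit:
                    return "deny"         # over the limit: dropped (unlogged here)
                self.states[self._key(p)] = (i, p.src)
            if r.log:
                self.log.append((i, p))
            if r.action != "count":
                return r.action
        return "deny"                     # default rule at the end: deny


def ssh_connection(client, sport):
    """SYN, SYN/ACK, ACK and one data segment of one ssh session (constructed)."""
    return [Packet(client, sport, MY_IP, 22, syn=True),
            Packet(MY_IP, 22, client, sport, syn=True, ack=True),
            Packet(client, sport, MY_IP, 22, ack=True),
            Packet(client, sport, MY_IP, 22, ack=True)]


def run(rules, packets):
    """Return the per-packet verdicts and the number of packets logged."""
    fw = Firewall(rules)
    return [fw.process(p) for p in packets], len(fw.log)


SSH = dict(dst=MY_IP, dst_port=22)
# Bob's first ruleset: the logged rule is also the one that keeps state.
V1 = [Rule("check-state"), Rule("deny", established=True),
      Rule("allow", log=True, setup=True, limit=3, **SSH)]
# Bob's second ruleset: logs the setup packet only, but has no per-host limit.
V2 = [Rule("allow", log=True, setup=True, **SSH),
      Rule("allow", established=True, **SSH),
      Rule("allow", src=MY_IP, src_port=22, established=True),
      Rule("check-state"), Rule("deny", established=True)]
# My arrangement of Alex's "count instead of allow" idea (assumption, not his text):
# count log on the setup packet, state and limit on an unlogged allow rule.
V3 = [Rule("check-state"), Rule("deny", established=True),
      Rule("count", log=True, setup=True, **SSH),
      Rule("allow", setup=True, limit=3, **SSH)]

if __name__ == "__main__":
    traffic = [p for n in range(3) for p in ssh_connection("203.0.113.7", 40000 + n)]
    traffic += [Packet("203.0.113.7", 40003, MY_IP, 22, syn=True),   # 4th from same host
                Packet("198.51.100.9", 40000, MY_IP, 22, syn=True)]  # 1st from another
    for name, rules in ("V1", V1), ("V2", V2), ("V3", V3):
        verdicts, logged = run(rules, traffic)
        print(name, "denied:", verdicts.count("deny"), "logged:", logged)
```

Running the script on three full connections plus a fourth SYN from the same client and one from another client gives V1 one denial and 13 log entries (every packet of the three accepted connections), V2 no denials and 5 entries (one setup packet per connection, limit lost), and V3 one denial with 5 entries, which is the combination Bob asked for under this model.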