Date: Fri, 16 Apr 2004 12:51:31 -0500 From: Ben Beuchler <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Identifying traffic logged by ipfw
I'm working on a new bridging firewall using ipfw on FBSD 5.1. The goal is to default to closed with a few exceptions. To test my ruleset, I end with this rule:
add 420 allow log ip from any to any
The idea is that by watching the logs I could see what protocols I forgot to create rules for. This is what I'm getting in the logs:
Apr 16 16:43:40 bfw kernel: ipfw: 420 Accept MAC in via em2
I'm guessing this means it's matching non-ip traffic, but I couldn't find any info to confirm this. Is there any sort of trick I could use to log the entire packet? Since nothing about the source or destination was logged, I don't have enough info to create a tcpdump filter. Perhaps some sort of divert rule?
I don't know about FreeBSD 5.1, but on -CURRENT I use the following patch for /sys/netinet/ip_fw2.c :
--- ip_fw2.c.orig Fri Dec 26 15:21:46 2003 +++ ip_fw2.c Sun Jan 25 22:45:45 2004 @@ -577,6 +577,16 @@
if (hlen == 0) { /* non-ip */ snprintf(SNPARGS(proto, 0), "MAC"); + if (eh != NULL) + snprintf(SNPARGS(proto, 3), + " %02x:%02x:%02x:%02x:%02x:%02x %02x:%02x:%02x:%02x:%02x:%02x 0x%04x", + eh->ether_dhost[0], eh->ether_dhost[1], + eh->ether_dhost[2], eh->ether_dhost[3], + eh->ether_dhost[4], eh->ether_dhost[5], + eh->ether_shost[0], eh->ether_shost[1], + eh->ether_shost[2], eh->ether_shost[3], + eh->ether_shost[4], eh->ether_shost[5], + ntohs(eh->ether_type)); } else { struct ip *ip = mtod(m, struct ip *); /* these three are all aliases to the same thing */
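Review bot: the added snprintf writes at offset 3 of proto and appends 43 characters (a space, two 17-character MAC addresses separated by a space, a space and "0x%04x"), so proto needs at least 47 bytes including the terminating NUL; the hunk does not show the buffer's declaration, so please confirm its size, because if it is smaller the ethertype at the end is the first thing silently truncated. The eh != NULL guard is right to keep, since the code evidently allows eh to be NULL on this path. It would also be worth a line in ipfw(8) saying that "MAC" log entries now carry destination MAC, source MAC and ethertype, and a caveat for readers of the logs that an ethertype of 0x8100 is an 802.1Q tag, so the payload type behind it is not in the log line.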
Thanks!
-Ben
-- Ben Beuchler There is no spoon. [EMAIL PROTECTED] -- The Matrix
-- Dancho Penev
GnuPG public key: http://www.mnet.bg/~dpenev/gnupg.key Key fingerprint: E88D 8B7B 3EF6 E9C8 C5D2 7554 2AA8 C347 71A1 4277
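To put the extra fields the patch logs to use, here is an added example (not from the thread and not FreeBSD code): a small Python parser for ipfw "MAC" log lines, both the stock format Ben saw and the extended one the patch produces, that names the frame kind and builds the tcpdump filter Ben was asking for. The sample log lines and MAC addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the stock format, lines 2-3 the patched format.
SAMPLE_LOG = """\
Apr 16 16:43:40 bfw kernel: ipfw: 420 Accept MAC in via em2
Apr 16 16:43:41 bfw kernel: ipfw: 420 Accept MAC ff:ff:ff:ff:ff:ff 00:11:22:33:44:55 0x0806 in via em2
Apr 16 16:43:42 bfw kernel: ipfw: 420 Accept MAC 01:80:c2:00:00:00 00:11:22:33:44:66 0x0026 in via em2
"""

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8100: "802.1Q VLAN", 0x86dd: "IPv6"}
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) MAC"
    r"(?: (?P<dst>" + MAC + r") (?P<src>" + MAC + r") 0x(?P<etype>[0-9a-f]{4}))?"
    r" (?P<dir>in|out) via (?P<iface>\S+)$")

def parse_line(line):
    """Return a dict for one ipfw 'MAC' log line, or None if the line is something else."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["etype"] is not None:                 # absent on a stock kernel
        rec["etype"] = int(rec["etype"], 16)
    return rec

def classify(rec):
    """Name the frame kind; values <= 0x05dc are 802.3 lengths (LLC frames such as STP)."""
    et = rec["etype"]
    if et is None:
        return "unknown (stock log format carries no ethertype)"
    if et <= 0x05DC:
        return "802.3 length/LLC frame"
    return ETHERTYPES.get(et, "ethertype 0x%04x" % et)

def tcpdump_filter(rec):
    """Capture filter that isolates the logged frame kind so it can be inspected in full."""
    if rec["etype"] is None:
        return "not ip"                          # all a stock log line lets you say
    if rec["etype"] <= 0x05DC:
        return "ether[12:2] <= 0x05dc"
    return "ether proto 0x%04x" % rec["etype"]

def summarize(log_text):
    """Count (interface, direction, frame kind) over a log excerpt."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return Counter((r["iface"], r["dir"], classify(r)) for r in recs)
```

Feed it the output of `grep 'ipfw: 420' /var/log/security` and the counts tell you which non-IP protocols still need their own rules before the catch-all is removed.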