On Fri, Aug 16, 2002 at 12:17:24AM -0500, taproot420 wrote:
> pass in quick on xl1 proto udp from 12.242.18.34/32 port = 67 to any
> port = 68 keep state
>
> is not present, my connection to the ISP gets dropped. If the latter
> happens, and I have watched this, the client will then talk to
> 12.242.18.34, without broadcast, and get a new IP. If the rule above is
> present the IP renews and stays the same. I have had the same IP for
> days now with the rule.
Why don't you run,
# tcpdump -w /tmp/dhcp.pcap 'port 68' &
sometime before your machine is set to renew, and check out exactly what
is happening? But again, I'll tell you what to expect: the client
should go ask the server for a renew and the server should respond.
> >Not sure what you mean here. Yes, you won't see a difference between a
> >"drop" or half-open scan versus a regular "connect" scan, but in
> >either case, you will see the scan (that initial SYN).
>
> I was told that if, for example, I had "block in quick on sis1 proto
> tcp port = 21" and someone tried to telnet to my IP, Snort would not
> pick this up because the filter dropped it. You're saying this is not the
> case, so if I have "block in on sis1 all" I can still see all the
> attempts, scans, etc. that are thrown at me?
Yes. Like I said, bpf(4) comes before ipf(8). Have you ever used
tcpdump(8) to watch packets come in that get blocked by the firewall?
If tcpdump(8) can see 'em, snort will see 'em. I have a NIDS box
that's been running for... oh, a year and a half now, with the
following rules,
# $Id: ipf.rules,v 1.1 2001/03/26 22:08:28 root Exp $
#
# ipf.rules - cclark, 2001/03/26
#
# blossom needs more protection outside of the
# firewall
# Deny everything unless we pass it
block in all
block out all
# Protect loopback spoofing
pass in quick on lo0 all
pass out quick on lo0 all
block in log quick from 127.0.0.1/8 to any
block in log quick from any to 127.0.0.1
# Outgoing- allow everything, keep state when possible
pass out quick proto tcp/udp all keep state keep frags
pass out quick proto icmp all keep state keep frags
pass out quick all
# Incoming- allow only SSH, log everything else
pass in quick proto tcp from aaa.bbb.ccc.ddd to any port = 22
block in log quick all
#End
It runs Snort and SHADOW. It is not a bridge, but rather sits
listening to the wire between the border router and firewall (it's not
such a hot idea to run snort on the firewall), and it only has one
interface. Both Snort and SHADOW see everything, since both read the
packets from bpf(4), despite the 'block in log quick' rule.
--
Crist J. Clark
http://people.freebsd.org/~cjc/
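An added worked example, not part of the thread above: what the capture suggested earlier (tcpdump writing /tmp/dhcp.pcap) should contain when a renewal goes as expected, and a check for which of those packets the inbound ipf rule quoted at the top ("pass in quick on xl1 proto udp from 12.242.18.34/32 port = 67 to any port = 68") actually matches. The server address is the one from the thread; the client address 198.51.100.23, the MAC addresses, the xid values and the timestamps are constructed placeholders. The code builds three frames into a classic pcap file in memory (a unicast DHCPREQUEST at T1, the server's unicast DHCPACK back to port 68, and a broadcast DHCPREQUEST of the kind sent at T2, per RFC 2131 section 4.4.5), then parses them back out with a minimal Ethernet/IPv4/UDP/BOOTP decoder written here for the example.

```python
import struct

# Server is the one named in the thread; the client address is an assumed RFC 5737 placeholder.
SERVER = "12.242.18.34"
CLIENT = "198.51.100.23"
MSG_TYPE = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
            5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def ip2b(addr):
    return bytes(int(x) for x in addr.split("."))

def b2ip(raw):
    return ".".join(str(x) for x in raw)

def build_dhcp(op, msg_type, ciaddr, yiaddr, xid=0x3903F326, server_id=None):
    """Fixed BOOTP header (RFC 2131 s2) followed by the magic cookie and options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, 0, xid, 0, 0,
                      ip2b(ciaddr), ip2b(yiaddr), b"\0" * 4, b"\0" * 4,
                      bytes.fromhex("00a0c9112233") + b"\0" * 10,   # chaddr, padded (assumed MAC)
                      b"\0" * 64, b"\0" * 128)
    opts = b"\x63\x82\x53\x63" + bytes([53, 1, msg_type])         # option 53: message type
    if server_id:
        opts += bytes([54, 4]) + ip2b(server_id)                   # option 54: server identifier
    return hdr + opts + b"\xff"

def build_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/UDP around a DHCP payload; checksums left zero, the parser does not verify them."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip2b(src), ip2b(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("00a0c9112233") + b"\x08\x00"
    return eth + ip + udp

def write_pcap(frames):
    """Classic pcap: 24-byte global header (linktype 1 = Ethernet), 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1029456000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield raw frames from little-endian classic pcap bytes (what tcpdump -w writes on x86)."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + caplen]
        off += caplen

def parse_dhcp_frame(frame):
    """Return the fields that matter for a renewal, or None if not DHCP over IPv4/UDP."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 17:                                   # not UDP
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if 67 not in (sport, dport) and 68 not in (sport, dport):
        return None
    dhcp = udp[8:ulen]
    xid, = struct.unpack("!I", dhcp[4:8])
    flags, = struct.unpack("!H", dhcp[10:12])
    opts, i, mtype = dhcp[240:], 0, None              # options follow the magic cookie
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:                              # pad option
            i += 1
            continue
        if opts[i] == 53:
            mtype = opts[i + 2]
        i += 2 + opts[i + 1]
    dst = b2ip(ip[16:20])
    return {"src": b2ip(ip[12:16]), "dst": dst, "sport": sport, "dport": dport,
            "xid": xid, "type": MSG_TYPE.get(mtype, "?"),
            "ciaddr": b2ip(dhcp[12:16]), "yiaddr": b2ip(dhcp[16:20]),
            "broadcast": dst == "255.255.255.255" or bool(flags & 0x8000)}

def dhcp_packets(pcap_bytes):
    return [p for p in map(parse_dhcp_frame, read_pcap(pcap_bytes)) if p]

def matches_inbound_rule(pkt, server=SERVER):
    """The posted rule: pass in ... proto udp from <server> port = 67 to any port = 68."""
    return pkt["src"] == server and pkt["sport"] == 67 and pkt["dport"] == 68

def sample_renewal_pcap():
    """Constructed: unicast REQUEST at T1 (RFC 2131 s4.4.5), unicast ACK, broadcast REQUEST at T2."""
    t1 = build_frame(CLIENT, SERVER, 68, 67, build_dhcp(1, 3, CLIENT, "0.0.0.0"))
    ack = build_frame(SERVER, CLIENT, 67, 68,
                      build_dhcp(2, 5, CLIENT, CLIENT, server_id=SERVER))
    t2 = build_frame(CLIENT, "255.255.255.255", 68, 67,
                     build_dhcp(1, 3, CLIENT, "0.0.0.0", xid=0x3903F327))
    return write_pcap([t1, ack, t2])

if __name__ == "__main__":
    for p in dhcp_packets(sample_renewal_pcap()):
        print(p["type"], p["src"], "->", p["dst"], "broadcast" if p["broadcast"] else "unicast",
              "ciaddr=" + p["ciaddr"], "passed by inbound rule:", matches_inbound_rule(p))
```

Only the server's unicast ACK (67 -> 68, from 12.242.18.34) satisfies the rule; the client's own REQUESTs are outbound and never touch it. To look at a real capture, feed `open("/tmp/dhcp.pcap", "rb").read()` to `dhcp_packets` instead of the constructed sample; the reader above handles only the little-endian classic format on an Ethernet link, not pcapng or the nanosecond-timestamp magic.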