I have to say - Simon, along with Charles, posted on the list about a week ago and this is how I set mine up last week. I did pretty much the same thing Simon posted, except I took the v (Verbosely log activity to syslog) out of the OPTIONS=" and I disabled logging on port 80 - my ramdisk was pushing 98% capacity in a matter of a few hours!

#1 Seems LaBrea is working just fine, too good actually because it is
drawing in some active port scanning as well, just increases after they
realized something (LaBrea) answered them back. (could just change
and tcp[2:2] & 0xfc00 == 0 in /etc/LaBrea.bpf to read
tcp dst port 80 or 21) however I think I would rather just keep it the
way it is.

#2 It would work even better - say that when any IP that gets teergrubed
LaBrea (or some other package?) could run a small script to stop logging
anything else to do with that IP..

Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 80.13.85.237 4427 -> 24.118.176.41 21

preferably I would not want this to show up in the log after the
previous msg;

Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67)
Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67)
Feb 27 05:44:20 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16508 F=0x4000 T=25 (#67)
Feb 27 05:44:26 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16875 F=0x4000 T=25 (#67)

On Wed, 27 Feb 2002 11:14:28 -0500

Now with the changes I made, and uptime is over three days;

Uptime: 12:46:30 up 3 Days (94h), load average: 0.16 0.03 0.01

my ramdisk is fine;

/dev/ram1 4049 359 3690 9% /var/log

That I can live with.

Thanks again to all your help!

Steve

"Simon Bolduc" <[EMAIL PROTECTED]> wrote:

> This is from the mailing list (modified slightly) - it is a little script
> that greps your external IP and reconfigures LaBrea on an IP change:
>
> 1. Create /etc/LaBrea.in have it contain the following:
>
>     dst host <IPADDR>
>     and tcp[2:2] & 0xfc00 == 0
>     and not dst port (port # of any services you run that use ports below
>     1024 like ssh or ftp or www)
>
> 2. Create /etc/LaBrea.scr it should contain the following:
>
>     #!/bin/sh
>
>     IPADDR=`ip addr list label eth0 | grep inet | \
>     sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`
>
>     sed "s/<IPADDR>/$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf
>
> 3. Allow LaBrea.scr to be executable:
>
>     chmod 744 /etc/LaBrea.scr
>
> 4. Edit the dhclient-exit-hooks with the following changes:
>
>     # Reload networking to see new address
>     reload_all
>
> Add a few lines so you have
>
>     # Reload networking to see new address
>     reload_all
>     /etc/LaBrea.scr
>     svi LaBrea stop
>     svi LaBrea start
>
> 5. Back up dhclient and LaBrea - all done :)
>
> Just so you know the filter will block all ports below 1024 (which are the
> ports that are normally denied automatically by Dachstein), make sure you
> aren't running any services on those ports - or alter the bpf accordingly.
> If you only have one IP address like I do here are the options that I use to
> make sure my box doesn't proactively look for unused IPs (contained in the
> LaBrea startup script):
>
>     OPTIONS="-i eth0 -l -v -p 80000 -z -x -F /etc/LaBrea.bpf"
>
> Also everything is case sensitive in Linux - thus labrea and LaBrea are two
> totally different words to the OS - so make sure you are typing things
> correctly. You may just want to cut and paste.
>
> HTH
> S
>
> >From: "Craig Caughlin" <[EMAIL PROTECTED]>
> >To: "LEAF" <[EMAIL PROTECTED]>
> >Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses?
> >Date: Wed, 27 Feb 2002 07:33:33 -0800
> >
> >Hi folks,
> >I'm confused (what else is new :-) ). Will LaBrea work with the "default"
> >Dachstein CD (which acts as both a DHCP client & Server)? or would I need
> >to change DCD for static addresses? I have my generic, Dachstein CD working
> >O.K., and would like to incorporate LaBrea...but I can't seem to figure out
> >if it will work with the default DCD. Thank you, have a great day!
> >
> >Craig
> >
> >_______________________________________________
> >Leaf-user mailing list
> >[EMAIL PROTECTED]
> >https://lists.sourceforge.net/lists/listinfo/leaf-user
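
Added example, not part of the thread and not LaBrea's own code: a post-filter for the wish in #2 above. It reads syslog text in the format quoted in this message and drops kernel "Packet log" lines for a source IP once LaBrea has logged that IP as teergrubed; it filters a log stream and does not change what the kernel or syslogd writes. The function names and the sample lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: suppress kernel DENY lines for IPs LaBrea already teergrubed.

# filter_teergrubed: reads syslog lines on stdin, writes the reduced log on stdout.
filter_teergrubed() {
    awk '
    /LaBrea: Teergrubing: / {
        # The token after "Teergrubing:" is the source IP being tarpitted.
        for (i = 1; i < NF; i++)
            if ($i == "Teergrubing:") { seen[$(i + 1)] = 1; break }
        print
        next
    }
    /kernel: Packet log: / {
        # The ip:port token after PROTO=n is the packet source.
        src = ""
        for (i = 1; i < NF; i++)
            if ($i ~ /^PROTO=/) { split($(i + 1), a, ":"); src = a[1]; break }
        # Drop the line only if LaBrea has already reported this source.
        if (src in seen) next
    }
    { print }
    '
}

# sample_log: constructed input in the format shown in the message above.
sample_log() {
    cat <<'EOF'
Feb 27 05:44:10 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4427 198.51.100.5:21 L=40 S=0x00 I=15880 F=0x4000 T=25 (#67)
Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 192.0.2.10 4427 -> 198.51.100.5 21
Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4427 198.51.100.5:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67)
Feb 27 05:44:15 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:1200 198.51.100.5:80 L=40 S=0x00 I=201 F=0x4000 T=25 (#67)
Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4427 198.51.100.5:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67)
EOF
}

# Stand-alone run: the DENY line seen before the Teergrubing entry, the
# Teergrubing entry itself, and the unrelated 192.0.2.77 line are kept.
sample_log | filter_teergrubed
```

The filter keeps the first DENY line for a source because it arrives before LaBrea reports the capture, so the initial contact stays on record.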