Re: IPFW logging and dynamic rules
On 10/5/05, jmulkerin <[EMAIL PROTECTED]> wrote:
> How about using snort and guardian. Guardian.pl will add an ipfw rule
> each time it sees an alert from Snort. You'll need to adjust the snort
> rules for what you want to alert on but it's a pretty safe and
> lightweight asset. (just my novice 2 cents...)
>

Thanks, I'll look at Guardian. I had not planned to get that
sophisticated about it, but even if I don't use it on this system, I
have others where it may be just what I need.

- Bob

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: IPFW logging and dynamic rules
On 10/5/05, Alex de Kruijff <[EMAIL PROTECTED]> wrote:
> On Thu, Sep 29, 2005 at 11:45:42AM -0400, Bob Johnson wrote:
> > In FreeBSD 5.4R, I tried an IPFW configuration that includes something
> > like this (plus a lot of other rules):
> >
> > check-state
> > deny tcp from any to any established
> > allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
> > + other rules that use keep-state
[...]
> > Is there some way to get the first version to log only the initial
> > packet while still retaining the dynamic limit src-addr rule?
>
> Yes, you could use count instead of allow.
>
> check-state
> count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
> allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
>

Thanks, I'll try that. I had overlooked the count option when I was
reading the man pages.

> Howto's based on my personal use, including information about
> setting up a firewall and creating traffic graphs with MRTG
> http://www.kruijff.org/alex/FreeBSD/
>

And I will look over your tutorial as well. Thanks!

- Bob
Re: IPFW logging and dynamic rules
How about using snort and guardian. Guardian.pl will add an ipfw rule
each time it sees an alert from Snort. You'll need to adjust the snort
rules for what you want to alert on but it's a pretty safe and
lightweight asset. (just my novice 2 cents...)

John

Alex de Kruijff wrote:
> On Thu, Sep 29, 2005 at 11:45:42AM -0400, Bob Johnson wrote:
> > In FreeBSD 5.4R, I tried an IPFW configuration that includes something
> > like this (plus a lot of other rules):
> >
> > check-state
> > deny tcp from any to any established
> > allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
> > + other rules that use keep-state
> >
> > When I do this, _every_ ssh packet is logged, in both directions. To
> > get it to log ONLY the initial connection, I had to give up on using
> > dynamic rules for ssh and instead do something like:
> >
> > allow log tcp from any to ${my-ip} dst-port 22 setup
> > allow tcp from any to ${my-ip} dst-port 22 established
> > allow tcp from ${my-ip} 22 to any established
> > check-state
> > deny tcp from any to any established
> > + other rules that use keep-state
> >
> > So now I have lost the per-host ssh limit rule I wanted to include,
> > and I am filtering packets on flags that can be spoofed
> > ("established") rather than the actual dynamic state of the
> > connection. Am I wrong to believe there is an advantage to this?
> >
> > Is there some way to get the first version to log only the initial
> > packet while still retaining the dynamic limit src-addr rule?
>
> Yes, you could use count instead of allow.
>
> check-state
> count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
> allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
Re: IPFW logging and dynamic rules
On Thu, Sep 29, 2005 at 11:45:42AM -0400, Bob Johnson wrote:
> In FreeBSD 5.4R, I tried an IPFW configuration that includes something
> like this (plus a lot of other rules):
>
> check-state
> deny tcp from any to any established
> allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
> + other rules that use keep-state
>
> When I do this, _every_ ssh packet is logged, in both directions. To
> get it to log ONLY the initial connection, I had to give up on using
> dynamic rules for ssh and instead do something like:
>
> allow log tcp from any to ${my-ip} dst-port 22 setup
> allow tcp from any to ${my-ip} dst-port 22 established
> allow tcp from ${my-ip} 22 to any established
> check-state
> deny tcp from any to any established
> + other rules that use keep-state
>
> So now I have lost the per-host ssh limit rule I wanted to include,
> and I am filtering packets on flags that can be spoofed
> ("established") rather than the actual dynamic state of the
> connection. Am I wrong to believe there is an advantage to this?
>
> Is there some way to get the first version to log only the initial
> packet while still retaining the dynamic limit src-addr rule?

Yes, you could use count instead of allow.

check-state
count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3

--
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howto's based on my personal use, including information about
setting up a firewall and creating traffic graphs with MRTG
http://www.kruijff.org/alex/FreeBSD/
IPFW logging and dynamic rules
In FreeBSD 5.4R, I tried an IPFW configuration that includes something
like this (plus a lot of other rules):

check-state
deny tcp from any to any established
allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
+ other rules that use keep-state

When I do this, _every_ ssh packet is logged, in both directions. To
get it to log ONLY the initial connection, I had to give up on using
dynamic rules for ssh and instead do something like:

allow log tcp from any to ${my-ip} dst-port 22 setup
allow tcp from any to ${my-ip} dst-port 22 established
allow tcp from ${my-ip} 22 to any established
check-state
deny tcp from any to any established
+ other rules that use keep-state

So now I have lost the per-host ssh limit rule I wanted to include,
and I am filtering packets on flags that can be spoofed
("established") rather than the actual dynamic state of the
connection. Am I wrong to believe there is an advantage to this?

Is there some way to get the first version to log only the initial
packet while still retaining the dynamic limit src-addr rule?

Thanks,

- Bob
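A worked example added to this thread, not code from any of the posters: a small Python reader for the syslog lines ipfw emits, showing why Bob wants only the initial packet logged. It assumes a ruleset in which rule number 500 is a `count log ... dst-port 22 setup` rule in the spirit of Alex's suggestion, so that each "500 Count" line is one SSH connection attempt rather than one packet of an already-open session. The log lines, the rule number 500 and the addresses (RFC 5737 documentation ranges) are constructed for the example; the `ipfw: <rule> <Action> <PROTO> src:port dst:port in|out via <iface>` field layout is ipfw's own.

```python
import re
from collections import Counter

# ipfw writes one syslog line per logged packet in the form
#   ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>
# The regex searches for that part and ignores whatever syslog prefix precedes it.
IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

# Constructed sample log (assumption: rule 500 is a setup-only "count log" rule
# for dst-port 22, so each "500 Count" line is one SYN, i.e. one connection attempt).
SAMPLE_LOG = """\
Oct  5 12:00:01 fw kernel: ipfw: 500 Count TCP 203.0.113.7:51000 192.0.2.10:22 in via em0
Oct  5 12:00:01 fw kernel: ipfw: 500 Count TCP 203.0.113.7:51001 192.0.2.10:22 in via em0
Oct  5 12:00:02 fw kernel: ipfw: 500 Count TCP 198.51.100.4:40210 192.0.2.10:22 in via em0
Oct  5 12:00:02 fw kernel: ipfw: 500 Count TCP 203.0.113.7:51002 192.0.2.10:22 in via em0
Oct  5 12:00:03 fw kernel: ipfw: 100 Deny TCP 203.0.113.7:51003 192.0.2.10:23 in via em0
Oct  5 12:00:03 fw kernel: ipfw: 500 Count TCP 203.0.113.9:33000 192.0.2.10:22 in via em0
Oct  5 12:00:04 fw kernel: ipfw: 500 Count TCP 203.0.113.7:51004 192.0.2.10:22 in via em0
Oct  5 12:00:04 fw kernel: ipfw: 500 Count TCP 203.0.113.9:33001 192.0.2.10:22 in via em0
Oct  5 12:00:05 fw kernel: ipfw: 500 Count TCP 198.51.100.4:40211 192.0.2.10:22 in via em0
Oct  5 12:00:05 fw kernel: ipfw: 700 Accept TCP 192.0.2.10:22 203.0.113.7:51000 out via em0
Oct  5 12:00:06 fw kernel: ipfw: 500 Count TCP 203.0.113.9:33002 192.0.2.10:22 in via em0
Oct  5 12:00:06 fw kernel: ipfw: 500 Count TCP 203.0.113.7:51005 192.0.2.10:22 in via em0
Oct  5 12:00:07 fw kernel: em0: link state changed to UP
"""


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None for any other line."""
    m = IPFW_LINE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("rule", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def setup_attempts(lines, log_rule=500, dport=22):
    """Count inbound connection attempts per source address.

    Only lines produced by `log_rule` toward `dport` in the inbound direction
    are counted; every other rule, port and direction is ignored.
    """
    attempts = Counter()
    for line in lines:
        f = parse_ipfw_line(line)
        if f is None:
            continue
        if f["rule"] == log_rule and f["direction"] == "in" and f["dport"] == dport:
            attempts[f["src"]] += 1
    return attempts


def over_limit(attempts, limit=3):
    """Sources with more logged attempts than `limit`, busiest first."""
    return sorted(
        ((src, n) for src, n in attempts.items() if n > limit),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    counts = setup_attempts(SAMPLE_LOG.splitlines())
    for src, n in counts.most_common():
        print(f"{src:<16} {n} attempt(s)")
    for src, n in over_limit(counts):
        print(f"{src} made {n} attempts, more than the per-host limit of 3")
```

Two points worth keeping in mind when reading the output. First, the tally only equals "connection attempts" because the logging rule matches `setup` packets alone; with Bob's first ruleset, where the `allow log ... limit src-addr 3` rule's log flag applies to every packet of the dynamic session, the same counter would measure packets in both directions and say nothing about how many sessions a host opened. Second, `limit src-addr 3` caps concurrent dynamic states per source address inside the kernel, while a count over a log window is a different, coarser measure; treat a source that exceeds the threshold here as a candidate for a closer look, not as proof that the firewall limit was hit.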