Subject: Re: Serious trouble with IPF
To: None <arto.huusko@utu.fi>
From: Frederick Bruckman <fb@enteract.com>
List: netbsd-help
Date: 03/08/2001 09:06:46
On Thu, 8 Mar 2001, Arto Huusko wrote:

> I just checked, BTW, ipmon once I noticed I still have logging
> enabled, but it contained no entries for today and yesterday.
> Although, is there a limit for logged packets in /dev/ipl?

Probably because your "block in quick" (no "log") overrides the "block
in log" at the top of the file.

The general idea is to either pass by default, and block specific
things, or block by default, but pass specific things. It would also
be more efficient (and easier to parse by humans, too) if you were to
take advantage of the "head"/"group" feature.

Here's a small start...

block in log on ne1 from any to any head 1
  block in quick on ne1 from 127.0.0.0/8 to any group 1
  pass in quick on ne1 from any to any port = http group 1
  pass in quick on ne1 from any to any port = ssh  group 1

block out log on ne1 from any to any head 2
  block out log quick on ne1 from 127.0.0.0/8 to any group 2
  pass out quick on ne1 proto icmp from any to any group 2
  pass out quick on ne1 proto udp from any to any group 2
  pass out quick on ne1 proto tcp from any to any keep state group 2

and so on.

What you get from the first group is that a packet arriving on ne1
from 127.x.x.x won't even be logged, but anything else arriving on any
port but 80 and 22 will be blocked and logged. For the second,
anything that doesn't fit the last three lines of your config (not
sure what that would be) will be blocked and logged, but at least
spoofed packets will be blocked and logged, as well.

To see the logged packets, you need to start "ipmon". You will also
need to have the daemon.info facility turned on in /etc/syslog.conf,
which it is in a stock system, with the messages set to go to
/var/log/messages.


Frederick
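As an added illustration (this is not part of Frederick's reply, nor code from the IPFilter project), here is a small Python model of how ipf walks a rule list: last match wins, a matching "quick" rule ends evaluation on the spot, and a matching "head" rule hands evaluation to its group. It reproduces the two situations in the thread: a constructed two-rule configuration where an unlogged "block in quick" after a "block in log" leaves nothing for ipmon to report, and the grouped rule set from the reply (with the out-rules attached to group 2, as the head rule intends). The parser handles only the subset of ipf.conf syntax that appears in those rules, "keep state" is accepted but has no effect on the model, and a packet is logged only when the rule that finally decides it carries "log"; those simplifications are assumptions of this model, not a statement of every detail of real ipf behaviour.

```python
"""Toy model of IPF rule evaluation (added example, not code from the original post).

Rules are checked in order; the last matching rule wins unless a matching rule is
'quick', which ends evaluation at once. A matching 'head N' rule descends into the
rules of 'group N'; if none of them match, the head rule's own action stands.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVICES = {"http": 80, "ssh": 22}   # the two service names used in the rules

@dataclass
class Rule:
    action: str; direction: str; text: str
    log: bool = False; quick: bool = False
    iface: Optional[str] = None; proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None; dport: Optional[int] = None
    head: Optional[int] = None; group: Optional[int] = None

@dataclass
class Packet:
    direction: str; iface: str; proto: str; src: str
    dport: int = 0

def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf.conf syntax used in the thread's rules."""
    t = line.split()
    r = Rule(action=t[0], direction=t[1], text=line.strip())
    i = 2
    while i < len(t):
        w = t[i]
        if w == "log": r.log = True
        elif w == "quick": r.quick = True
        elif w == "on": r.iface = t[i + 1]; i += 1
        elif w == "proto": r.proto = t[i + 1]; i += 1
        elif w == "from":
            if t[i + 1] != "any": r.src = ipaddress.ip_network(t[i + 1])
            i += 1
        elif w == "to": i += 1                          # only "to any" is supported
        elif w == "port": r.dport = SERVICES.get(t[i + 2]) or int(t[i + 2]); i += 2
        elif w == "keep": i += 1                        # "keep state": ignored by the model
        elif w == "head": r.head = int(t[i + 1]); i += 1
        elif w == "group": r.group = int(t[i + 1]); i += 1
        else: raise ValueError(f"unsupported token {w!r} in {line!r}")
        i += 1
    return r

def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dport is None or r.dport == p.dport))

def _walk(rules, p, group, current):
    """Return (current winner, stopped). 'quick' stops; 'head' recurses into its group."""
    for r in rules:
        if r.group != group or not matches(r, p):
            continue
        current = r
        if r.quick:
            return current, True
        if r.head is not None:
            current, stopped = _walk(rules, p, r.head, current)
            if stopped:
                return current, True
    return current, False

def decide(rules, p):
    """Return (action, logged, rule text). With no match at all ipf passes and logs nothing."""
    winner, _ = _walk(rules, p, None, None)
    return ("pass", False, None) if winner is None else (winner.action, winner.log, winner.text)

def load(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

# Constructed reconstruction of the problem in the thread: an unlogged "block in quick"
# after a logging block rule. The quick rule decides, so nothing is handed to ipmon.
ORIGINAL = load("""
block in log on ne1 from any to any
block in quick on ne1 from 127.0.0.0/8 to any
""")

# The grouped rule set from the reply, with the out-rules in group 2.
GROUPED = load("""
block in log on ne1 from any to any head 1
  block in quick on ne1 from 127.0.0.0/8 to any group 1
  pass in quick on ne1 from any to any port = http group 1
  pass in quick on ne1 from any to any port = ssh  group 1
block out log on ne1 from any to any head 2
  block out log quick on ne1 from 127.0.0.0/8 to any group 2
  pass out quick on ne1 proto icmp from any to any group 2
  pass out quick on ne1 proto udp from any to any group 2
  pass out quick on ne1 proto tcp from any to any keep state group 2
""")

if __name__ == "__main__":
    for p in (Packet("in", "ne1", "tcp", "127.0.0.1", 25), Packet("in", "ne1", "tcp", "192.0.2.10", 80),
              Packet("in", "ne1", "tcp", "192.0.2.10", 25), Packet("out", "ne1", "gre", "192.0.2.1")):
        print(p, "->", decide(GROUPED, p))
```

Running it shows the point of the reply: under ORIGINAL a packet from 127.0.0.1 is blocked but never logged, while under GROUPED spoofed loopback traffic arriving on ne1 is dropped silently by design, anything inbound other than ports 80 and 22 falls back to the logging head rule, and an outbound packet that fits none of the three pass rules (a GRE packet in the example) is blocked and logged by head 2.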