Subject: Re: splitting IPF-rules
To: Todd Gruhns Acct <tgruhn2@mail.com>
From: David Maxwell <david@vex.net>
List: netbsd-users
Date: 05/03/2002 10:52:26
On Fri, May 03, 2002 at 10:03:48AM -0500, Todd Gruhns Acct wrote:
> I am having problems with IPF creating huge log files (2Mb +).
> Most of the logged events are of the "p" type. I would like to 
> cut this way back since I am interested in who (or what) is attempting
> to whack my system. Below are the offending rules:
> 
> pass out log quick on ppp0 proto tcp from any to any flags S keep state
> pass out     quick on ppp0 proto tcp from any to any         keep state keep frags
> 
> #  pass out log  quick on ppp0 proto tcp from any to any flags S keep state keep frags
> 
> 
> The last rule is the original; I commented it, and replaced it with the first 2.
> How do I know if this makes a diff; and where are all the logged "p" type packets
> coming from? If they are being passed, should I be bothered?

Your first line says 'pass out log ...' asking for those passed SYN
packets to be logged. Remove the word 'log'.

Additionally, in the logged line, the atom after the network interface
tells you which rule logged that line. You can use that to find the 'log'
instruction that generated the line.

From ipmon(8):

3. The name of the interface the packet was processed on, e.g., we1.

4. The group and rule number of the rule, e.g., @0:17.
   These can be viewed with ipfstat -n.

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
Any sufficiently advanced Common Sense will seem like magic... 
					      - me
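An added example, not part of the thread: a small Python script that reads ipmon(8) output and counts logged entries per interface, rule (@group:rule) and action letter, so the rule producing the bulk of the "p" entries can be identified and then looked up with ipfstat -n. The log lines below are constructed samples; the field layout (date, time, interface, @group:rule, action letter, addresses) follows the ipmon manual.

```python
import re
from collections import Counter

# Constructed sample ipmon(8) lines (not from the original thread).
SAMPLE_LOG = """\
03/05/2002 09:58:01.123456 ppp0 @0:3 p 192.0.2.10,4421 -> 198.51.100.5,80 PR tcp len 20 60 -S OUT
03/05/2002 09:58:02.223456 ppp0 @0:3 p 192.0.2.10,4422 -> 198.51.100.5,443 PR tcp len 20 60 -S OUT
03/05/2002 09:58:05.323456 ppp0 @0:3 p 192.0.2.10,4423 -> 198.51.100.7,25 PR tcp len 20 60 -S OUT
03/05/2002 09:59:10.423456 ppp0 @0:9 b 203.0.113.44,1025 -> 192.0.2.10,23 PR tcp len 20 60 -S IN
03/05/2002 09:59:11.523456 ppp0 @0:9 b 203.0.113.44,1026 -> 192.0.2.10,21 PR tcp len 20 60 -S IN
this line is not an ipmon record
"""

# date, time, interface, @group:rule, action letter(s), remainder of the record
RULE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<ifname>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[A-Za-z]+)\s+(?P<rest>.*)$"
)

def parse_ipmon_line(line):
    """Return a dict for one ipmon record, or None if the line does not match."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["group"], rec["rule"] = int(rec["group"]), int(rec["rule"])
    return rec

def count_by_rule(text):
    """Count records keyed by (interface, group, rule, action), e.g. ('ppp0', 0, 3, 'p')."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_ipmon_line(line)
        if rec:
            counts[(rec["ifname"], rec["group"], rec["rule"], rec["action"])] += 1
    return counts

def noisiest_pass_rule(text):
    """Return (interface, group, rule) of the rule logging the most 'p' records, or None."""
    passes = {k: v for k, v in count_by_rule(text).items() if k[3] == "p"}
    if not passes:
        return None
    (ifname, group, rule, _), _ = max(passes.items(), key=lambda kv: kv[1])
    return (ifname, group, rule)

if __name__ == "__main__":
    for (ifname, group, rule, action), n in count_by_rule(SAMPLE_LOG).most_common():
        print(f"{ifname} @{group}:{rule} {action}: {n}")
    noisy = noisiest_pass_rule(SAMPLE_LOG)
    if noisy:
        print(f"look up rule @{noisy[1]}:{noisy[2]} with: ipfstat -n")
```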