
List:       firewalls-gc
Subject:    Re: packet filter metalanguage
From:       avalon () coombs ! anu ! edu ! au (Darren Reed)
Date:       1992-12-14 1:46:28

In some email I received from Jim Thompson, Sie wrote:
[...]
> 	The option would be "log", and would specify whether or not you
> 	syslog the packet that tripped that filter, as well as the
> 	action taken by the filter.
> 
> Syslog is probably the *wrong* mechanism, but I agree that some form
> of packet logging is desirable.  The user should be able to specify an
> IP address/port pair where all packets to be 'logged' are sent.

Or if you were using unix, maybe pass an fd which could be a file or a
socket...but that would need to remain open...

Also, I'd prefer to send the log message as a copy of the rejected
packet header prefixed by a timestamp (leaves option of making a nice
log report up to the logger) where it can be stored efficiently...

But how much logging is good ?  If someone can 'flood' you with thousands
of packets from a fake source, what good does the log do besides waste
your disk space ?  I've seen people 'pick' on hosts which run the tcp
wrapper by using "finger @victim@innocent"...logging the successes makes
sense but the 'rejects' ??

Darren.
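
The record format proposed in the message above (a timestamp followed by a copy of the rejected packet's header, written to an fd), sketched as an added example that is not part of the original message. The 8-byte seconds/microseconds prefix, the function names and the sample addresses are assumptions; the sample headers are constructed.

```python
import os
import socket
import struct

TS = struct.Struct("!II")  # assumed prefix: seconds, microseconds (8 bytes)

def log_reject(fd, header, sec, usec):
    """Filter side: write timestamp + raw IPv4 header (IHL*4 bytes) to fd."""
    ihl = (header[0] & 0x0F) * 4
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a complete IPv4 header")
    rec = TS.pack(sec, usec) + header[:ihl]
    os.write(fd, rec)
    return len(rec)

def read_records(buf):
    """Logger side: split the stream into records and decode each header."""
    off, out = 0, []
    while off + TS.size + 20 <= len(buf):
        sec, usec = TS.unpack_from(buf, off)
        h = off + TS.size
        ihl = (buf[h] & 0x0F) * 4
        if ihl < 20 or h + ihl > len(buf):
            break  # truncated or corrupt tail: stop instead of guessing
        out.append({"sec": sec, "usec": usec, "proto": buf[h + 9],
                    "src": socket.inet_ntoa(buf[h + 12:h + 16]),
                    "dst": socket.inet_ntoa(buf[h + 16:h + 20])})
        off = h + ihl
    return out

def make_header(src, dst, proto, options=b""):
    """Constructed sample IPv4 header (checksum left at 0), demo input only."""
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + options

def demo():
    r, w = os.pipe()  # stands in for the file or socket fd
    n = log_reject(w, make_header("192.0.2.7", "198.51.100.1", 6), 724297588, 0)
    n += log_reject(w, make_header("192.0.2.9", "198.51.100.1", 17,
                                   b"\x01\x01\x01\x00"), 724297589, 500)
    os.close(w)
    data = os.read(r, 4096)
    os.close(r)
    return n, read_records(data)

if __name__ == "__main__":
    print(demo())
```

In this layout every rejected packet costs 28 to 68 bytes, which puts a number on the flooding concern raised in the message.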
