List: firewalls-gc
Subject: Re: packet filter metalanguage
From: avalon () coombs ! anu ! edu ! au (Darren Reed)
Date: 1992-12-14 1:46:28
In some email I received from Jim Thompson, Sie wrote:
[...]
> The option would be "log", and would specify whether or not you
> syslog the packet that tripped that filter, as well as the
> action taken by the filter.
>
> Syslog is probably the *wrong* mechanism, but I agree that some form
> of packet logging is desirable. The user should be able to specify an
> IP address/port pair where all packets to be 'logged' are sent.

Or if you were using Unix, maybe pass an fd which could be a file or a
socket...but that would need to remain open...

Also, I'd prefer to send the log message as a copy of the rejected
packet header prefixed by a timestamp (leaves option of making a nice
log report up to the logger) where it can be stored efficiently...

But how much logging is good? If someone can 'flood' you with thousands
of packets from a fake source, what good does the log do besides waste
your disk space? I've seen people 'pick' on hosts which run the tcp
wrapper by using "finger @victim@innocent"...logging the successes makes
sense but the 'rejects'??

Darren.
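
Added example, not part of the original message: a sketch of the record format proposed above (a timestamp followed by a copy of the rejected packet's header), with the report built afterwards by the logger. The 5-byte record prefix, the choice to keep the IPv4 header plus the first 4 transport bytes, and all function names and addresses are assumptions made for illustration.

```python
import socket
import struct
from collections import Counter

REC_HDR = struct.Struct("!IB")   # assumed layout: u32 seconds, u8 captured length

def make_record(ts, packet):
    """Filter side: timestamp + IP header + first 4 transport bytes (ports)."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    captured = packet[:ihl + 4]          # ports are absent if the packet is short
    return REC_HDR.pack(ts, len(captured)) + captured

def parse_records(blob):
    """Logger side: walk the binary log and decode each stored header."""
    off = 0
    while off + REC_HDR.size <= len(blob):
        ts, n = REC_HDR.unpack_from(blob, off)
        hdr = blob[off + REC_HDR.size: off + REC_HDR.size + n]
        off += REC_HDR.size + n
        if len(hdr) < n or n < 20:
            break                        # truncated tail: stop, keep what parsed
        ihl = (hdr[0] & 0x0F) * 4
        proto = hdr[9]
        src = socket.inet_ntoa(hdr[12:16])
        dst = socket.inet_ntoa(hdr[16:20])
        sport = dport = None
        if proto in (6, 17) and len(hdr) >= ihl + 4:
            sport, dport = struct.unpack_from("!HH", hdr, ihl)
        yield {"ts": ts, "proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

def report(blob):
    """Collapse repeats so a flood from one claimed source is one report line."""
    counts = Counter((r["src"], r["dst"], r["proto"], r["dport"]) for r in parse_records(blob))
    return counts.most_common()

def sample_packet(src, dst, sport, dport):
    """Constructed TCP/IPv4 packet start (checksum left zero) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HH", sport, dport) + b"\x00" * 16

# Constructed input: 1000 rejects claiming one source, plus a single other reject.
LOG = b"".join(make_record(724300000 + i, sample_packet("192.0.2.7", "198.51.100.1", 1024 + i, 79))
               for i in range(1000))
LOG += make_record(724301100, sample_packet("203.0.113.9", "198.51.100.1", 4000, 23))
```

Each reject costs a fixed 29 bytes here, so the flood still grows the file linearly; only the report collapses it, and the source address it shows is whatever the packet claimed.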