
List:       ipfilter
Subject:    Re: Double checking ipfilter rules
From:       Rude Yak <rudeyak () yahoo ! com>
Date:       1999-06-22 13:17:03

  Deepak -

  Your rules look fine; if you want to actually log all connections, you can do
one of the following:

  a) change your "pass in ..." rules to "pass in log ..."
  b) run "ipf -l pass"

Then, run ipmon and look for "K-S" at the end of a line (I believe that stands
for Keep-State).  If you run ipmon and log to syslog, make sure you have the
appropriate levels set for local0.xxxxx (assuming you used the default makefile
settings).  ipmon logs different types of packets to different log levels:

          LOG_INFO - packets logged using the  "log"  keyword  as
          the action rather than pass or block.

          LOG_NOTICE - packets logged which are also passed

          LOG_WARNING - packets logged which are also blocked

          LOG_ERR - packets which have been logged and which  can
          be considered "short".

By splitting the logs in syslog, you can theoretically separate "good"
connections from blocked packets.

  Good luck.

  Erick.
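
An added example, not part of the original message: a small parser that takes ipmon lines from syslog, tags each with the log level listed above, and picks out passed packets marked "K-S". The field layout and the action letters (p, b, L, S) are assumptions based on ipmon's usual output; the sample lines are constructed.

```python
import re

# Constructed sample lines in the style ipmon sends to syslog (not real traffic).
SAMPLE = """\
Jun 22 13:17:03 fw ipmon[214]: 13:17:02.912340 le0 @0:3 p 192.0.2.10,1034 -> 198.51.100.5,80 PR tcp len 20 44 -S K-S
Jun 22 13:17:04 fw ipmon[214]: 13:17:03.100211 le0 @0:1 b 203.0.113.7,4021 -> 192.0.2.10,23 PR tcp len 20 44 -S
Jun 22 13:17:05 fw ipmon[214]: 13:17:04.500902 le0 @0:5 L 192.0.2.10,53 -> 198.51.100.9,53 PR udp len 20 61
Jun 22 13:17:06 fw ipmon[214]: 13:17:05.000117 le0 @0:2 S 203.0.113.7 -> 192.0.2.10 PR tcp len 20 24
"""

# Action letter -> syslog level, following the list in the message above.
# The letters themselves (p, b, L, S) are assumed from ipmon's output format.
LEVEL = {"L": "LOG_INFO", "p": "LOG_NOTICE", "b": "LOG_WARNING", "S": "LOG_ERR"}

LINE = re.compile(
    r"ipmon\[\d+\]: .*?(?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[pbLS]) (?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+)(?P<rest>.*)"
)

def parse_line(line):
    """Return a dict for one ipmon packet line, or None if it is not one."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["level"] = LEVEL[rec["action"]]
    # "K-S" as its own token marks a packet that matched a keep-state rule.
    rec["keep_state"] = "K-S" in rec.pop("rest").split()
    return rec

def parse_log(text):
    """Parse every recognisable ipmon line in a block of syslog text."""
    return [r for r in map(parse_line, text.splitlines()) if r]

def state_creating_flows(records):
    """Passed packets carrying K-S: the 'good' connections to audit."""
    return [(r["src"], r["dst"]) for r in records
            if r["action"] == "p" and r["keep_state"]]

if __name__ == "__main__":
    for r in parse_log(SAMPLE):
        print(r["level"], r["src"], "->", r["dst"], "K-S" if r["keep_state"] else "")
```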