IPFW ipfw, logging, and dynamic rules

I expected that if I log on a stateful firewall with a typical dynamic rule to allow ssh setup like:

ipfw add 4000 skipto 9000 log logamount 0 tcp from any to $oip ssh in recv $oif setup keep-state

that the setup match would be logged, the dynamic rule would be created, and I would see one log record every time there is a new ssh connect.

What I am observing is that the dynamic rule gets created for somehost to $oip on port 22 with the log element. So every packet that matches the dynamic rule is logged, not just the setup. Many many many packets.

Is there any way to prevent logging within the dynamic rules to get the behavior I expected?

Thanks!
 
Before guesswork, please show a few of the logged lines. Is it the 4000 skipto?

Also, what happens at 9000? I'm wondering if 'allow log tcp ... setup keep-state' couldn't be moved to there, without logging the skipto?

Where is the check-state?

Maybe '# ipfw -ted show' result for lines 4000, 9000 and just after, will help see where the packet counting happens?
 
I was trying to avoid bringing in a lot of extraneous stuff :) Below it's actually 3000, I was posting from memory originally.

A few of the logged lines; one key press on the client equates to two logged packets:

Code:
Jun 11 18:34:39 hostname kernel: ipfw: 3000 SkipTo 9000 TCP XXX:54287 YYY:22 in via igb0
Jun 11 18:34:40 hostname kernel: ipfw: 3000 SkipTo 9000 TCP YYY:22 XXX:54287 out via igb0
Jun 11 18:34:40 hostname kernel: ipfw: 3000 SkipTo 9000 TCP XXX:54287 YYY:22 in via igb0
Jun 11 18:34:40 hostname kernel: ipfw: 3000 SkipTo 9000 TCP YYY:22 XXX:54287 out via igb0

9000 is the nat for outbound packets.

The rule structure is pretty standard, ipfw is flushed and nat 1 is configured for use of an internal subnet for VMs. The relevant bits...

Code:
01040 407 33303 reass ip from any to any in
01050 711 89695 count // pre check-state
01100 407 33303 nat 1 ip4 from any to any in recv igb0
01110   0      0 check-state :default
01120  84 10346 count // post check-state
01130   7   496 deny tcp from any to any established in recv igb0
02000   0     0 skipto 9000 tcp from any to any setup out xmit igb0 keep-state :default
02010  13  1634 skipto 9000 udp from any to any out xmit igb0 keep-state :default
02020   5   420 skipto 9000 icmp from any to any out xmit igb0 keep-state :default
03000 495 55963 skipto 9000 log tcp from any to YYY 22 in recv igb0 setup keep-state :default
:
# other rules for other ports and VMs
:
08998   7  1062 deny log tcp from any to any via igb0
08999  22  3504 deny log udp from any to any via igb0
09000 297 55330 nat 1 ip4 from any to any out xmit igb0
09001 675 84633 allow ip from any to any
65000   0     0 deny log ip from any to any // bad packet
65535  46  5458 deny ip from any to any

A few lines from ipfw -ted show

Code:
03000  667  71995 Sun Jun 11 18:47:45 2023 skipto 9000 log tcp from any to YYY 22 in recv igb0 setup keep-state :default
:
:
09000  541 105094 Sun Jun 11 18:47:45 2023 nat 1 ip4 from any to any out xmit igb0
09001 1206 157159 Sun Jun 11 18:47:45 2023 allow ip from any to any
65000    0      0                          deny log ip from any to any // bad packet
65535   46   5458 Sun Jun 11 18:32:38 2023 deny ip from any to any
## Dynamic rules (1 152):
03000  667  71995 (300s) STATE tcp XXX 54287 <-> YYY 22 :default

As I said, the logging seems to be made part of the dynamic rule. If that is the case, it would be nice if there was a knob to disallow logging from the dynamic rules that I've just not found as yet.
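As an added example (not part of any post in this thread), here is a shell check that can be run over ipfw kernel log records, as written to /var/log/security under a default FreeBSD syslog configuration, to confirm what the post above observes from the `ipfw -ted show` counters. The body of rule 3000 says `in recv igb0`, so it can only match inbound packets itself; if the same rule number appears on log records for both directions, those records must be coming from the dynamic rule it created, not from the setup match. The sample log lines are constructed to mirror the ones posted, with RFC 5737 documentation addresses standing in for the redacted XXX/YYY.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise ipfw kernel log records by
# rule number and direction to show which rule is actually doing the logging.

# Constructed sample log, modelled on the lines posted in the thread. The
# addresses are RFC 5737 documentation addresses standing in for XXX/YYY.
SAMPLE_LOG='Jun 11 18:34:39 hostname kernel: ipfw: 3000 SkipTo 9000 TCP 192.0.2.10:54287 198.51.100.5:22 in via igb0
Jun 11 18:34:40 hostname kernel: ipfw: 3000 SkipTo 9000 TCP 198.51.100.5:22 192.0.2.10:54287 out via igb0
Jun 11 18:34:40 hostname kernel: ipfw: 3000 SkipTo 9000 TCP 192.0.2.10:54287 198.51.100.5:22 in via igb0
Jun 11 18:34:40 hostname kernel: ipfw: 3000 SkipTo 9000 TCP 198.51.100.5:22 192.0.2.10:54287 out via igb0
Jun 11 18:35:01 hostname kernel: ipfw: 8998 Deny TCP 203.0.113.7:41000 198.51.100.5:443 in via igb0'

# log_dirs_by_rule: read log records on stdin, print "<rule> <dir> <count>".
# The rule number is the token after "ipfw:" and the direction is the token
# before "via", so the variable-length action ("SkipTo 9000", "Deny") does
# not matter.
log_dirs_by_rule() {
    awk '{
        rule = ""; dir = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "ipfw:") rule = $(i + 1)
            if ($i == "via")  dir  = $(i - 1)
        }
        if (rule != "" && dir != "") n[rule " " dir]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# both_direction_rules: rule numbers whose log records include both "in" and
# "out". A rule whose body says "in recv igb0" cannot itself match an
# outbound packet, so "out" records under its number come from the dynamic
# rule it created, i.e. the log flag is being applied per flow, not per setup.
both_direction_rules() {
    log_dirs_by_rule | awk '
        { seen[$1] = seen[$1] " " $2 }
        END { for (r in seen) if (seen[r] ~ / in/ && seen[r] ~ / out/) print r }' | sort
}

# Dry run on the constructed sample; on a live host use something like
#   grep 'ipfw:' /var/log/security | both_direction_rules
printf '%s\n' "$SAMPLE_LOG" | log_dirs_by_rule
printf 'rules logging both directions: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | both_direction_rules)"
```

On the sample, rule 3000 is reported with two inbound and two outbound records (the two key presses), while the plain `deny log` rule 8998 shows inbound only, which is what a rule without `keep-state` looks like.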
 
Bump.

I can't nut this one out. This skipto ... keep-state method has always seemed weird to me.

Maybe if you didn't log those skiptos, then had 9000-9002 be 'allow log ... keep-state ' for those 3 protocols, then followed by the nat?

Or log the nat line instead?

Hoping someone who's used this sort of method can help.
 
Reviving this old thread due to my own interest in it.

Focusing only on the port 22 rules my understanding is that:
- The log option logs every packet that matches the rule criteria.
- A dynamic rule inherits certain properties from its parent (generally only those properties that occur before the rule body).
- To log just the setup, not the dynamic rule, do the following:
Note: I have not tested this in this specific context, but I do use something very similar so as not to log every packet.
Code:
02999           count   log tcp from any to YYY 22 in recv igb0 setup
03000 495 55963 skipto 9000 tcp from any to YYY 22 in recv igb0 setup keep-state :default
 
Nice workaround!

I've used count as kind of a no-op here and there but it never occurred to me to do the rule match twice.
 