IPFW Logging connections to specific IP address on internet

Bogadn


Hello all!
I have a FreeBSD server with ipfw (firewall and NAT) with 2 NICs: local network (eth0) and Internet (eth1).
I have a task to log all connections (all ports and protocols) from the local network to a specific IP address on the Internet.
Write the log to /var/log/ip.log (for example).

How can I do this task with ipfw?

For now I temporarily use "nohup tcpdump -i eth0 -v dst {IP on inet} -l -tttt >> /var/log/IPaddr.log &"
 

SirDice

Administrator

You need to realize there's quite a difference between logging connections and capturing connections. Logging connections just records the source and destination IPs and ports, the protocols, the time and duration of the connection. Capturing records all packets, including their contents.
 

Bogadn


> You need to realize there's quite a difference between logging connections and capturing connections. Logging connections just records the source and destination IPs and ports, the protocols, the time and duration of the connection. Capturing records all packets, including their contents.

I know that using tcpdump for logging is a bad idea, but I am a beginner in FreeBSD and ipfw.
Maybe I must write a command in ipfw something like this:
ipfw add pass log all from any to {external IP}

I need to find a right way for logging.
 

SirDice

Administrator

Start by reading ipfw(8):
Code:
     log [logamount number]
             Packets matching a rule with the log keyword will be made
             available for logging in two ways: if the sysctl variable
             net.inet.ip.fw.verbose is set to 0 (default), one can use bpf(4)
             attached to the ipfw0 pseudo interface.  This pseudo interface
             can be created after a boot manually by using the following
             command:

                   # ifconfig ipfw0 create

             Or, automatically at boot time by adding the following line to
             the rc.conf(5) file:

                   firewall_logif="YES"

             There is no overhead if no bpf(4) is attached to the pseudo
             interface.

             If net.inet.ip.fw.verbose is set to 1, packets will be logged to
             syslogd(8) with a LOG_SECURITY facility up to a maximum of
             logamount packets.  If no logamount is specified, the limit is
             taken from the sysctl variable net.inet.ip.fw.verbose_limit.  In
             both cases, a value of 0 means unlimited logging.

             Once the limit is reached, logging can be re-enabled by clearing
             the logging counter or the packet counter for that entry, see the
             resetlog command.

             Note: logging is done after all other packet matching conditions
             have been successfully verified, and before performing the final
             action (accept, deny, etc.) on the packet.
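Once net.inet.ip.fw.verbose is 1 and a rule carries the log keyword, each matching packet lands in syslog's LOG_SECURITY facility as one "ipfw: <rule> <action> <proto> <src> <dst> <dir> via <iface>" line, so "logging connections" in practice means reading those records back out and keeping the fields you care about. The script below is an added example written for this thread, not code from the forum or from FreeBSD; it parses a few constructed syslog lines in the shape ipfw writes (that shape, the interface name em0 and the addresses are all assumptions), keeps only records whose destination is the watched Internet address, and renders them one per line in the form the original poster wanted in /var/log/ip.log, plus a per-client count that makes a noisy host easy to spot.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines in the shape FreeBSD's ipfw writes when
# net.inet.ip.fw.verbose=1 (assumed format; compare with /var/log/security on your box).
# The last line is an unrelated syslog record that the parser must ignore.
SAMPLE_LOG = """\
Jan  5 10:00:01 gw kernel: ipfw: 100 Accept TCP 192.168.1.20:50123 203.0.113.10:443 in via em0
Jan  5 10:00:02 gw kernel: ipfw: 100 Accept UDP 192.168.1.21:5353 203.0.113.10:53 in via em0
Jan  5 10:00:03 gw kernel: ipfw: 100 Accept ICMP:8.0 192.168.1.22 203.0.113.10 in via em0
Jan  5 10:00:04 gw kernel: ipfw: 200 Accept TCP 192.168.1.20:50124 198.51.100.7:80 in via em0
Jan  5 10:00:05 gw kernel: ipfw: 100 Deny TCP 192.168.1.23:50125 203.0.113.10:22 in via em0
Jan  5 10:00:06 gw sshd[123]: Accepted publickey for bob from 192.168.1.5 port 40000
"""

# Syslog timestamp at the start of the line ("Jan  5 10:00:01").
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
# ipfw record: ports are present for TCP/UDP only; ICMP carries "type.code" after the proto.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)(?::[\d.]+)? "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Connection:
    ts: str
    rule: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str
    iface: str


def parse_line(line: str) -> Optional[Connection]:
    """Return a Connection for an ipfw log line, or None for any other syslog line."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    ts = TS_RE.match(line)
    return Connection(
        ts=ts.group("ts") if ts else "",
        rule=int(m.group("rule")),
        action=m.group("action"),
        proto=m.group("proto"),
        src=m.group("src"),
        sport=int(m.group("sport")) if m.group("sport") else None,
        dst=m.group("dst"),
        dport=int(m.group("dport")) if m.group("dport") else None,
        direction=m.group("dir"),
        iface=m.group("iface"),
    )


def connections_to(lines, target_ip: str) -> List[Connection]:
    """Keep only ipfw records whose destination is the watched Internet address."""
    return [c for c in map(parse_line, lines) if c is not None and c.dst == target_ip]


def format_record(c: Connection) -> str:
    """One line per connection for /var/log/ip.log: time, rule, verdict, proto, endpoints."""
    sport = f":{c.sport}" if c.sport is not None else ""
    dport = f":{c.dport}" if c.dport is not None else ""
    return (f"{c.ts} rule={c.rule} {c.action} {c.proto} "
            f"{c.src}{sport} -> {c.dst}{dport} {c.direction} via {c.iface}")


def summarize(conns) -> Dict[Tuple[str, str, Optional[int]], int]:
    """Count records per (source host, protocol, destination port)."""
    counts: Dict[Tuple[str, str, Optional[int]], int] = {}
    for c in conns:
        key = (c.src, c.proto, c.dport)
        counts[key] = counts.get(key, 0) + 1
    return counts


def write_log(conns, path: str) -> int:
    """Append the rendered records to a file (e.g. /var/log/ip.log); returns lines written."""
    with open(path, "a") as fh:
        for c in conns:
            fh.write(format_record(c) + "\n")
    return len(conns)


if __name__ == "__main__":
    hits = connections_to(SAMPLE_LOG.splitlines(), "203.0.113.10")
    for c in hits:
        print(format_record(c))
    print(summarize(hits))
```

To run it against a real box, feed the lines of /var/log/security (or whatever your syslog.conf sends the security facility to) into connections_to instead of SAMPLE_LOG. Two caveats from the man page text above apply: with the default verbose_limit the kernel stops logging after that many packets per rule unless the rule says logamount 0 or the sysctl is 0, and ipfw logs packets, not connections, so a long TCP session with a stateful allow rule shows up as the packets that matched the logging rule, not as one record with a duration.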
 

Bogadn


My variables in /etc/rc.conf:
Code:
firewall_enable=yes
firewall_script="/etc/ipfw.rules"
firewall_nat_enable=yes
firewall_logging=yes
/etc/sysctl.conf:
Code:
# sysctl.conf entries are key=value (the "key: value" form is sysctl's output format)
net.inet.ip.fw.verbose_limit=0
net.inet.ip.fw.verbose=1
If I add a rule like this: ipfw add pass log all from any to {external IP}, will it work and write to /var/log/security?
 