
RE: Logging Question



For more illuminating debugging via logs, change "pass out on" to "pass out log on", rerun your tests, and re-examine your logs.

Also, I think (maybe, possibly) that if you're hide-NATing (i.e., all internal hosts leave with the IP address of the firewall's external interface), the NATing occurs before the filtering, and so your first "pass out" rule permits AIM, etc., because all outbound packets look like they are "from $ext_if".

I personally filter out undesirable destinations on the firewall's internal interface (pre-NAT), and with "block return-rst", just so the user gets an immediate deny instead of waiting for a time-out.

But, in the words of John Candy, "that's just me."
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf
Of Phusion
Sent: Friday, November 12, 2004 11:31 AM
To: [email protected]
Subject: Logging Question
I have a question about logging certain packets. On my internal network I allow the following traffic outbound: tcp 21, 22, 25, 53, 80, 110, 443, 5999 and udp 53, 67, 123. I was wondering how I can log all the blocked outbound traffic, e.g. to tcp and udp ports 1214, 4662, and the rest. I'm having a problem because when I tried AOL Instant Messenger, it should have been blocked and logged and not have been able to connect, because it makes an outbound connection to tcp port 5190, which isn't allowed, but it still works. This is what I have right now in my config files.
/etc/inetd.conf
127.0.0.1:8021  stream  tcp     nowait  root    /usr/libexec/ftp-proxy
 ftp-proxy -n -u proxy -m 55000 -M 57000 -t 180
/etc/pf.conf
tcp_ports       = "{ 21, 22, 25, 53, 80, 110, 443, 5999 }"
block in all
block out log all
# for FTP
pass in on $ext_if inet proto tcp from any to $ext_if \
        port 55000 >< 57000 user proxy $tcpsrv_options $proto_options
# for FTP
pass out on $ext_if inet proto tcp from $ext_if to any \
        port > 1023 $tcpsrv_options $proto_options
pass out on $ext_if inet proto tcp from $ext_if to any \
        port $tcp_ports $tcpsrv_options $proto_options
Let me know how I can log the outbound traffic that is blocked. Thanks.
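The two changes the reply above suggests (add "log" to the pass rules so the matching rule shows up in pflog, and filter on the internal interface before NAT with "block return-rst"), written out as a complete pf.conf fragment. This is an added example, not the poster's config or anything from the original thread: the interface names xl0/xl1, the internal network 192.168.1.0/24, the nat rule, and the explicit "keep state" are assumptions, and the poster's undefined $tcpsrv_options / $proto_options macros are left out. Note that the quoted "pass out ... port > 1023" rule matches any high destination port, 5190 included, so it is restricted here to the ftp-proxy user (the same "user proxy" match the poster already uses on the inbound FTP rule).

```pf
ext_if    = "xl0"                 # assumed external interface
int_if    = "xl1"                 # assumed internal interface
int_net   = "192.168.1.0/24"      # assumed internal network
tcp_ports = "{ 21, 22, 25, 53, 80, 110, 443, 5999 }"
udp_ports = "{ 53, 67, 123 }"

# Hide-NAT: every internal host leaves with the external address.
# Translation is applied before the "out on $ext_if" rules are evaluated,
# so those rules only ever see packets "from $ext_if".
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny; log what is dropped so it shows up in /var/log/pflog.
block in log all
block out log all

# Filter on the internal interface, before NAT, where the source address is
# still the client's. Last matching rule wins, so the block comes first.
# "return-rst" answers a disallowed TCP SYN with a RST so the application
# fails immediately instead of waiting for a time-out; UDP is just dropped.
block return-rst in log on $int_if inet proto tcp from $int_net to any
block in log on $int_if inet proto udp from $int_net to any
pass in on $int_if inet proto tcp from $int_net to any port $tcp_ports keep state
pass in on $int_if inet proto udp from $int_net to any port $udp_ports keep state

# Outbound on the external interface (post-NAT, so "from $ext_if").
# "log" on the pass rules records which rule each permitted packet hit.
pass out log on $ext_if inet proto tcp from $ext_if to any port $tcp_ports keep state
pass out log on $ext_if inet proto udp from $ext_if to any port $udp_ports keep state

# ftp-proxy data connections to high ports on the server, but only for
# connections the proxy user opened, not every high port from everyone.
pass out log on $ext_if inet proto tcp from $ext_if to any port > 1023 user proxy keep state

# Inbound control connections redirected to ftp-proxy (as in the original post).
pass in on $ext_if inet proto tcp from any to $ext_if port 55000 >< 57000 user proxy keep state
```

Check the ruleset with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf", then watch the log with "tcpdump -n -e -ttt -i pflog0" (or read the file with "tcpdump -n -e -ttt -r /var/log/pflog"); each logged line carries the rule number and the interface, which is what tells you whether a port 5190 connection was blocked on xl1 or passed on xl0 and by which rule. If the firewall itself runs the ftp-proxy, remember that "user proxy" only matches connections opened by local sockets, which is exactly the case here.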