Firewall Wizards mailing list archives

RE: having trouble reading ipf logs ... different than documentation ?


From: Nick Evans <nevans () ibeam com>
Date: Fri, 2 Feb 2001 10:17:46 -0500

What operating system? On some FreeBSD versions, if IPF is updated there are
two ipmon binaries, one from the original installation and one from the new
installation. This could be the issue.

Nick

-----Original Message-----
From: list tracker [mailto:list_tracker () hotmail com]
Sent: Thursday, February 01, 2001 2:36 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] having trouble reading ipf logs ... different than
documentation ?



Hello,

When I read the ipf howto:

http://www.obfuscation.org/ipf/ipf-howto.txt

I am told that I should expect logs in this format:

15:57:33.803147 ppp0 @0:2 b 100.100.100.103,443 -> 20.20.20.10,4923 PR tcp len 20 1488 -A

^^ This makes perfect sense.  (I see 100.100.100.103 talking to 20.20.20.10 
using tcp on port 443.  easy.)

But, when I run ipmon with this argument:

/sbin/ipmon -D -s  (to put the logs into syslog)

the messages I see in syslog look like this:

Feb  1 11:32:45 gateway ipmon[28872]: 11:32:45.403275 fxp1 @0:0 L 126.6.37.39 -> 10.10.10.10 PR 162 len 0 (49185) frag 49185@384

I block telnet (port 22 tcp and udp) on my firewall, and I generated the 
above syslog entry by trying to telnet somewhere...anyway, the first thing I 
notice is, there is no mention of port 22 in this entry.  Second, PR is 162 
instead of tcp ...

pretty much _all_ I can tell is that machine X on my network tried to 
communicate with machine Y, and it broke a rule that triggered a log.  I 
don't know what port, what protocol ...

What am I doing wrong / ignorant of ?

thanks,

LT

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
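The two log lines quoted in this thread differ in shape: the howto example carries a protocol name and a port on each address, while the syslog entry has a numeric protocol, no ports, and a trailing `frag` field, and it is wrapped in a syslog prefix by `ipmon -s`. The parser below is an added example for reading both shapes side by side; it is not code from the thread, from ipmon, or from the ipf howto. It assumes only the field layout visible in the two quoted lines (the syslog prefix pattern, the `frag` keyword and the small protocol-number table are assumptions labelled in the comments), and where a field is absent it reports that fact instead of guessing.

```python
import re

# Minimal IANA protocol-number table (assumption: only these three are needed here)
# so a numeric PR field can be given a name when one is known.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Syslog prefix as produced by "ipmon -s" in the quoted entry, e.g.
# "Feb  1 11:32:45 gateway ipmon[28872]: " (pattern assumed from that one sample).
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+ipmon\[\d+\]:\s+")

# Field layout assumed from the two quoted lines:
#   <time> <iface> @<group>:<rule> <action> <src>[,port] -> <dst>[,port] PR <proto> len <hlen> <plen> [extras]
IPMON_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"PR\s+(?P<proto>\S+)\s+"
    r"len\s+(?P<hlen>\d+)\s+\(?(?P<plen>\d+)\)?"   # second sample writes the length as "(49185)"
    r"(?P<rest>.*)$"
)

# Constructed sample input: the two lines quoted in the thread, unwrapped.
SAMPLE_LINES = [
    "15:57:33.803147 ppp0 @0:2 b 100.100.100.103,443 -> 20.20.20.10,4923 PR tcp len 20 1488 -A",
    "Feb  1 11:32:45 gateway ipmon[28872]: 11:32:45.403275 fxp1 @0:0 L 126.6.37.39 -> 10.10.10.10 PR 162 len 0 (49185) frag 49185@384",
]


def _split_endpoint(endpoint):
    """'1.2.3.4,443' -> ('1.2.3.4', 443); a bare address yields port None."""
    addr, sep, port = endpoint.rpartition(",")
    if sep and port.isdigit():
        return addr, int(port)
    return endpoint, None


def parse_ipmon_line(line):
    """Parse one ipmon line (with or without syslog prefix); return a dict or None."""
    body = SYSLOG_PREFIX.sub("", line.strip(), count=1)
    m = IPMON_LINE.match(body)
    if not m:
        return None
    src, sport = _split_endpoint(m["src"])
    dst, dport = _split_endpoint(m["dst"])
    proto_raw = m["proto"]
    if proto_raw.isdigit():
        proto_num = int(proto_raw)
        proto_name = PROTO_NAMES.get(proto_num)      # None when the number is not in the table
    else:
        proto_num = None
        proto_name = proto_raw
    extra = m["rest"].split()
    return {
        "time": m["time"], "iface": m["iface"],
        "group": int(m["group"]), "rule": int(m["rule"]),
        "action": m["action"],
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "proto_name": proto_name, "proto_num": proto_num,
        "hlen": int(m["hlen"]), "plen": int(m["plen"]),
        "fragment": "frag" in extra,                 # "frag" keyword assumed from the sample
        "extra": extra,
    }


def describe(rec):
    """One-line summary that states plainly when ports or a protocol name are missing."""
    def ep(addr, port):
        return f"{addr}:{port}" if port is not None else f"{addr} (no port logged)"
    if rec["proto_name"]:
        proto = rec["proto_name"]
    else:
        proto = f"protocol number {rec['proto_num']} (no name known here)"
    parts = [
        f"{rec['action']} rule @{rec['group']}:{rec['rule']} on {rec['iface']}:",
        f"{ep(rec['src'], rec['sport'])} -> {ep(rec['dst'], rec['dport'])}",
        proto,
    ]
    if rec["fragment"]:
        parts.append("[fragment: transport ports not shown]")
    return " ".join(parts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_ipmon_line(line)
        print(describe(rec) if rec else f"unparsed: {line}")
```

Running it prints one summary per sample line; the second one reports a numeric protocol with no known name, no ports on either address, and the fragment marker, which is exactly the information the quoted syslog entry does and does not contain.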

