Hello,
When I read the ipf howto:
http://www.obfuscation.org/ipf/ipf-howto.txt
I am told that I should expect logs in this format:
15:57:33.803147 ppp0 @0:2 b 100.100.100.103,443 -> 20.20.20.10,4923 PR tcp
len 20 1488 -A
^^ This makes perfect sense. (I see 100.100.100.103 talking to 20.20.20.10
using tcp on port 443. easy.)
But, when I run ipmon with this argument:
/sbin/ipmon -D -s (to put the logs into syslog)
the messages I see in syslog look like this:
Feb 1 11:32:45 gateway ipmon[28872]: 11:32:45.403275 fxp1 @0:0 L
126.6.37.39 -> 10.10.10.10 PR 162 len 0 (49185) frag 49185@384
I block telnet (port 22 tcp and udp) on my firewall, and I generated the
above syslog entry by trying to telnet somewhere...anyway, the first thing I
notice is, there is no mention of port 22 in this entry. Second, PR is 162
instead of tcp ...
pretty much _all_ I can tell is that machine X on my network tried to
communicate with machine Y, and it broke a rule that triggered a log. I
don't know what port, what protocol ...
What am I doing wrong / ignorant of ?
thanks,
LT
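Added example (not part of the post above and not IPFilter's own code): a small parser for the two ipmon line shapes quoted in the message, the bare ipmon format and the syslog-prefixed one that ipmon -s produces. It assumes the field layout of exactly those two lines: optional syslog prefix, timestamp, interface, @rule, action, source and destination with an optional ",port" after each address, "PR <proto>", "len <n>", then either a packet length with tcp flags or a "(id) frag id@offset" tail. The point for a log reader is visible in the second line: a non-first IP fragment carries no TCP/UDP header, so ipmon has no port numbers to print, and the parser reports that explicitly instead of silently returning nothing.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Two lines constructed from the formats quoted in the post above (addresses
# are the post's own; the syslog prefix is how "ipmon -s" hands lines to syslog).
SAMPLE_LINES = [
    "15:57:33.803147 ppp0 @0:2 b 100.100.100.103,443 -> 20.20.20.10,4923 PR tcp len 20 1488 -A",
    "Feb 1 11:32:45 gateway ipmon[28872]: 11:32:45.403275 fxp1 @0:0 L "
    "126.6.37.39 -> 10.10.10.10 PR 162 len 0 (49185) frag 49185@384",
]


@dataclass
class IpmonEvent:
    time: str
    iface: str
    rule: str            # "group:rule" as printed after '@'
    action: str          # e.g. "b" (block), "p" (pass), or "L" as in the post
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str           # name ("tcp") or number ("162") exactly as ipmon printed it
    frag: Optional[str]  # "id@offset" when the packet was an IP fragment
    flags: Optional[str] # tcp flag string such as "-A", when present

    @property
    def has_ports(self) -> bool:
        return self.sport is not None and self.dport is not None


# Optional syslog prefix, then ipmon's own fields.  A port follows an address
# after a comma; it is absent for non-first fragments and port-less protocols.
_LINE_RE = re.compile(
    r"^(?:\w{3}\s+\d+\s+[\d:]+\s+\S+\s+ipmon\[\d+\]:\s+)?"
    r"(?P<time>[\d:.]+)\s+(?P<iface>\S+)\s+@(?P<rule>\d+:\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+PR\s+(?P<proto>\S+)\s+len\s+\d+"
    r"(?P<rest>.*)$"
)
_FRAG_RE = re.compile(r"frag\s+(\d+@\d+)")
_FLAGS_RE = re.compile(r"\s(-[A-Z]+)\s*$")


def parse_ipmon_line(line: str) -> IpmonEvent:
    """Parse one ipmon line (with or without a syslog prefix) into an IpmonEvent."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ipmon line: {line!r}")
    rest = m.group("rest")
    frag = _FRAG_RE.search(rest)
    flags = _FLAGS_RE.search(rest)
    return IpmonEvent(
        time=m.group("time"),
        iface=m.group("iface"),
        rule=m.group("rule"),
        action=m.group("action"),
        src=m.group("src"),
        sport=int(m.group("sport")) if m.group("sport") else None,
        dst=m.group("dst"),
        dport=int(m.group("dport")) if m.group("dport") else None,
        proto=m.group("proto"),
        frag=frag.group(1) if frag else None,
        flags=flags.group(1) if flags else None,
    )


def describe(ev: IpmonEvent) -> str:
    """One-line summary that says so when the entry cannot identify the service."""
    if ev.has_ports:
        return (f"{ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} {ev.proto} "
                f"rule @{ev.rule} action {ev.action}")
    why = f"fragment {ev.frag}, no transport header" if ev.frag else "no port fields"
    return (f"{ev.src} -> {ev.dst} proto {ev.proto} rule @{ev.rule} "
            f"action {ev.action} (ports unknown: {why})")


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(describe(parse_ipmon_line(raw)))
```

Run it as-is to see the two lines summarised; to use it on a real syslog, feed each line containing "ipmon[" to parse_ipmon_line and count events where has_ports is False to see how many entries are fragments rather than connection attempts.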
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://www.nfr.com/mailman/listinfo/firewall-wizards
Received on Feb 01 2001