Re: [fwAnalog] NetBSD

From: Balázs Bárány (balazs~AT~tud.at)
Date: Sat Aug 11 2001 - 09:23:50 CEST
Hi,

> Aug 7 20:35:11 wormhole ipmon[542]: 20:35:06.266243 2x rtk1
> ~AT~138:1 b xxx.xxx.xxx.xxx,www -> xxx.xxx.xxx.xxx,16793 PR tcp len 20 56325
> -A 194209914 3141330721 17339 IN

The only relevant difference to an OpenBSD log I see is the ",www" port. Everything else (ipf, ipchains, iptables) logs the port number numerically. So the regexps assume that port numbers are \d+ (numeric).

There are two options:
- Don't call ipmon with "-n"
- Change the '?(\d*)'-s in line 279 (under 7 and 9) of fwanalog.sh to '?(\w*)' so fwanalog accepts letters in this position.

I think the first way is better as Analog does a better job resolving IP addresses and port numbers (using the nmap config) than your kernel. (Resolving IPs shouldn't be the job of a firewall, anyway.)

What is the default setting on NetBSD? -n or not?

This was the only problem I've found; aside from that, the OpenBSD parser works perfectly.

Please delete everything from the $outdir before you try it again, and make sure that you only give ipflogs to fwanalog which were created without "-n".

I hope this helps

-- 
_________________________________________________________________
Balázs Bárány     balazs~AT~tud.at     http://tud.at    ICQ 10747763

Computers. You can't live with them, you can't live without them.
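The parsing difference discussed in the mail, as an added example in Python (not fwanalog's own code): the digits-only port regexp rejects an ipmon line that carries ",www", the relaxed '\w*' form accepts it, and a small check flags log lines that were written with "ipmon -n" so they can be regenerated before being fed to fwanalog. The sample lines, the "@138:1" rule reference (the archive shows it as "~AT~138:1") and the service-name table are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample lines (documentation addresses, not from a real host).
# The archive shows the rule reference as "~AT~138:1" because it masked "@";
# ipmon itself prints "@group:rule", which is assumed here.
SAMPLE_NUMERIC = (
    "Aug  7 20:35:11 wormhole ipmon[542]: 20:35:06.266243 2x rtk1 @138:1 b "
    "192.0.2.10,80 -> 198.51.100.7,16793 PR tcp len 20 56325 -A 194209914 3141330721 17339 IN"
)
# Same packet logged by "ipmon -n": port 80 came out as the service name "www".
SAMPLE_NAMED = SAMPLE_NUMERIC.replace("192.0.2.10,80", "192.0.2.10,www")

# Port field as fwanalog's regexps expect it: optional comma, then digits only.
NUMERIC_PORTS = re.compile(
    r"(?P<src>[\d.]+),?(?P<sport>\d*) -> (?P<dst>[\d.]+),?(?P<dport>\d*) PR (?P<proto>\w+)"
)
# The change proposed in the mail (\d* -> \w*), so a service name also matches.
NAMED_PORTS = re.compile(
    r"(?P<src>[\d.]+),?(?P<sport>\w*) -> (?P<dst>[\d.]+),?(?P<dport>\w*) PR (?P<proto>\w+)"
)
# Constructed stand-in for the /etc/services table the kernel resolved against.
SERVICE_PORTS = {"www": 80, "http": 80, "ssh": 22, "smtp": 25, "domain": 53}


def port_number(field: str) -> Optional[int]:
    """Numeric port for a digit string or a known service name, else None."""
    if field.isdigit():
        return int(field)
    return SERVICE_PORTS.get(field)


def parse_ipmon(line: str, accept_names: bool = False) -> Optional[dict]:
    """Extract the 5-tuple from an ipmon line; None if the port regexp fails."""
    m = (NAMED_PORTS if accept_names else NUMERIC_PORTS).search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport"):
        rec[key] = port_number(rec[key]) if rec[key] else None
    return rec


def logged_with_names(line: str) -> bool:
    """True when the line parses only with the relaxed regexp, i.e. it was
    written by "ipmon -n" and should be regenerated before feeding fwanalog."""
    return parse_ipmon(line) is None and parse_ipmon(line, True) is not None
```

Running logged_with_names() over an existing ipflog before handing it to fwanalog tells you whether that file was produced with -n and needs to be recreated.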
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 22:22:04 CEST