Re: [fwAnalog] pass rules are listed as blocked?

From: Billy Newsom (billy~AT~nlcc.us)
Date: Thu Jun 26 2003 - 19:44:09 CEST



That looks like the way to do it. I will probably need two fwanalog.sh scripts, each with their own config files. The config files will have two different output directories. The shell scripts will have different parsing strings. Everything else is the same. Does that sound right?

Yes, this is FreeBSD 4.7 from ipf.log.

I sort of wish that I could make ipf send passed packet logs to a different logfile, anyway. But the zegrep parsing string should work.

I guess I could make one change to the one that is showing passed packets... I could make its TITLE say "Passed" instead of Blocked.

Billy

Balázs Bárány wrote:
> Hello,
>
> * Billy Newsom <billy~AT~nlcc.us> [2003-06-26 01:40]:
>
>>Are things that are being passed (and logged) included in the analog
>
> It is possible for some kinds of firewalls that don't log this
> information.
>
> Are you using the freebsd parser? In that case, you could change the
> zegrep string " -> .+ PR.+len" to " b .+ -> .+ PR.+len" in fwanalog.sh in
> the freebsd() function.
>
> That would only list the blocked packets. If you want a report of passed
> packets separately, you would need to modify fwanalog.sh and create a
> separate output directory.
>
> Regards
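
An added example, not part of the original emails or of fwanalog.sh: it runs the two zegrep strings quoted above over constructed ipmon-style lines to show what each selects. The ` p ` pattern for passed packets, the function names and the sample lines are assumptions; `grep -E` on inline text stands in for zegrep on ipf.log.

```shell
#!/bin/sh
# Constructed sample lines in ipmon's log layout (not from a real ipf.log).
# The action letter sits between the rule number (@0:N) and the source address.
sample_log() {
cat <<'EOF'
Jun 26 19:40:01 fw ipmon[82]: 19:40:00.101010 xl0 @0:3 b 192.0.2.10,4021 -> 198.51.100.5,135 PR tcp len 20 48 -S IN
Jun 26 19:40:02 fw ipmon[82]: 19:40:01.202020 xl0 @0:7 p 192.0.2.11,1055 -> 198.51.100.5,80 PR tcp len 20 60 -S IN
Jun 26 19:40:03 fw ipmon[82]: 19:40:02.303030 xl0 @0:3 b 192.0.2.12,137 -> 198.51.100.5,137 PR udp len 20 78 IN
Jun 26 19:40:04 fw ipmon[82]: 19:40:03.404040 xl0 @0:7 p 192.0.2.13,2200 -> 198.51.100.5,25 PR tcp len 20 60 -S IN
Jun 26 19:40:05 fw ipmon[82]: 19:40:04.505050 xl0 @0:9 L 192.0.2.14,3000 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
Jun 26 19:40:06 fw ipmon[82]: ipmon restarted
EOF
}

ALL_RE=' -> .+ PR.+len'            # original string: every logged packet
BLOCKED_RE=' b .+ -> .+ PR.+len'   # string suggested in the thread
PASSED_RE=' p .+ -> .+ PR.+len'    # assumption: same idea for the second script

# Number of sample lines selected by a pattern.
count_matches() {
    sample_log | grep -E -c -e "$1" || true
}

# Packet lines that neither report would include (other action letters).
count_unclassified() {
    sample_log | grep -E -e "$ALL_RE" \
        | grep -E -v -e "$BLOCKED_RE" \
        | grep -E -v -c -e "$PASSED_RE" || true
}

echo "all packet lines : $(count_matches "$ALL_RE")"
echo "blocked report   : $(count_matches "$BLOCKED_RE")"
echo "passed report    : $(count_matches "$PASSED_RE")"
echo "in neither report: $(count_unclassified)"
```

Running the neither-report count against a real log before splitting the reports shows whether any logged packets would drop out of both.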

