Thread: [Fwbuilder-discussion] network definition clarification
From: Steve C. <cam...@cn...> - 2004-10-26 18:04:42
We get port scanned from a particular set of class C IPs. They are blocked, but I log all blocked packets for later review. These get quite numerous at times, so to avoid the logging, I created a rule to not log from this network.

I defined a network as xxx.yyy.zzz.0 with a netmask of 255.255.255.0

I then defined a rule that says don't log and deny when:

Source: this defined network
Destination: any
Service: any

I still see these in my logs. Have I misunderstood something about Networks? Does anyone have a clue what I'm doing wrong? Have I defined this network properly?

Thanks for any help on such a trivial question.

Steve Campbell
cam...@cn...
Charleston Newspapers
From: Vadim K. <va...@vk...> - 2004-10-27 06:23:54
On Oct 26, 2004, at 11:04 AM, Steve Campbell wrote:

> We get port scanned from a particular set of class C IPs. They are blocked,
> but I log all blocked packets for later review. These get quite numerous at
> times, so to avoid the logging, I created a rule to not log from this network.
>
> I defined a network as xxx.yyy.zzz.0 with a netmask of 255.255.255.0
>
> I then defined a rule that says don't log and deny when:
>
> Source: this defined network
> Destination: any
> Service: any
>
> I still see these in my logs. Have I misunderstood something about Networks?
> Does anyone have a clue what I'm doing wrong? Have I defined this network
> properly?
>
> Thanks for any help on such a trivial question.

The log entry should contain the number of the rule that matched and logged the packet. It could be that the rule that matched the packet is above the rule that you describe here. Keep in mind that all interface policy rules are stacked on top of the global policy rules, so if you drop and log something in the policy of one of the interfaces, then rules in the global policy will never see this packet.

--vk
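The rule-ordering point made in the reply, as an added example that is not from the thread or from fwbuilder itself: a small first-match evaluator in which interface policy rules sit above global policy rules, so a catch-all drop-and-log rule on the interface is the one that logs the scanner's packets, and the quiet deny only takes effect once it is placed above that rule. The 192.0.2.0/24 prefix, the source addresses and the rule names are assumptions standing in for the thread's xxx.yyy.zzz.0/24.

```python
import ipaddress

# Constructed model of fwbuilder-style first-match evaluation: interface
# policy rules are evaluated before global policy rules, so the first rule
# whose source matches decides both the action and whether a log entry is
# written. Addresses, rule names and the 192.0.2.0/24 scanner prefix are
# assumptions standing in for the thread's xxx.yyy.zzz.0/24.
SCANNER_NET = "192.0.2.0/24"


def make_rule(name, src, action, log):
    """A minimal policy rule: match on source network only."""
    return {"name": name, "src": ipaddress.ip_network(src), "action": action, "log": log}


def evaluate(src_ip, interface_rules, global_rules):
    """Return (rule number, rule name, action, logged) for the first match.

    Rule numbers are 1-based over the combined interface+global list, which is
    the number a log line would carry when the packet is logged.
    """
    ip = ipaddress.ip_address(src_ip)
    for number, rule in enumerate(interface_rules + global_rules, start=1):
        if ip in rule["src"]:
            return number, rule["name"], rule["action"], rule["log"]
    return None, "implicit-deny", "deny", True  # assumed default: drop and log


# Interface policy: a catch-all drop-and-log rule on the outside interface.
INTERFACE_RULES = [make_rule("if-drop-log", "0.0.0.0/0", "deny", True)]
# Global policy: the quiet deny for the scanning network from the thread.
QUIET_DENY = make_rule("quiet-deny-scanner", SCANNER_NET, "deny", False)
GLOBAL_RULES = [QUIET_DENY]


def as_posted():
    """Quiet rule in the global policy: the interface rule matches first and logs."""
    return evaluate("192.0.2.77", INTERFACE_RULES, GLOBAL_RULES)


def quiet_rule_first():
    """Quiet rule placed above the interface drop-and-log rule: no log entry."""
    return evaluate("192.0.2.77", [QUIET_DENY] + INTERFACE_RULES, [])


if __name__ == "__main__":
    print("as posted:       ", as_posted())         # (1, 'if-drop-log', 'deny', True)
    print("quiet rule first:", quiet_rule_first())  # (1, 'quiet-deny-scanner', 'deny', False)
    print("other source:    ", evaluate("198.51.100.5", [QUIET_DENY] + INTERFACE_RULES, []))
```

The rule number returned by `evaluate` is the value to compare against the rule number in the firewall's log line when working out which rule actually matched.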