"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
news:slrne2lq2p.fbq.ibuprofin@compton.phx.az.us...
> On Wed, 29 Mar 2006, in the Usenet newsgroup comp.security.firewalls, in
> article
> <xJrWf.7983$x94.7162@newsread1.news.pas.earthlink.net>, Duane Arnold
> wrote:
>
>><carkaci@gmail.com> wrote
>
>>> In our company, we enable only the ACCEPTED packet logging (Cisco
>>> firewall)? I wonder about the advantage of also logging denied or
>>> rejected packets, i.e. full logging. Any idea? What type of analysis
>>> can be done at that time?
>
> It's useful when trying to debug a problem. User Jones says they can't
> connect to service $FOO on site $BAR, but they can connect to $FOO on
> $BAZ, or service $QUX on $BAR. Looking at 'deny/reject' logs may tell
> you what is wrong, and give a hint of how to fix it.
>
>>I would think the ability to get a total picture of all traffic hitting
>>the FW that's being rejected. I particularly like to keep track of or keep
>>an eye on remote IP(s), the same IP coming at the FW numerous times, and
>>run analysis reporting on how many times the same IP is coming at the FW
>>by day, week and month.
>
> If you can actually do something productive with the data, this might be
> valid.
What you see as being of use and what I see as being of use is like night
and day or day and night, whatever.
>
>>I have not done it that often, maybe 3 or 4 times, that I have set a rule
>>on my Watchguard to deny specific IP(s) that were coming just a
>>little too hard, even if the unsolicited traffic was being rejected by
>>the FW.
>
> Your description is a little unclear, but the concept makes no sense.
> If the traffic is being blocked at the perimeter, who gives a flying
> what-ever. If it's _not_ being blocked at the perimeter, then "why not"?
>
You want to drive my car for me too????????
> Blocking a specific IP address??? Duane, as of the 15th, there were
> 2,257,589,720 _active_ IPv4 addresses in 72091 networks with 30853
> routings. If you're aware of IPv6, there are another 1429 networks
> there. Even blocking individual networks is insane. "You're wearing blue
> shoes, brown pants, a green shirt and a red hat, so you can't come in".
> You _allow_ specific addresses/networks to specific service, and block,
> deny, reject the rest BY DEFAULT. Are you aware that there are 137
> _other_ protocols besides TCP, UDP, and ICMP? I really doubt your firewall
> has a clue about IPComp (protocol 108 or 0x6c - per RFC2393) and rejects
> it by default - or did you put in a specific rule for that protocol?
>
Yeah, that's what I did. And what does any of this above have to do with
anything if I see the same IP coming at a port or port(s) and I want to do
it?
If I decide to block it I am going to set rule to do just that. If I want to
block IP 999.999.999.999 I am going to do it. Don't be getting into all the
protocol stuff with me as I know all about it. If I want to set a rule to
block an IP even if it's being blocked by DEFAULT, that's my business.
What concern is it of *yours*????????????
>>It's just me, but I don't like flying half blind and want to see all
>>aspects of what's happening from time to time.
>
> Your firewall is blocking it - there are no Internet Police - and the
> packets are not causing you problems. Besides giving you something else
> to worry about - which might keep you from gaining weight, why else
> would you even care? Or do you really have that much extra time on your
> hands and are bored?
>
Look Old guy, I don't need you going off the deep end with your boxers in a
bind about this. :)
You're out of line here chief.
Duane :)
Received on Mon May 1 01:03:24 2006
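Added example (not code from anyone in this thread): the two uses of deny logging that come up above, Duane's per-day/week/month count of the same source hitting the firewall (plus a "coming a little too hard" check) and Moe's debugging case of working out which rule dropped a user's connection. The log lines are constructed and only loosely modelled on Cisco ASA/PIX-style "Deny ... by access-group" syslog messages; the exact field layout, the regex, the interface and ACL names, and the addresses are all assumptions, and the protocol-108 line is there to show what a non-TCP/UDP/ICMP deny looks like when it does get logged.

```python
"""Summarise firewall deny-log lines by source address and time bucket."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample syslog lines (not real traffic; layout is an assumption).
SAMPLE_LOG = """\
Mar 29 2006 10:01:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/40001 dst inside:10.1.1.5/22 by access-group "outside_in"
Mar 29 2006 10:01:03 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/40002 dst inside:10.1.1.5/23 by access-group "outside_in"
Mar 29 2006 10:01:04 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/40003 dst inside:10.1.1.5/25 by access-group "outside_in"
Mar 29 2006 10:05:00 fw1 %ASA-4-106023: Deny udp src outside:198.51.100.9/5060 dst inside:10.1.1.9/5060 by access-group "outside_in"
Mar 29 2006 11:30:00 fw1 %ASA-4-106023: Deny protocol 108 src outside:198.51.100.9 dst inside:10.1.1.9 by access-group "outside_in"
Mar 30 2006 09:00:00 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/40010 dst inside:10.1.1.5/22 by access-group "outside_in"
Mar 30 2006 09:00:01 fw1 %ASA-4-106023: Deny tcp src inside:10.1.1.20/51000 dst outside:192.0.2.80/443 by access-group "inside_out"
Mar 30 2006 09:00:02 fw1 %ASA-4-106023: Deny icmp src outside:203.0.113.7 dst inside:10.1.1.5 (type 8, code 0) by access-group "outside_in"
Mar 30 2006 09:00:03 fw1 %ASA-6-302013: Built outbound TCP connection 4711 for outside:192.0.2.80/443 to inside:10.1.1.21/51001
"""

# Matches only the constructed deny layout above; an accept/"Built" line is ignored.
DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"Deny (?P<proto>tcp|udp|icmp|protocol \d+) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type \d+, code \d+\))? "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return a dict for a deny line, or None for anything else."""
    m = DENY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def parse_log(text):
    return [r for r in map(parse_deny, text.splitlines()) if r]


# Bucket keys for the day/week/month reporting Duane describes.
PERIODS = {
    "day": lambda ts: ts.strftime("%Y-%m-%d"),
    "week": lambda ts: "%d-W%02d" % ts.isocalendar()[:2],
    "month": lambda ts: ts.strftime("%Y-%m"),
}


def hits_by_source(records, period="day", interface="outside"):
    """Count denied packets per (source IP, period bucket) seen on `interface`."""
    key = PERIODS[period]
    counts = Counter()
    for r in records:
        if r["sif"] == interface:
            counts[(r["sip"], key(r["ts"]))] += 1
    return counts


def repeat_offenders(records, min_hits=3, period="day"):
    """Sources that exceeded `min_hits` denies in any single bucket."""
    hits = hits_by_source(records, period)
    return sorted({src for (src, _), n in hits.items() if n >= min_hits})


def port_sweepers(records, min_ports=3):
    """Sources denied to at least `min_ports` distinct destination ports (scan-like)."""
    ports = defaultdict(set)
    for r in records:
        if r["dport"] is not None:
            ports[r["sip"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def why_denied(records, src_ip, dst_ip, dport):
    """Moe's debugging case: which access-group(s) dropped src -> dst:port."""
    return sorted({r["acl"] for r in records
                   if r["sip"] == src_ip and r["dip"] == dst_ip and r["dport"] == dport})


def non_standard_protocols(records):
    """Denies that were not TCP, UDP or ICMP, by protocol label."""
    return Counter(r["proto"] for r in records if r["proto"] not in ("tcp", "udp", "icmp"))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for period in PERIODS:
        print(period, dict(hits_by_source(recs, period)))
    print("repeat offenders:", repeat_offenders(recs))
    print("port sweepers:", port_sweepers(recs))
    print("Jones -> 192.0.2.80:443 denied by:", why_denied(recs, "10.1.1.20", "192.0.2.80", 443))
    print("non-standard protocols:", non_standard_protocols(recs))
```

The design choice worth noting is that the counts are keyed on source interface as well as source address: a deny on the inside interface (a user's outbound connection hitting an egress rule) is Moe's debugging signal, while a deny on the outside interface is the unsolicited traffic Duane is counting, and mixing the two in one table hides both. Whether you then act on a repeat offender is the judgement call the thread argues about; the script only makes the count visible.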