In some email I received from Jim Thompson, Sie wrote:
> The option would be "log", and would specify whether or not you
> syslog the packet that tripped that filter, as well as the
> action taken by the filter.
> Syslog is probably the *wrong* mechanism, but I agree that some form
> of packet logging is desirable. The user should be able to specify an
> IP address/port pair where all packets to be 'logged' are sent.
Or if you were using unix, maybe pass an fd which could be a file or a
socket...but that would need to remain open...
Also, I'd prefer to send the log message as a copy of the rejected
packet header prefixed by a timestamp (leaves option of making a nice
log report up to the logger) where it can be stored efficiently...
But how much logging is good ? If someone can 'flood' you with thousands
of packets from a fake source, what good does the log do besides waste
your disk space ? I've seen people 'pick' on hosts which run the tcp
wrapper by using "finger @victim @innocent"...logging the successes makes
sense but the 'rejects' ??
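The two design points raised in this message (a reject log record that is just a timestamp plus a copy of the rejected packet header, and the worry that a spoofed flood turns that log into a disk-filling liability) can be shown together in code. The following is an added example, not code from this thread or from any packet filter discussed in it; the record layout, the per-source rate limit, the `RejectLogger` name and the sample packet headers are all my own construction for illustration.

```python
import struct
import time
from collections import defaultdict

# Fixed 20-byte IPv4 header, network byte order:
# ver/ihl, tos, total length, id, flags/frag, ttl, proto, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"


def parse_ipv4_header(raw):
    """Extract the fields worth logging from a raw IPv4 header copy."""
    if len(raw) < 20:
        raise ValueError("header too short to be IPv4")
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HDR, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "proto": proto,
        "ttl": ttl,
        "len": total_len,
    }


def make_header(src, dst, proto=6):
    """Build a constructed sample header (sample data, not captured traffic)."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    return struct.pack(IPV4_HDR, 0x45, 0, 40, 0x1234, 0x4000, 64, proto, 0, s, d)


class RejectLogger:
    """Timestamp + header-copy log of rejected packets, rate limited per source.

    A flood from one (possibly spoofed) source address can produce at most
    `max_per_source` records per `window` seconds; the rest are only counted,
    so the log records that a flood happened without growing with it.
    """

    def __init__(self, max_per_source=5, window=60.0):
        self.max_per_source = max_per_source
        self.window = window
        self.records = []                     # what would be written / sent
        self.suppressed = defaultdict(int)    # src -> records dropped
        self._seen = defaultdict(list)        # src -> recent log timestamps

    def log(self, raw_header, action="reject", now=None):
        """Return True if a record was emitted, False if rate limited."""
        now = time.time() if now is None else now
        hdr = parse_ipv4_header(raw_header)
        recent = [t for t in self._seen[hdr["src"]] if now - t < self.window]
        if len(recent) >= self.max_per_source:
            self._seen[hdr["src"]] = recent
            self.suppressed[hdr["src"]] += 1
            return False
        recent.append(now)
        self._seen[hdr["src"]] = recent
        # The record is the timestamp, the action, and the raw header copy;
        # the parsed fields are kept alongside for convenience.
        self.records.append({"ts": now, "action": action,
                             "raw": raw_header[:20].hex(), **hdr})
        return True


def demo():
    """Ten rejects from one flooding source, then one from another source."""
    lg = RejectLogger(max_per_source=3, window=60.0)
    flood = make_header("10.0.0.99", "192.0.2.1")
    flood_results = [lg.log(flood, now=100.0 + i) for i in range(10)]
    other = lg.log(make_header("198.51.100.7", "192.0.2.1", proto=17), now=105.0)
    later = lg.log(flood, now=200.0)   # window has expired, logging resumes
    return lg, flood_results, other, later


if __name__ == "__main__":
    lg, flood_results, other, later = demo()
    for rec in lg.records:
        print(rec)
    print("suppressed:", dict(lg.suppressed))
```

The records stay small and machine-readable, so a separate reporting tool can pretty-print or correlate them, which matches the "leave the nice report to the logger" idea above; sending each record to a logging host's address/port instead of appending to a local list is a one-line change in `log`.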