1. Using ipfw2dshield

ipfw2dshield searches for ipfw log messages and mails a report ready for submission to dshield.org. See http://www.dshield.org/howto.php for more information on the dshield output format and how to submit reports.

The ipfw2dshield software is free and can be redistributed and/or modified under the terms of the GNU General Public License. A copy of the GPL should have been received along with this program (see COPYING).

The script is written for FreeBSD and Darwin (MacOS X). Installation and execution require root permission. To install run

	make install 
This will install the following files:
/usr/local/sbin/ipfw2dshield
/usr/local/bin/strpdate
/usr/local/bin/ipaddr
~/.ipfw2dshield.rc.sample
Note: For the FreeBSD ports version the sample configuration file is instead
/usr/local/etc/ipfw2dshield.rc.sample
Copy or rename the sample configuration file to ~/.ipfw2dshield.rc and edit the latter to fit your local needs. Please read section 2 below for an explanation of the configuration entries.

Note: The FreeBSD ports version also accepts /usr/local/etc/ipfw2dshield.rc as its configuration file. However, ~/.ipfw2dshield.rc takes precedence if both files exist.

The script creates a stampfile in /var/tmp where it stores date and time information which is read on a subsequent run to prevent multiple submissions of the same log records. Hence this file should remain untouched for correct operation.

The executables and the sample configuration file can be removed by

	make uninstall
The config file ~/.ipfw2dshield.rc and the stampfile in /var/tmp are not deleted by this command.

Usually ipfw2dshield is invoked without arguments. However, it recognizes a number of options which might be convenient for special purposes, e.g., for testing the configuration. Run 'ipfw2dshield -h' to get usage instructions.


2. The configuration variables

userid
Your DShield user ID if you have any, set to 0 otherwise.
mailto, mailcc, mailbcc
The 'To:', 'Cc:', and 'Bcc:' headers for mailing the report.
sender
Sets the 'From:' and 'Return-Path:' mail headers for the report. This is particularly useful if ipfw2dshield is run by cron and your reports are directly submitted to dshield.org.
drop_source, drop_source_TCP, drop_source_UDP, drop_source_ICMP
Lists of host or subnet IP addresses that are to be ignored for the report if they occur as the source of logged IP packets. Entries in the drop_source list are assumed to match any protocol, the others are protocol specific according to the list suffix.

An optional 'ports' modifier can be supplied for each list entry. The general form thus is

ip_address[:ports]
where 'ip_address' stands for a host or subnet IP address and 'ports' is a comma-separated list of port numbers or ranges (an open-ended range such as 49152- extends to 65535). For example, an entry

192.168.50.0/24:53,137-139,49152-
would cause the script to ignore all logs of packets from 192.168.50.* with source port 53, 137-139, or 49152-65535. If given in combination with the unspecific subnet 0.0.0.0/0, a 'ports' modifier applies to any IP address. ICMP packets do not use ports. However, if a 'ports' modifier is issued, logs of ICMP packets are processed in the same manner as those of TCP/UDP packets, with the source and destination port numbers identified with ICMP types and codes, respectively.
drop_target, drop_target_TCP, drop_target_UDP, drop_target_ICMP
Exclusion lists corresponding to the previously described drop_source* lists, but specifying ignorable destinations of logged IP packets.
utc_timestamps
The time zone specification used for the output. Note that this variable does not imply assumptions for the timestamps of the input data read from the logs -- these are automatically understood in local time. Setting this value to "YES" will convert the timestamps to UTC, otherwise local time is preserved.
search
The expression that is searched for in the log lines.
logdir
The directory containing the logfiles, usually /var/log.
logbase
The basename of the logfiles to be inspected. For example, the value security is expanded to ${logdir}/security* and the files matching that pattern will be processed in their chronological order. Logs older than the current stampfile will be skipped. Logs whose modification time is more than 6 months in the past will be skipped.
stampfile
The name of the stampfile in /var/tmp, usually ipfw2dshield.
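The following is an added illustration (not code from ipfw2dshield itself) of how the drop_source* entry syntax described above can be evaluated: the 'ip_address[:ports]' form, open-ended port ranges, the unspecific subnet 0.0.0.0/0, protocol-specific lists, and ICMP types standing in for source ports. The sample lists are constructed, and a bare host address is assumed to mean a /32 network.

```python
import ipaddress

# Constructed sample configuration: the four drop_source* lists, keyed by
# their protocol suffix ("" stands for the unspecific drop_source list).
# Each entry has the form ip_address[:ports]; a bare host address is
# assumed here to mean a /32 network.
DROP_SOURCE = {
    "": ["10.0.0.7", "0.0.0.0/0:1900"],            # any protocol
    "TCP": ["192.168.50.0/24:53,137-139,49152-"],
    "UDP": ["198.51.100.0/24"],
    "ICMP": ["0.0.0.0/0:8"],                        # ICMP type 8 from anywhere
}

def parse_ports(spec):
    """'53,137-139,49152-' -> [(53, 53), (137, 139), (49152, 65535)]."""
    ranges = []
    for item in spec.split(","):
        low, sep, high = item.partition("-")
        if sep:
            # An open-ended range like '49152-' runs up to 65535.
            ranges.append((int(low), int(high) if high else 65535))
        else:
            ranges.append((int(low), int(low)))
    return ranges

def parse_entry(entry):
    """Split 'ip_address[:ports]' into (network, port ranges or None)."""
    addr, _, ports = entry.partition(":")
    net = ipaddress.ip_network(addr, strict=False)
    return net, (parse_ports(ports) if ports else None)

def is_dropped(proto, src_ip, src_port, lists=DROP_SOURCE):
    """True if a logged packet is excluded from the report by the source lists.
    proto is "TCP", "UDP" or "ICMP"; for ICMP, src_port carries the ICMP type,
    which the script treats like a source port when a ports modifier is given."""
    ip = ipaddress.ip_address(src_ip)
    for entry in lists.get("", []) + lists.get(proto, []):
        net, ranges = parse_entry(entry)
        if ip not in net:
            continue
        # No ports modifier: the whole network is ignored for this protocol.
        if ranges is None or any(lo <= src_port <= hi for lo, hi in ranges):
            return True
    return False
```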

3. Caveats

The timestamp of a log entry does not identify a unique point in time, because neither the year nor the timezone is provided. For the dshield report format these data have to be supplied. The timezone is taken from /etc/localtime, so no problems are to be expected on machines that never change their timezone. For the year, the current year is inserted unless the result would be a future date or time, in which case the previous year is assumed.
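The year and timezone rules above, worked through in an added example (not the script's own code): a syslog-style stamp without a year is completed with the current year, falling back to the previous year when that would lie in the future, and then either kept in local time or converted to UTC as the utc_timestamps variable directs. The reference time NOW and the zone LOCAL_TZ are constructed values; a real run would use the clock and /etc/localtime.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference values so the year-boundary case is reproducible.
NOW = datetime(2024, 1, 3, 8, 0, 0)            # "now" just after New Year
LOCAL_TZ = timezone(timedelta(hours=-5))       # stands in for /etc/localtime

def assign_year(stamp, now=NOW):
    """Complete a 'Mon DD HH:MM:SS' log stamp (no year, no zone) to a datetime.
    The current year is inserted unless that puts the entry in the future,
    in which case the previous year is assumed."""
    month, day, clock = stamp.split()
    entry = datetime.strptime(f"{month} {day} {clock} {now.year}",
                              "%b %d %H:%M:%S %Y")
    if entry > now:
        # A Feb 29 stamp would raise here if the previous year is not a
        # leap year; the text does not say how the script handles that.
        entry = entry.replace(year=now.year - 1)
    return entry

def report_time(entry, local_tz=LOCAL_TZ, utc_timestamps="NO"):
    """Attach the local zone and, when utc_timestamps is "YES", convert the
    entry to UTC for the report; otherwise local time is preserved."""
    aware = entry.replace(tzinfo=local_tz)
    if utc_timestamps == "YES":
        aware = aware.astimezone(timezone.utc)
    return aware

if __name__ == "__main__":
    for stamp in ("Dec 30 23:59:01", "Jan 02 10:00:00"):
        print(stamp, "->", report_time(assign_year(stamp), utc_timestamps="YES"))
```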

4. Contact

For bug reports, suggestions, comments, and stuff like that send mail to Frank W. Josellis <frank at dynamical-systems.org>