
Logging NAT



Hi,

A new Danish law requires extensive logging for the fight against
terrorism; even small ISPs with 100 users have to log. Of course
the law is flawed because public libraries, government institutions,
schools, universities and many others are excluded, but
that's another story.

(Currently) This has to be logged:

- Time of initiation of connection
- Time of closure of connection
- Identity of source
- Identity of destination
- Change of identity

There are two problems. One is that the connection may not be closed
properly. This requires me to log all packets and, when the
connection expires, extract the first and last. Does anyone have a
better solution to that? Some combination with an IDS might be
favourable.

Second: change of identity. This happens with NAT when the source or
destination IP/port is rewritten. Is it possible to add a log
statement to pf nat rules, such that a log entry is written each
time an entry in the NAT table is added (and optionally removed)?

OK, I am not in a hurry: while the law has been passed, the
logging guidelines are still being debated (yes, we first pass
the law, then we write it). And the logging must be effective
from mid-2005.

Best regards, Erik

GnuPG Key: http://www.locolomo.org/home/norgaard/norgaard.gpg.asc
pub  1024D/B02CC311 2004-04-05 Erik Norgaard <norgaard_(_at_)_locolomo_(_dot_)_org>
     Key fingerprint = 6C11 B9B1 52BD F16D 34AD  9893 D3EC E6DB B02C C311
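A worked example of the first approach raised in the post (log every packet, then derive the open and close times when the flow expires), together with the "change of identity" record for the NAT mapping. This is an added example, not code from the post and not pf or pflog functionality: it reads a constructed per-packet log format defined in the script itself (not pflog or tcpdump output), the sample lines are made up, and the 60-second idle timeout is an assumed value.

```python
# Added example: flow-expiry aggregation over per-packet log lines.
# Not code from the original post. The log format below is constructed
# for illustration and is NOT pflog/tcpdump output.
import re

# Seconds a flow may sit idle before it is declared closed (assumed value).
IDLE_TIMEOUT = 60.0

# Constructed per-packet format, one packet per line:
#   <epoch-seconds> <proto> <src>:<sport> > <dst>:<dport> [nat <tsrc>:<tport>] [fin|rst]
# "nat" records the translated source the packet left with (the change of
# identity); "fin"/"rst" mark TCP teardown flags seen on the packet.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: nat (?P<tsrc>[\d.]+):(?P<tport>\d+))?"
    r"(?: (?P<flag>fin|rst))?$"
)


def parse_line(line):
    """Parse one constructed log line into (ts, proto, src, dst, nat, flag)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    d = m.groupdict()
    src = (d["src"], int(d["sport"]))
    dst = (d["dst"], int(d["dport"]))
    nat = (d["tsrc"], int(d["tport"])) if d["tsrc"] else None
    return float(d["ts"]), d["proto"], src, dst, nat, d["flag"]


def flow_key(proto, src, dst):
    """Direction-independent key so that replies join the same flow."""
    a, b = sorted([src, dst])
    return (proto, a, b)


def aggregate(lines, idle_timeout=IDLE_TIMEOUT):
    """Turn per-packet lines into open / translate / close events.

    Flows that never show an orderly close are closed by idle timeout,
    which is what answers the "connection may not be closed properly" case.
    """
    flows = {}   # key -> {"first", "last", "packets", "fins", "nat"}
    events = []

    def close(key, reason):
        f = flows.pop(key)
        events.append({"event": "close", "flow": key, "first": f["first"],
                       "last": f["last"], "packets": f["packets"],
                       "reason": reason})

    for line in lines:
        if not line.strip():
            continue
        ts, proto, src, dst, nat, flag = parse_line(line)
        # Expire every flow that has been idle longer than the timeout
        # before handling the current packet; the timestamps are in order.
        for key in [k for k, f in flows.items() if ts - f["last"] > idle_timeout]:
            close(key, "idle-timeout")
        key = flow_key(proto, src, dst)
        if key not in flows:
            flows[key] = {"first": ts, "last": ts, "packets": 0,
                          "fins": set(), "nat": None}
            events.append({"event": "open", "flow": key, "at": ts})
        f = flows[key]
        if nat is not None and nat != f["nat"]:
            # New or changed translation: the "change of identity" record.
            events.append({"event": "translate", "flow": key, "at": ts,
                           "from": src, "to": nat})
            f["nat"] = nat
        f["last"] = ts
        f["packets"] += 1
        if flag == "rst":
            close(key, "rst")
        elif flag == "fin":
            f["fins"].add(src)
            if len(f["fins"]) == 2:      # FIN seen from both ends: orderly close
                close(key, "fin")
    # Whatever is still open at end of input has not ended; report it as such
    # rather than inventing a close time.
    for key, f in flows.items():
        events.append({"event": "still-open", "flow": key, "first": f["first"],
                       "last": f["last"], "packets": f["packets"]})
    return events


# Constructed sample input: one orderly TCP close, one UDP exchange that is
# never closed and must be expired, and one flow still open at the end.
SAMPLE_LOG = """\
1104537600.000 tcp 192.0.2.10:40001 > 198.51.100.5:80 nat 203.0.113.1:50001
1104537600.050 tcp 198.51.100.5:80 > 192.0.2.10:40001
1104537601.200 tcp 192.0.2.10:40001 > 198.51.100.5:80 fin
1104537601.250 tcp 198.51.100.5:80 > 192.0.2.10:40001 fin
1104537602.000 udp 192.0.2.11:5353 > 198.51.100.9:53 nat 203.0.113.1:50002
1104537602.010 udp 198.51.100.9:53 > 192.0.2.11:5353
1104537700.000 tcp 192.0.2.12:40002 > 198.51.100.7:22 nat 203.0.113.1:50003
"""


def demo():
    return aggregate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

In practice the per-packet lines would be produced from the pflog file and converted to this shape first. The idle timeout should be no shorter than the state timeouts pf itself applies to that protocol (the `set timeout` options in pf.conf), otherwise the aggregator would log a close for a connection the firewall still tracks.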


