
Re: Logging NAT



...on Thu, May 20, 2004 at 12:01:47PM +0200, Erik Norgaard wrote:

 > New Danish law requires extensive logging for the fight against
 > terrorism, even small ISPs with 100 users have to log. Of course

Are you sure you don't want to move somewhere else?
Hoarding connection data without any suspicion of 
unlawful activity is quite disproportionate, even in 
times of terrorism frenzy amongst lawmakers.

 > There are two problems: one that the connection may not be closed
 > properly. This requires me to log all packets and when the
 > connection expires extract the first and last. Does anyone have a
 > better solution to that? Some combination with an IDS might be
 > favourable.

You might want to have a look at Argus, 
http://www.qosient.com/argus/

Being flow-based, Argus will give you the connection 
data (or a close approximation) for free, and there 
are multiple other uses for Argus audit data....

 > Second: Change of identity. This happens with NAT when source or
 > destination ip/port is rewritten. Is it possible to add a log
 > statement to pf nat-rules, such that a log entry is written each
 > time an entry in the nat-table is added (and optionally removed)?

You will have to capture the flow data before NAT 
happens when using a solution external to the kernel.

Alex.
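The two problems raised in the quoted mail (connections that never close cleanly, and the change of identity introduced by NAT) can be handled together in a small flow aggregator. The script below is an added example written for this archive page; it is not code from the thread, from pf, or from Argus. It assumes packet records captured on the inside interface, i.e. before translation, as Alex recommends, plus a separate list of NAT table entries with their creation and removal times; the 60-second idle timeout, the record layout, and all addresses and ports are constructed for the example.

```python
"""Flow aggregation with idle expiry, joined against a NAT state table (constructed data)."""
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 60.0  # seconds without packets before a flow is treated as closed (assumed value)


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    first: float   # timestamp of the first packet seen
    last: float    # timestamp of the most recent packet seen
    packets: int = 1


@dataclass
class NatMapping:
    """One NAT table entry: inside endpoint <-> translated endpoint, with its lifetime."""
    inside_ip: str
    inside_port: int
    public_ip: str
    public_port: int
    created: float
    removed: Optional[float] = None  # None means the entry is still active


def _key(proto, a, ap, b, bp):
    # Direction-independent key so replies join the flow the initiator opened.
    return (proto,) + tuple(sorted([(a, ap), (b, bp)]))


class FlowTracker:
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.active = {}
        self.closed = []

    def observe(self, ts, proto, src, sport, dst, dport):
        self.expire(ts)
        key = _key(proto, src, sport, dst, dport)
        flow = self.active.get(key)
        if flow is None:
            # The first packet defines the initiator; src/dst are stored as seen.
            self.active[key] = Flow(proto, src, sport, dst, dport, ts, ts)
        else:
            flow.last = max(flow.last, ts)
            flow.packets += 1

    def expire(self, now):
        # A flow with no packets for idle_timeout is closed, whether or not a FIN/RST was ever seen.
        for key, flow in list(self.active.items()):
            if now - flow.last > self.idle_timeout:
                self.closed.append(self.active.pop(key))

    def flush(self):
        self.closed.extend(self.active.values())
        self.active.clear()
        return self.closed


def translated_source(flow, mappings):
    """Return (public_ip, public_port) that flow.src:sport was translated to for the flow's whole lifetime."""
    for m in mappings:
        if (m.inside_ip, m.inside_port) == (flow.src, flow.sport):
            end = m.removed if m.removed is not None else float("inf")
            if m.created <= flow.first and flow.last <= end:
                return (m.public_ip, m.public_port)
    return None


def audit_records(packets, mappings, idle_timeout=IDLE_TIMEOUT):
    """One record per flow: first/last packet time, inside endpoint, translated endpoint, destination."""
    tracker = FlowTracker(idle_timeout)
    for p in sorted(packets, key=lambda p: p[0]):
        tracker.observe(*p)
    records = []
    for f in tracker.flush():
        pub = translated_source(f, mappings)
        records.append({
            "first": f.first, "last": f.last, "packets": f.packets, "proto": f.proto,
            "inside": f"{f.src}:{f.sport}",
            "translated": f"{pub[0]}:{pub[1]}" if pub else None,
            "dst": f"{f.dst}:{f.dport}",
        })
    return records


# Constructed sample data (not captured from any real network).
PACKETS = [
    (0.0, "tcp", "10.0.0.5", 40000, "198.51.100.10", 80),
    (0.1, "tcp", "198.51.100.10", 80, "10.0.0.5", 40000),   # reply joins the same flow
    (1.0, "tcp", "10.0.0.5", 40000, "198.51.100.10", 80),
    (2.0, "tcp", "10.0.0.5", 40000, "198.51.100.10", 80),   # no FIN ever seen: closed by idle timeout
    (200.0, "tcp", "10.0.0.7", 40001, "198.51.100.20", 443),
]
MAPPINGS = [
    NatMapping("10.0.0.5", 40000, "203.0.113.1", 60001, created=0.0, removed=90.0),
    NatMapping("10.0.0.7", 40001, "203.0.113.1", 60002, created=200.0),
]

if __name__ == "__main__":
    for r in audit_records(PACKETS, MAPPINGS):
        print(r)
```

The join in `translated_source` only accepts a mapping that covers the whole flow; a flow whose timestamps fall outside every entry's lifetime gets no translated endpoint rather than a guessed one, which is the behaviour you want when the NAT table log and the packet capture drift apart.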


