Re: Logging NAT
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Logging NAT
- From: Alexander Bochmann <ab_(_at_)_lists_(_dot_)_gxis_(_dot_)_de>
- Date: Thu, 20 May 2004 17:53:28 +0200
...on Thu, May 20, 2004 at 12:01:47PM +0200, Erik Norgaard wrote:
> New danish law requires extensive logging for the fight against
> terrorism, even small isp's with 100 users have to log. Of course
Are you sure you don't want to move somewhere else?
Hoarding connection data without any suspicion of
unlawful activity is quite disproportionate, even in
times of terrorism frenzy amongst lawmakers.
> There are two problems: one that the connection may not be closed
> properly. This requires me to log all packets and when the connection
> expires extract the first and last. Does anyone have a
> better solution to that? Some combination with an IDS might be
You might want to have a look at Argus.
Being flow-based, Argus will give you the connection
data (or a close approximation) for free, and there
are multiple other uses for Argus audit data....
> Second: Change of identity. This happens with nat when source or
> destination ip/port is rewritten. Is it possible to add a log
> statement to pf nat-rules, such that a log entry is written each
> time an entry in the nat-table is added (and optionally removed)?
You will have to capture the flow data before NAT
happens when using a solution external to the kernel.
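The flow-based approach the reply points at, as an added illustration that is not Argus code, pf code, or anything from the original thread: a packet log is collapsed into one record per connection that keeps the first and last packet time, so the "connection never closed properly" case is handled by an idle timeout rather than by keeping every packet. The packet records, the 60-second idle value and the address pairs are all constructed for the example. Because the records are keyed on the addresses as seen, the capture would have to be taken on the inside interface, before NAT rewrites them, as the reply says.

```python
"""Flow aggregation over a packet log, in the style of a flow-based tool.
Added illustration only: not Argus or pf code. All packet data is constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto src sport dst dport length flags")

# Idle seconds after which a flow without a proper close is reported as done.
# Assumed value for this example, not a default of any real tool.
IDLE_TIMEOUT = 60.0


def flow_key(pkt):
    """Direction-independent key so both halves of a connection share one flow."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


def aggregate(packets, idle_timeout=IDLE_TIMEOUT):
    """Collapse timestamp-ordered packets into one record per connection.

    closed_by is 'fin' (FIN in both directions, trailing ACK absorbed), 'rst',
    'timeout' (no proper close, idle longer than idle_timeout) or 'eof'
    (still open when the log ended)."""
    active, finished = {}, []

    def expire(key, reason):
        rec = active.pop(key)
        rec["closed_by"] = reason
        del rec["fins"], rec["closing"]
        finished.append(rec)

    for pkt in packets:
        # Expire idle flows first: a never-closed connection still gets a
        # record carrying its real first/last packet times.
        for key, rec in list(active.items()):
            if pkt.ts - rec["last"] > idle_timeout:
                expire(key, "fin" if rec["closing"] else "timeout")
        key = flow_key(pkt)
        rec = active.get(key)
        if rec is None:
            rec = active[key] = {
                # The initiator is whoever sent the first packet we saw.
                "proto": pkt.proto, "src": pkt.src, "sport": pkt.sport,
                "dst": pkt.dst, "dport": pkt.dport,
                "first": pkt.ts, "last": pkt.ts, "packets": 0, "bytes": 0,
                "fins": set(), "closing": False,
            }
        rec["last"] = pkt.ts
        rec["packets"] += 1
        rec["bytes"] += pkt.length
        if pkt.proto != "tcp":
            continue
        if "R" in pkt.flags:
            expire(key, "rst")
        elif "F" in pkt.flags:
            rec["fins"].add((pkt.src, pkt.sport))
            rec["closing"] = len(rec["fins"]) == 2
        elif rec["closing"]:
            # ACK answering the second FIN: the connection is fully closed.
            expire(key, "fin")
    for key in list(active):
        expire(key, "fin" if active[key]["closing"] else "eof")
    return finished


def to_log_line(rec):
    """One retention-log line per connection."""
    return "%.3f %.3f %s %s:%s -> %s:%s pkts=%d bytes=%d end=%s" % (
        rec["first"], rec["last"], rec["proto"], rec["src"], rec["sport"],
        rec["dst"], rec["dport"], rec["packets"], rec["bytes"], rec["closed_by"])


def sample_flows():
    """Constructed log: a cleanly closed HTTP connection, a DNS exchange, a TLS
    connection that is never closed, and a late DNS query that triggers idle
    expiry of the two earlier flows."""
    c, web, dns, tls = "10.0.0.5", "93.184.216.34", "10.0.0.1", "198.51.100.9"
    pkts = [
        Packet(0.00, "tcp", c, 40001, web, 80, 60, "S"),
        Packet(0.05, "udp", c, 53001, dns, 53, 70, ""),
        Packet(0.06, "udp", dns, 53, c, 53001, 150, ""),
        Packet(0.10, "tcp", web, 80, c, 40001, 60, "SA"),
        Packet(0.20, "tcp", c, 40001, web, 80, 52, "A"),
        Packet(0.30, "tcp", c, 40001, web, 80, 400, "PA"),
        Packet(0.50, "tcp", web, 80, c, 40001, 1200, "PA"),
        Packet(0.60, "tcp", c, 40001, web, 80, 52, "FA"),
        Packet(0.70, "tcp", web, 80, c, 40001, 52, "FA"),
        Packet(0.80, "tcp", c, 40001, web, 80, 52, "A"),
        Packet(1.00, "tcp", "10.0.0.7", 40002, tls, 443, 60, "S"),
        Packet(1.10, "tcp", tls, 443, "10.0.0.7", 40002, 60, "SA"),
        Packet(1.20, "tcp", "10.0.0.7", 40002, tls, 443, 52, "A"),
        Packet(1.30, "tcp", "10.0.0.7", 40002, tls, 443, 300, "PA"),
        Packet(120.0, "udp", "10.0.0.7", 53002, dns, 53, 70, ""),
    ]
    return aggregate(pkts)


if __name__ == "__main__":
    for rec in sample_flows():
        print(to_log_line(rec))
```

The TLS connection above never sends a FIN; it is still written out, with its true first and last packet times, once the log moves more than the idle timeout past it. A real deployment would read packets from a capture on the inside interface and flush finished records to disk as they expire rather than collecting them in memory.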