* firewall logging
@ 2003-06-06 8:08 Ľuboš Šoltés
From: Ľuboš Šoltés @ 2003-06-06 8:08 UTC (permalink / raw)
To: linux-admin
Hi there
I do have a question, or rather a problem.
I need to get logs from a firewall (iptables) for every
PC in the LAN. Something like 'source IP time/date destination
IP/port packet size' Is something like this possible with
iptables? I had a proxy running, but it was too slow, and
I need to log EVERYTHING, not just www/ftp.
thx for help
Lubos Soltes
* Re: firewall logging
From: Jamie Harris @ 2003-06-06 8:35 UTC (permalink / raw)
To: Ľuboš Šoltés; +Cc: linux-admin
You might want to look into Ulog, take a surf to http://www.gnumonks.org .
But yeah - it is possible although have you considered exactly how much
data you're going to end up storing? I hope you have plenty of disk space!
Jamie...
> Hi there
>
> I do have a question, or rather a problem.
>
> I need to get logs from a firewall (iptables) for every
> PC in the LAN. Something like 'source IP time/date destination
> IP/port packet size' Is something like this possible with
> iptables? I had a proxy running, but it was too slow, and
> I need to log EVERYTHING, not just www/ftp.
>
> thx for help
>
> Lubos Soltes
--
** This message was transmitted on 100% recycled electrons **
* Re: firewall logging
From: Ľuboš Šoltés @ 2003-06-06 8:45 UTC (permalink / raw)
To: Jamie Harris; +Cc: linux-admin
thx for the tip ... no need for much space ... it will
be flushed in regular intervals and compressed :-)
packets in the same stream need to be logged just as
one stream ...
bye
Lubos Soltes
On Fri, 6 Jun 2003 09:35:41 +0100 (BST)
"Jamie Harris" <jamie@jharris.homeip.net> wrote:
> You might want to look into Ulog, take a surf to http://www.gnumonks.org .
> But yeah - it is possible although have you considered exactly how much
> data you're going to end up storing? I hope you have plenty of disk space!
>
> Jamie...
>
> > Hi there
> >
> > I do have a question, or rather a problem.
> >
> > I need to get logs from a firewall (iptables) for every
> > PC in the LAN. Something like 'source IP time/date destination
> > IP/port packet size' Is something like this possible with
> > iptables? I had a proxy running, but it was too slow, and
> > I need to log EVERYTHING, not just www/ftp.
> >
> > thx for help
> >
> > Lubos Soltes
* Re: firewall logging
From: Stephen Satchell @ 2003-06-07 4:18 UTC (permalink / raw)
To: soltes, linux-admin
At 10:08 AM 6/6/2003 +0200, Ľuboš Šoltés wrote:
> Hi there
>
> I do have a question, or rather a problem.
>
> I need to get logs from a firewall (iptables) for every
> PC in the LAN. Something like 'source IP time/date destination
> IP/port packet size' Is something like this possible with
> iptables? I had a proxy running, but it was too slow, and
> I need to log EVERYTHING, not just www/ftp.
I was in a similar situation not too long ago, and was looking at how to do
just what you are talking about. In refining the definition of the
problem, the issue was to find out where each PC on an Intranet was
going. So, running IPTABLES on my firewall computer, I defined a rule that
logged every outbound TCP SYN event, and then parsed /var/log/messages to
build a table of IP addresses. By concentrating on only the first packet
of the TCP establishment chain, I was able to keep the volume of log
entries down. Later, I added the refinement of also capturing RST events,
which allowed me to track attempts at hitting closed machines.
The direct benefit of the effort was locating computers running "phone
home" software. After all, when you have a slew of connections to the same
computer at port 80 at 3 in the morning, something is afoot!
--
"People who seem to have had a new idea have often just stopped having an
old idea." -- Dr. Edwin H. Land
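As an added illustration (not code from anyone in this thread) of both the fields Lubos asked for and the SYN-only approach Stephen describes: the script below parses iptables LOG lines out of a /var/log/messages-style file, builds a per-host table of new outbound connections, and flags repeated off-hours connections to one destination. The sample log lines, the host name "fw", the addresses and the "OUT-SYN: " prefix are all constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample /var/log/messages lines in the format the iptables LOG target writes for
# a rule like: iptables -A FORWARD -o eth0 -p tcp --syn -j LOG --log-prefix "OUT-SYN: "
# Host name "fw" and all addresses are made up; the last line is unrelated daemon noise.
SAMPLE_LOG = """\
Jun  6 03:01:12 fw kernel: OUT-SYN: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  6 03:01:42 fw kernel: OUT-SYN: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  6 03:02:15 fw kernel: OUT-SYN: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  6 09:15:03 fw kernel: OUT-SYN: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  6 09:15:04 fw kernel: OUT-SYN: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=5840 RES=0x00 ACK URGP=0
Jun  6 09:16:00 fw kernel: sshd[123]: Accepted publickey for admin
"""

# Fields of one iptables TCP log line: timestamp, addresses, packet size, dest port, flags.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) "
    r".*?RES=\S+ (?P<flags>.*?)URGP=")

def parse_log(text):
    """Return one dict per TCP firewall log line: source IP, time, destination IP/port, size."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines from other daemons do not match and are skipped
            recs.append({"time": f"{m['mon']} {m['day']} {m['hh']}:{m['mm']}:{m['ss']}",
                         "hour": int(m["hh"]), "src": m["src"], "dst": m["dst"],
                         "dport": int(m["dpt"]), "size": int(m["len"]),
                         "flags": set(m["flags"].split())})
    return recs

def syn_table(records):
    """Count new outbound connections per (src, dst, port) from the first SYN only, as Stephen did."""
    table = defaultdict(int)
    for r in records:
        if "SYN" in r["flags"] and "ACK" not in r["flags"]:  # ignore SYN/ACK and later packets
            table[(r["src"], r["dst"], r["dport"])] += 1
    return dict(table)

def off_hours_repeaters(records, start=0, end=5, min_count=3):
    """Hosts with several connections to one destination between start and end o'clock (the 3 a.m. pattern)."""
    night = [r for r in records if start <= r["hour"] < end]
    return {k: n for k, n in syn_table(night).items() if n >= min_count}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst, port), n in sorted(syn_table(recs).items()):
        print(f"{src:>15} -> {dst}:{port}  new connections: {n}")
    print("off-hours repeaters:", off_hours_repeaters(recs))
```

Pointed at a real /var/log/messages, the SYN-only table stays small because each TCP stream contributes one row rather than one row per packet, which is the volume trade-off both replies raise.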