[unisog] sample NAT logs and analysis tools (OBSD- fp)

Russell Fulton r.fulton at auckland.ac.nz
Thu Apr 28 01:21:09 GMT 2005


Hi Harry,

On Wed, 2005-04-27 at 20:41 -0400, Harry Hoffman wrote:
> Hi Russell,
> 
> On our firewall/proxies we run snort, arpwatch, squid, squidguard on the 
> internal side of things and also log everything we don't allow. Argus 
> would seem like a good choice as well.

If you are running NAT how do you deal with the "we saw a portscan from
IP x (where x is the external address of the firewall)" if it was not
picked up by snort?
> 
> Are you running NAT b/c of address space limitations? If not have you 
> considered just running pf/carp in bridging mode so that you can use 
> externally routable space and have failover?
> 
The residences are running NAT and using 10/8 address space.  We could,
perhaps shoehorn them into existing address space in 130.216/16 but we
are starting to feel a bit cramped.  Not in terms of total number of IPs
but in having enough spare space to do big reorganisations.

Russell