[unisog] sample NAT logs and analysis tools (OBSD- fp)

Eric Pancer epancer at security.depaul.edu
Thu Apr 28 05:04:16 GMT 2005


Russell Fulton wrote on Thu, 2005-04-28 at 13:21:09 +1200...

> If you are running NAT how do you deal with the "we saw a portscan from
> IP x (where x is the external address of the firewall)" if it was not
> picked up by snort?


Hey Russell,

The pf(4) logs are in standard pcap(3) format; there's no separate
type of logfile for NAT traffic. So you'll need to keep track of
what user is assigned to what IP address (probably with some sort of
table of MAC addresses stored hourly) and go from there.

I'm interested to hear how many users you'll have behind pf(4) and
what kind of performance you'll be getting, so we'll chat off-list :)

> The residences are running NAT and using 10/8 address space.  We could,
> perhaps shoehorn them into existing address space in 130.216/16 but we
> are starting to feel a bit cramped.  Not in terms of total number of IPs
> but in having enough spare space to do big reorganisations.

Just make sure you understand pooling outbound addresses with pf; it
works great and I haven't seen it fall over on more than 50k
simultaneous connections at a local ISP.

-- 
Eric Pancer :.: Computer Security Response Team :.: DePaul University
http://security.depaul.edu/ .:`:.:':.:`:. epancer at security.depaul.edu
pgp: 1024D/7ACBCFF3 C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3
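To make the suggestion in the reply above concrete (keep an hourly MAC/IP table, then join it with NAT state records to work out which inside host was behind an externally reported scan from the firewall's address), here is an added Python example. It is not code from the post or from pf; the record formats, addresses, MACs and usernames are all constructed for illustration.

```python
"""Attribute a scan reported against the NAT address back to an inside host.
Added example, not from the original post; every input below is constructed
and the record layouts are assumptions, not pf's own log formats."""
from datetime import datetime, timedelta

# Constructed hourly snapshots of (hour, MAC, inside IP, user), as the post suggests.
HOURLY_TABLE = [
    ("2005-04-28 13:00", "00:11:22:33:44:55", "10.0.3.7", "student42"),
    ("2005-04-28 13:00", "00:11:22:33:44:66", "10.0.3.8", "student17"),
    ("2005-04-28 14:00", "00:11:22:33:44:66", "10.0.3.7", "student17"),  # lease moved
]

# Constructed NAT state records: (time, inside IP, translated source, destination).
STATE_LOG = [
    ("2005-04-28 13:20:58", "10.0.3.7", "203.0.113.1:50001", "198.51.100.9:22"),
    ("2005-04-28 13:21:02", "10.0.3.7", "203.0.113.1:50002", "198.51.100.9:23"),
    ("2005-04-28 13:21:05", "10.0.3.7", "203.0.113.1:50003", "198.51.100.9:80"),
    ("2005-04-28 13:21:07", "10.0.3.8", "203.0.113.1:50004", "198.51.100.44:443"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def inside_hosts_for(victim, when, window=timedelta(minutes=5)):
    """Inside IPs that had NAT states toward `victim` within +/-window of
    `when`, with the number of distinct destination ports each one touched
    (many ports in a short window is what a scan report describes)."""
    t = parse(when)
    hits = {}
    for ts, inside, _translated, dst in STATE_LOG:
        dst_ip, dst_port = dst.rsplit(":", 1)
        if dst_ip == victim and abs(parse(ts) - t) <= window:
            hits.setdefault(inside, set()).add(dst_port)
    return {ip: len(ports) for ip, ports in hits.items()}


def owner_of(inside_ip, when):
    """Return (MAC, user) from the hourly table snapshot that covers `when`."""
    hour = parse(when).strftime("%Y-%m-%d %H:00")
    for h, mac, ip, user in HOURLY_TABLE:
        if h == hour and ip == inside_ip:
            return mac, user
    return None


def attribute(victim, when):
    """Map each candidate inside IP to (port count, (MAC, user)) for the report."""
    return {ip: (n, owner_of(ip, when)) for ip, n in inside_hosts_for(victim, when).items()}
```

The join is done by hour because the table is only a snapshot; the third HOURLY_TABLE row shows why a later lease of the same inside IP must not be blamed for an earlier report.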
