[unisog] sample NAT logs and analysis tools (OBSD- fp)

Chris Green cmgreen at uab.edu
Thu Apr 28 14:10:54 GMT 2005

On 4/27/05 7:15 PM, "Russell Fulton" <r.fulton at auckland.ac.nz> wrote:
> On a more general note, how do people deal with the problem of tracing
> traffic through NATed gateways?  Are there any tools available?

There doesn't seem to be a lot.  Over the summer, I looked at modifying
http://www.mindrot.org/pfflowd.html to work with the pfsync interface so
that rules created à la authpf would log the user id out on every connection.
The problem I ran into was that the rule name wasn't accessible from the
pfsync record for the output interface (after it was NAT'd).
This might have been modified in OpenBSD since.

In netfilter (Linux) there's a conntrack module.  I'm not sure if it's
currently working but it's something you may wish to check out.

> One of the things that I am considering is to not bother with the NAT
> logs at all but instead run Argus <www.qosient.com> on the inside
> interface of the firewall.

That would be good enough for most cases.  You might also have luck with
pfflowd logging to a netflow collector.

Please post what your eventual solution will be :)

