Hi, all

I tried to analyze logs from netfilter to get a picture of my network's activity. I studied and looked around for days and found it's not easy. Here is what I found:

1. Most firewalls use stateful inspection, and a log entry is generated after the connection is terminated. Bytes transferred are included in the log. It's easy for reporting. It seems that netfilter logging is based on the packet header. If I want connection information, I have to trace the log from the 3-way TCP handshake until the FIN ACK is received. Is this true? If so, it's not friendly to a reporting system.

2. The log file will be very huge and hard to process. My network generated a > 300M log file in 1 day, and the log is mixed with system entries. Can I send the netfilter log to local0~local7? If yes, how can I do that?

3. I can tell whether the log comes from an accept rule or a drop rule. Is there a column for this? I can't find more detailed information.

Thanks,
Vincent Chen
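The tracing described in item 1 of the message above, shown as an added example that is not part of the original post: a Python sketch that folds per-packet netfilter LOG lines into TCP connections, from the first SYN until both sides have sent FIN (or an RST is seen). The sample lines, addresses and the function name `summarize` are constructed for illustration.

```python
import re

# Constructed sample (not from the post): kernel LOG-target lines mixed with a system entry.
SAMPLE = """\
Jan 10 10:00:01 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 10:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=198.51.100.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=40000 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Jan 10 10:00:01 fw sshd[812]: Accepted publickey for admin from 192.0.2.77 port 51000 ssh2
Jan 10 10:00:02 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=452 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Jan 10 10:00:02 fw kernel: IN=eth1 OUT=eth0 SRC=198.51.100.5 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=80 DPT=40000 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Jan 10 10:00:03 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 ACK FIN URGP=0
Jan 10 10:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=198.51.100.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=10 DF PROTO=TCP SPT=80 DPT=40000 WINDOW=5792 RES=0x00 ACK FIN URGP=0
Jan 10 10:00:04 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.20 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"(\w+)=(\S*)")
FLAGS = {"SYN", "ACK", "FIN", "RST"}

def summarize(lines):
    """Open a connection on a bare SYN; close it on RST or once each side has sent FIN."""
    live, closed = {}, []
    for line in lines:
        f = dict(KV.findall(line))
        if f.get("PROTO") != "TCP" or "SPT" not in f:
            continue                        # system entries, non-TCP, port-less fragments
        flags = FLAGS & set(line.split())
        a, b = (f["SRC"], int(f["SPT"])), (f["DST"], int(f["DPT"]))
        key = (a, b) if a <= b else (b, a)  # same key for both directions
        c = live.get(key)
        if c is None:
            if flags != {"SYN"}:
                continue                    # packet whose handshake was never logged
            c = live[key] = {"client": a, "server": b, "packets": 0, "bytes": 0, "fin_from": set()}
        c["packets"] += 1
        c["bytes"] += int(f["LEN"])         # LEN is the IP total length, headers included
        if "FIN" in flags:
            c["fin_from"].add(f["SRC"])
        if "RST" in flags or len(c["fin_from"]) == 2:
            closed.append(live.pop(key))
    return closed, list(live.values())

if __name__ == "__main__":
    done, pending = summarize(SAMPLE.splitlines())
    for c in done:
        print("closed", c["client"], "->", c["server"], c["packets"], "pkts", c["bytes"], "bytes")
    for c in pending:
        print("no teardown seen", c["client"], "->", c["server"])
```

Connections left in the second list had a SYN logged but no teardown, which is what a dropped or still-open connection looks like when only packet headers are logged.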