As long as the firewall machine that runs iptables is the gateway from
the LAN to the internet and vice versa, this is already happening:
iptables sees all the traffic in both directions, and can act on it
as well, layer 4 and above. Nothing to add, no patch required. But,
to have details in the logs of what is passing requires that you build
and configure your rules properly, with log statements in your case
being well defined and covering a number of common protocol ports.
One issue you will face is that most of the traffic you are trying to
monitor is not well defined nor restricted to any common ports, which
is why you have faced issues in preventing the traffic, even with a
layer 7 module.
Plan on having at least one person devoted to nothing but monitoring
traffic and logs for some time to get a handle on what your users are
abusing.
Of course, common theory is that this kind of abuse is best handled at
the HR level; a firewall is not the best place to handle this kind of
policy issue.
Thanks,
Ron DuFresne
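As an added illustration of the "log statements" Ron refers to (this is example code, not from the thread or from any project the posters mention): a POSIX shell script that prints a reviewable set of iptables LOG rules for a Linux gateway, then summarises the kernel log lines those rules produce. The interface names (eth0/eth1), the LOGFWD chain name, the FWD_NEW prefix and the rate limits are assumptions, and the log lines are constructed samples in the format the LOG target writes.

```shell
#!/bin/sh
# Added example: iptables LOG rules for a Linux gateway plus a small
# summariser for the resulting kernel log lines. Not from the original thread.

# Emit the rule commands as text so they can be reviewed before applying.
# Interface names, chain name and limits are assumptions for this example.
# Only NEW connections are logged, and rate-limited, so the log stays readable.
log_rules() {
  lan_if="${1:-eth1}"
  wan_if="${2:-eth0}"
  printf '%s\n' \
    "iptables -N LOGFWD" \
    "iptables -A LOGFWD -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix \"FWD_NEW: \" --log-level info" \
    "iptables -A LOGFWD -j RETURN" \
    "iptables -A FORWARD -i $lan_if -o $wan_if -m conntrack --ctstate NEW -j LOGFWD" \
    "iptables -A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate NEW -j LOGFWD"
}

# Constructed sample kernel log lines (documentation addresses), in the
# one-line key=value format the LOG target writes to the kernel log.
SAMPLE_LOG='Jan 10 09:14:01 gw kernel: FWD_NEW: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 09:14:03 gw kernel: FWD_NEW: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=51235 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 09:14:05 gw kernel: FWD_NEW: IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1236 DF PROTO=TCP SPT=40001 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 09:14:07 gw kernel: FWD_NEW: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=1237 PROTO=UDP SPT=6881 DPT=6881 LEN=28
Jan 10 09:14:09 gw kernel: FWD_NEW: IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1238 DF PROTO=TCP SPT=51300 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "count PROTO DPT" for new connections,
# most frequent first. Unusual high ports rising to the top are the
# traffic that is "not restricted to any common ports".
top_ports() {
  awk '/FWD_NEW:/ {
         proto=""; dpt=""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^PROTO=/) proto = substr($i, 7)
           if ($i ~ /^DPT=/)   dpt = substr($i, 5)
         }
         if (proto != "" && dpt != "") c[proto " " dpt]++
       }
       END { for (k in c) print c[k], k }' | sort -rn -k1,1
}

# Read log lines on stdin; print the internal hosts that opened
# connections to the destination port given as $1.
hosts_for_port() {
  awk -v port="$1" '/FWD_NEW:/ {
         src=""; dpt=""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^SRC=/) src = substr($i, 5)
           if ($i ~ /^DPT=/) dpt = substr($i, 5)
         }
         if (dpt == port) s[src] = 1
       }
       END { for (h in s) print h }' | sort
}

# Usage: review the rules, then summarise the sample log.
log_rules
printf '%s\n' "$SAMPLE_LOG" | top_ports
printf '%s\n' "$SAMPLE_LOG" | hosts_for_port 6881
```

The LOG rules must sit in FORWARD before any terminating ACCEPT or DROP rule, otherwise the packet never reaches them; on a live gateway the same summaries run against the real kernel log, for example `grep FWD_NEW: /var/log/kern.log | top_ports`.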
But since my firewalls are two redundant Cisco PIX 515E, I don't use any
Linux machine as a gateway; that's why I have the port mirroring in the
routing switch. And the goal is not to stop the "abusing" in the
firewall, only to detect and log it for later investigation when we feel
like we have the need.
But thanks for the answer. :)