Magnus Månsson wrote:
>
>> As long as the firewall machine that runs iptables is the gateway
>> from the LAN to the internet and vice versa, this is already
>> happening: iptables sees all the traffic in both directions, and can
>> act on it as well, layer 4 and above. Nothing to add, no patch
>> required. But to have details in the logs of what is passing
>> requires that you build and configure your rules properly, with log
>> statements in your case being well defined and covering a number of
>> common protocol ports. One issue you will face is that most of the
>> traffic you are trying to monitor is not well defined nor restricted
>> to any common ports, which is why you have faced issues in preventing
>> the traffic, even with a layer 7 module.
>>
>> Plan on having at least one person devoted to nothing but monitoring
>> traffic and logs for some time to get a handle on what your users are
>> abusing.
>>
>> Of course, common theory is that this kind of abuse is best handled at
>> the HR level; a firewall is not the best place to handle this kind of
>> policy issue.
>>
>> Thanks,
>>
>> Ron DuFresne
>
> But since my firewalls are two redundant Cisco Pix 515E, I don't use any
> Linux machine as a gateway; that's why I have the port mirroring in
> the routing switch. And the goal is not to stop the "abusing" in the
> firewall, only to detect and log it for later investigation when we
> feel like we have the need.
>
> But thanks for the answer. .)
>

Have you looked at tcpdump or snort? It can do the same thing: monitor and log in promiscuous mode...

Regards,
Victor
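As an added illustration of the monitoring approach the thread converges on (a sniffer on the mirror port, with the traffic of interest not confined to well-known ports), here is a small script that is not part of the original thread or of tcpdump/snort. It reads tcpdump's default text output (as produced by something like `tcpdump -nn -i <mirror-iface> -l`, piped in or saved to a file), aggregates outbound payload bytes per LAN host into "common" versus "uncommon" destination ports, and flags the hosts whose uncommon-port volume crosses a threshold. The LAN prefix, the common-port list, the threshold and the sample lines are all constructed assumptions for the example.

```python
import re
import sys
from collections import defaultdict

# Assumed "well-defined" service ports; anything else is treated as worth a second look.
# Adjust to the site's own policy.
COMMON_PORTS = {22, 25, 53, 80, 110, 143, 443, 993, 995}

# Matches the IPv4 flow lines of tcpdump's default text output, e.g.
#   12:00:01.000001 IP 192.168.1.10.51234 > 203.0.113.5.80: Flags [P.], ..., length 300
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
_LEN_RE = re.compile(r"length (\d+)")


def parse_tcpdump_line(line):
    """Return src/sport/dst/dport/proto/length for a flow line, or None for anything else (ARP etc.)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    lm = _LEN_RE.search(rest)
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": "UDP" if rest.startswith("UDP") else "TCP",
        "length": int(lm.group(1)) if lm else 0,
    }


def summarize(lines, lan_prefix="192.168.1."):
    """Aggregate outbound traffic per LAN host: payload bytes to common vs. uncommon ports, plus the uncommon ports seen."""
    summary = defaultdict(lambda: {"common_bytes": 0, "uncommon_bytes": 0, "uncommon_ports": set()})
    for line in lines:
        rec = parse_tcpdump_line(line)
        if rec is None or not rec["src"].startswith(lan_prefix):
            continue  # skip non-flow lines and inbound traffic (src is not on the LAN)
        host = summary[rec["src"]]
        if rec["dport"] in COMMON_PORTS:
            host["common_bytes"] += rec["length"]
        else:
            host["uncommon_bytes"] += rec["length"]
            host["uncommon_ports"].add(rec["dport"])
    return dict(summary)


def flag_hosts(summary, min_uncommon_bytes=1000):
    """LAN hosts whose payload bytes to uncommon ports reach the threshold, highest volume first."""
    hits = [(h, s["uncommon_bytes"]) for h, s in summary.items() if s["uncommon_bytes"] >= min_uncommon_bytes]
    return [h for h, _ in sorted(hits, key=lambda t: t[1], reverse=True)]


# Constructed sample capture in tcpdump's text format (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LINES = [
    "12:00:01.000001 IP 192.168.1.10.51234 > 203.0.113.5.80: Flags [P.], seq 1:301, ack 1, win 512, length 300",
    "12:00:01.000002 IP 203.0.113.5.80 > 192.168.1.10.51234: Flags [P.], seq 1:1201, ack 301, win 512, length 1200",
    "12:00:02.000001 IP 192.168.1.11.40000 > 198.51.100.7.6881: Flags [P.], seq 1:1401, ack 1, win 512, length 1400",
    "12:00:02.000002 IP 192.168.1.11.40001 > 198.51.100.8.6881: Flags [P.], seq 1:1401, ack 1, win 512, length 1400",
    "12:00:03.000001 IP 192.168.1.12.60001 > 198.51.100.9.4662: UDP, length 120",
    "12:00:04.000001 IP 192.168.1.10.51235 > 203.0.113.5.443: Flags [S], seq 0, win 64240, options [mss 1460], length 0",
    "12:00:05.000001 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28",
]


if __name__ == "__main__":
    # Read a real capture from stdin if one is piped in, otherwise use the constructed sample.
    lines = sys.stdin.readlines() if not sys.stdin.isatty() else SAMPLE_LINES
    summary = summarize(lines)
    for host in flag_hosts(summary):
        s = summary[host]
        print(f"{host}: {s['uncommon_bytes']} bytes to uncommon ports {sorted(s['uncommon_ports'])}")
```

The script only looks at what tcpdump prints, so it needs no packet-capture privileges itself; the privileged part is the sniffer on the mirror port. Counting payload bytes rather than packets means idle keep-alives do not trip the threshold while a sustained transfer on an arbitrary high port does, which is exactly the traffic the thread notes a port-based iptables LOG rule would miss.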