From nobody Wed Dec 28 14:52:54 2022
X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NjRd070s2z2l7P8
	for <freebsd-current@mlmmj.nyi.freebsd.org>; Thu, 29 Dec 2022 11:54:12 +0000 (UTC)
	(envelope-from otis@FreeBSD.org)
Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "smtp.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4NjRd06WJ0z3rg8
	for <freebsd-current@freebsd.org>; Thu, 29 Dec 2022 11:54:12 +0000 (UTC)
	(envelope-from otis@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1672314852;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=tkPliJLVgZQRzAEEoslXPwGHfq4omEyzufnDw9kouvs=;
	b=sj9oEMrzQDhQagbo7GjMsgx69lYx+7sx676YeYDMLJN4EbjZjk58WDXc9b5xwQSRT0QBvo
	MMNaf4y2PBIc1nOPaAjHuo3vus3Ra98nnmbrsrChY9x2j1Qy+JsEg2s7n9PmhokqjmvFnL
	mQpDl3A/UBJOORbF0od1SO2UD/C/Tcy2XP4yUKcRqYnggpHpVZy//WBXwOQqQU7bsjfCFP
	uzjEdXYGVW3PHFA97/qpHw7LOe+AGwXqbItVvwgV0CqOrj5oOMi6ToqKCD7Mt7KV+perO2
	dykXNutn+V6rjl98F8E3pOQ7ZXXQ20BXKaroZ/RzwGqTmkwkYCLlhmg/2JLpug==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1672314852;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=tkPliJLVgZQRzAEEoslXPwGHfq4omEyzufnDw9kouvs=;
	b=k/1B6fqMFADHWm1jx8M1NRjcgNX7tlvVRIgSwJERKvfVU98qOl2tWrHMNfW69HHDKULhD+
	0lRN0sT6KupRRKyrttkKtbKT6KhR1RzXUTNaCFO3gD91o1iTNY/2R53tQDfeaEH1t0ELHm
	2QsOCLp9r7NtV1pRtjFaI+P8SJOVKFbnKUW8DgdtLYGlmB/2c0UhW7vBdSimR7464mQkF+
	0NMJevzHCe8eP3vpLqQME5fwDzuf75HT/39I5ooozmSViklQxLa4CigvoGAH4yP4FB0b7R
	cPkbj0n9F+doGHCuq4ZC8sZmDx62H7YTJPigV/l5Kira/liTXjw7UBUgSWjhIQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1672314852; a=rsa-sha256; cv=none;
	b=okIH5PkJhhB4HcdxHVUrjDsCf9QwfqwOBEeWQbSXcHIRFwLvy7rjOPeqsnIM1ewU5bR2RV
	/Mwa37aEbNyr/hFskqBA/YgfsrUXWdUbOIc4mfgL+zMUhDOgxfTg8VUS5VIyjITORFC9qE
	jrJxoTPym9RfEm78gtVo62d3VMW9QKa9QlL3p9pZeeBa8OGEs6GJhHbelFGctKlSTdupsI
	9EPVngTKjMdgTlhVlnMvvt29WOekIUR+REIm+7+zDN5ZzPNloZfHPGIS+zl4tR2zMCxEaY
	EjmYGaNCEu3qzDUHv2nvZg2Lx/naeMmn8JpzKOkeSRdGJZcVbb64xwFJqkY4RA==
Received: from ns2.wilbury.net (ns2.wilbury.net [IPv6:2a01:b200:0:1:f816:3eff:fecd:13e6])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "svc.wilbury.net", Issuer "R3" (verified OK))
	(Authenticated sender: otis)
	by smtp.freebsd.org (Postfix) with ESMTPSA id 4NjRd04pT0zsBQ
	for <freebsd-current@freebsd.org>; Thu, 29 Dec 2022 11:54:12 +0000 (UTC)
	(envelope-from otis@FreeBSD.org)
Received: by svc.wilbury.net (Postfix, from userid 125)
	id 20D0345D401; Thu, 29 Dec 2022 10:21:47 +0100 (CET)
Received: from smtpclient.apple (gw-upc.owhome.net [188.167.168.254])
	(Authenticated sender: juraj@lutter.sk)
	by svc.wilbury.net (Postfix) with ESMTPSA id DD7CB45D28C
	for <freebsd-current@freebsd.org>; Wed, 28 Dec 2022 15:52:54 +0100 (CET)
From: Juraj Lutter <otis@FreeBSD.org>
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable
List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
List-Help: <mailto:freebsd-current+help@freebsd.org>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Subscribe: <mailto:freebsd-current+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-current+unsubscribe@freebsd.org>
Sender: owner-freebsd-current@freebsd.org
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Subject: Re: native recording of all network connections on freebsd
Date: Wed, 28 Dec 2022 15:52:54 +0100
References: <b2ea51ee-3944-b8d7-e0a8-8e4f16ebb8f@macktronics.com>
 <CAEW+ogbJrKJR+QJ2hmzvAOTaX6YoftMT0GrEcqEOhwAMddczbg@mail.gmail.com>
To: FreeBSD Current <freebsd-current@freebsd.org>
In-Reply-To: <CAEW+ogbJrKJR+QJ2hmzvAOTaX6YoftMT0GrEcqEOhwAMddczbg@mail.gmail.com>
Message-Id: <96D7C087-7C42-420F-A032-A3430658EC52@FreeBSD.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,KHOP_HELO_FCRDNS,
	SPF_HELO_NONE,SPF_SOFTFAIL,TW_PF autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on ns2.wilbury.net
X-ThisMailContainsUnwantedMimeParts: N



> On 28 Dec 2022, at 15:28, Sami Halabi <sodynet1@gmail.com> wrote:
>=20
> using firewall ike ipfw with rule to log any to any would be a start.. =
for advanced use, stateful fw so You can log start of connections

I would also consider using ng_netflow(4) with, for example, nfsend or =
even
logstash with netflow input module (and stored into elastic indexes),
visualized by kibana or other tools.


=E2=80=94
Juraj Lutter
otis@FreeBSD.org