Date: Thu, 27 Jan 2011 11:33:51 -0500
From: Kevin Wilcox <kevin.wilcox@gmail.com>
To: freebsd-pf@freebsd.org
Subject: log NAT translations
Message-ID: <AANLkTim9JeLdYpnUkruKZuGC9WVr-mk75xd62o9ML06q@mail.gmail.com>
Hello all.

I've been using FreeBSD 7.x and 8.x for bridged firewalls and logging hasn't been an issue. Now I'm moving one of them to NAT and I suddenly realise I have a major problem - I can't log the actual translations. Consider the following:

Client A - 10.1.1.1
Client B - 10.1.2.2
Remote server C - some IP out on the Internet
Inside firewall interface: 10.1.2.254
Outside firewall interface: 192.168.1.1

The sysadmin for C comes to me and says, "hey, someone from 192.168.1.1, source port 12345, is banging on my server on port 80."

I go to the logs for my firewall, logging on both interfaces. The log for the inside interface shows connections from clients A and B going to C on port 80 with source ports 30000 and 40000. I go to the log for the outside interface and see connections going from 192.168.1.1 to server C, destination port 80, source ports 12345 and 23456.

My problem is that I can't tie the inside IP:port to the translated IP:port, so while I can narrow it down to a couple of internal IPs, I can't pinpoint which client is being civil and which one is causing the problem.

Before I write something to interpret state changes from pfsync, can anyone offer guidance on how to pull those translations?

Thanks!

kmw
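The pflog records on the two interfaces cannot be joined because each one sees only the pre- or post-translation packet; the pairing lives in the state table, where `pfctl -ss` prints the translated endpoint followed by the original one in parentheses. The following is an added example, not code from the poster or from FreeBSD: it parses constructed `pfctl -ss` lines in the FreeBSD 7/8-era format for the scenario above (198.51.100.7 standing in for server C, and all addresses, ports and state names being assumed sample values), builds a lookup from "what server C sees" to the inside client, and reports which mappings are new since a previous poll so a cron or loop can log each translation once.

```python
import re
from datetime import datetime, timezone

# Constructed `pfctl -ss` output for the scenario in the post (sample data,
# not captured from a real firewall). For an outbound source-NAT state pf
# prints the translated endpoint first and the pre-NAT endpoint in parentheses.
SAMPLE_PFCTL_SS = """\
all tcp 192.168.1.1:12345 (10.1.1.1:30000) -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.1:23456 (10.1.2.2:40000) -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
all udp 192.168.1.1:51000 (10.1.2.2:51000) -> 198.51.100.53:53       MULTIPLE:MULTIPLE
all tcp 10.1.2.254:22 <- 10.1.1.1:44000       ESTABLISHED:ESTABLISHED
"""

# One endpoint as pfctl prints it ("addr:port"), never containing parentheses.
_EP = r"[^\s()]+"

# <ifname> <proto> <a> [(<a_orig>)] <arrow> <b> [(<b_orig>)] [<state>]
# Indented detail lines from verbose output do not match because of the ^\S.
STATE_RE = re.compile(
    rf"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    rf"(?P<a>{_EP})(?:\s+\((?P<a_orig>{_EP})\))?\s+"
    rf"(?P<arrow><->|->|<-)\s+"
    rf"(?P<b>{_EP})(?:\s+\((?P<b_orig>{_EP})\))?"
    rf"(?:\s+(?P<state>\S+))?\s*$"
)


def parse_state_line(line):
    """Return a dict for one state line, or None if the line is not a state."""
    m = STATE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_states(text):
    """Parse every recognisable state line in a `pfctl -ss` dump."""
    return [s for s in map(parse_state_line, text.splitlines()) if s]


def source_nat_mappings(states):
    """Map (proto, translated endpoint, remote endpoint) -> inside endpoint.

    Only outbound states whose left endpoint carries a parenthesised original
    (i.e. source NAT) are included; untranslated states carry no mapping.
    """
    table = {}
    for s in states:
        if s["arrow"] == "->" and s["a_orig"]:
            table[(s["proto"], s["a"], s["b"])] = s["a_orig"]
    return table


def find_inside(table, proto, translated, remote):
    """Answer the question from the post: which inside host owns this flow?"""
    return table.get((proto, translated, remote))


def new_mappings(previous, current):
    """Mappings present now but not at the last poll, so each is logged once."""
    return {k: v for k, v in current.items() if k not in previous}


def format_log_line(ts, key, inside):
    proto, translated, remote = key
    return f"{ts} {proto} {inside} => {translated} -> {remote}"


if __name__ == "__main__":
    # In production, replace SAMPLE_PFCTL_SS with the output of `pfctl -ss`.
    table = source_nat_mappings(parse_states(SAMPLE_PFCTL_SS))
    print(find_inside(table, "tcp", "192.168.1.1:12345", "198.51.100.7:80"))
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    for key, inside in new_mappings({}, table).items():
        print(format_log_line(ts, key, inside))
```

Polling the state table is a snapshot, not an event stream: a flow that opens and times out between two polls is never seen, so the poll interval has to stay well below the shortest state timeout in use, and even then very short connections can be missed. That gap is exactly what the pfsync approach mentioned in the post closes, since every state insertion is announced there.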