log NAT translations

Kevin Wilcox kevin.wilcox at gmail.com
Thu Jan 27 17:00:06 UTC 2011


Hello all. I've been using FreeBSD 7.x and 8.x for bridged firewalls
and logging hasn't been an issue. Now I'm moving one of them to NAT
and I suddenly realise I have a major problem - I can't log the actual
translations.

Consider the following:

Client A - 10.1.1.1
Client B - 10.1.2.2
Remote server C - some IP out on the Internet
Inside firewall interface: 10.1.2.254
Outside firewall interface: 192.168.1.1

The sysadmin for C comes to me and says, "hey, someone from
192.168.1.1, source port 12345, is banging on my server on port 80."

I go to the logs for my firewall, logging on both interfaces. The log
for the inside interface shows connections from clients A and B going
to C on port 80 with source ports 30000 and 40000.

I go to the log for the outside interface and see connections going
from 192.168.1.1 to server C, destination port 80, source ports 12345
and 23456.

My problem is that I can't tie the inside IP:port to the translated
IP:port, so while I can narrow it down to a couple of internal IPs, I
can't pinpoint which client is being civil and which one is causing
the problem.

Before I write something to interpret state changes from pfsync, can
anyone offer guidance on how to pull those translations?

Thanks!

kmw
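One way to close the gap the post describes, as an added example that is not part of the original thread or of pf itself: take the state table (which pf already keeps for every NAT'ed connection), parse out the original and translated source tuples, and index them so a complaint of the form "192.168.1.1:12345 hitting C:80" resolves to the inside client. The sample input below is constructed and uses the post's addresses plus a documentation address for server C; the line layout (translated source first, original source in parentheses, then the destination) is an assumption about the `pfctl -s state` output of that era and is IPv4-only. Names such as `parse_states`, `build_index`, `resolve` and `log_new_translations` are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `pfctl -s state` output for outbound NAT. Layout is an
# assumption: <if> <proto> <translated src> (<original src>) -> <dst> <state>.
# 203.0.113.10 stands in for "remote server C" from the post.
SAMPLE_STATES = """\
all tcp 192.168.1.1:12345 (10.1.1.1:30000) -> 203.0.113.10:80       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.1:23456 (10.1.2.2:40000) -> 203.0.113.10:80       ESTABLISHED:ESTABLISHED
all udp 192.168.1.1:61000 (10.1.2.2:5353) -> 203.0.113.53:53       MULTIPLE:SINGLE
all tcp 10.1.2.254:22 <- 10.1.1.1:50000       ESTABLISHED:ESTABLISHED
"""

Endpoint = Tuple[str, int]  # (IPv4 address, port)

# Only lines carrying a "(original)" translation are of interest; inbound or
# untranslated states (like the ssh line above) simply do not match.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<xlat>[\d.]+):(?P<xport>\d+)\s+"
    r"\((?P<orig>[\d.]+):(?P<oport>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class NatState:
    proto: str
    orig_src: Endpoint   # pre-NAT client address, the one the inside log shows
    xlat_src: Endpoint   # post-NAT address, the one the remote admin reports
    dst: Endpoint


def parse_states(text: str) -> List[NatState]:
    """Extract every NAT'ed outbound state from pfctl-style state table text."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        states.append(NatState(
            proto=m["proto"],
            orig_src=(m["orig"], int(m["oport"])),
            xlat_src=(m["xlat"], int(m["xport"])),
            dst=(m["dst"], int(m["dport"])),
        ))
    return states


Key = Tuple[str, Endpoint, Endpoint]  # (proto, translated src, dst)


def build_index(states: List[NatState]) -> Dict[Key, Endpoint]:
    """Map what the outside world sees to the inside client behind it."""
    return {(s.proto, s.xlat_src, s.dst): s.orig_src for s in states}


def resolve(index: Dict[Key, Endpoint], proto: str,
            xlat_src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
    """Answer 'who is 192.168.1.1:12345 talking to C:80?' with the inside tuple."""
    return index.get((proto, xlat_src, dst))


def log_new_translations(previous: Set[Key],
                         states: List[NatState]) -> Tuple[Set[Key], List[str]]:
    """Compare a snapshot against the keys seen last time and produce one
    syslog-ready line per translation that was not present before."""
    current: Set[Key] = set()
    lines: List[str] = []
    for s in states:
        key = (s.proto, s.xlat_src, s.dst)
        current.add(key)
        if key not in previous:
            lines.append(
                f"nat {s.proto} {s.orig_src[0]}:{s.orig_src[1]} -> "
                f"{s.xlat_src[0]}:{s.xlat_src[1]} -> {s.dst[0]}:{s.dst[1]}"
            )
    return current, lines


if __name__ == "__main__":
    states = parse_states(SAMPLE_STATES)
    index = build_index(states)
    # The remote admin's complaint from the post, resolved to the inside client.
    print(resolve(index, "tcp", ("192.168.1.1", 12345), ("203.0.113.10", 80)))
    _, new_lines = log_new_translations(set(), states)
    for line in new_lines:
        print(line)
```

Feeding `pfctl -s state` output through `parse_states` and `log_new_translations` on a timer, and handing the resulting lines to syslog, gives a persistent record of inside-to-outside mappings that the per-interface pflog entries lack. The caveat is that the state table is a point-in-time snapshot: a connection that opens and closes between two polls never appears, which is exactly why a pfsync-driven approach, as the post considers, is the more complete source for the same mapping.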


More information about the freebsd-pf mailing list