Thread: [Fwbuilder-discussion] Showing MAC addresses in the log
From: Bill C. <Bill@Explosivo.com> - 2004-07-29 14:30:22
Is there a way to have iptables / fwbuilder (not sure if it's an option I am missing) record the MAC address in the log files also? Can this be done on a rule by rule basis?

Thanks for any help

Bill

--
Bill Chmura
w. http://www.fistfullofcode.com
w. http://www.explosivo.com

------------------------------------------------------
Without good motivation, science and technology, instead of helping, bring more fear and threaten global destruction. Compassionate thought is very important for humankind.
-His Holiness the Dalai Lama

Wisdom does not mean knowledge but experiential understanding. Wisdom helps you to change radically your habits and perceptions, as you discover the constantly changing, interconnected nature of the whole of existence.
-Martine Batchelor, "Meditation For Life"
-------------------------------------------------------
From: Vadim K. <va...@vk...> - 2004-07-29 15:39:22
On Jul 29, 2004, at 7:30 AM, Bill Chmura wrote:

> Is there a way to have iptables / fwbuilder (not sure if it's an option I am
> missing) record the MAC address in the log files also? Can this be done on a
> rule by rule basis?

Now that you mention it, I've noticed that it sometimes logs the MAC address and sometimes does not. I am not aware of any option for that, I think it is the default behavior. Here are two consecutive log entries from my own firewall:

Jul 29 07:55:55 guardian kernel: RULE 14 -- DENY IN=eth0 OUT= MAC=00:e0:18:a8:80:1e:00:01:5c:22:89:02:08:00 SRC=213.76.155.5 DST=24.6.2.179 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=12533 DF PROTO=TCP SPT=1698 DPT=6882 WINDOW=64240 RES=0x00 SYN URGP=0

Jul 29 07:55:56 guardian kernel: RULE 14 -- DENY IN= OUT=eth1 SRC=10.3.1.1 DST=10.3.1.40 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60451 PROTO=ICMP TYPE=0 CODE=0 ID=8728 SEQ=39636

I think it does not log MAC addresses for packets that originate from the firewall itself. Packets that come from somewhere else have their MAC address logged.

The record "MAC=00:e0:18:a8:80:1e:00:01:5c:22:89:02:08:00" consists of two MAC addresses: source and destination. Here "00:e0:18:a8:80:1e" is the MAC address of one of the firewall's interfaces and "00:01:5C:22:89:02" is the router outside. So it looks like it puts destination first.

--vk

> Thanks for any help
>
> Bill
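The MAC= layout described in the message above, decoded in Python as an added example that is not part of the original thread. It assumes the field is the 14-byte Ethernet header (destination, source, then a two-byte EtherType, where 08:00 is IPv4); the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two kernel log entries quoted in the message above.
SAMPLE_LOG = [
    "Jul 29 07:55:55 guardian kernel: RULE 14 -- DENY IN=eth0 OUT= "
    "MAC=00:e0:18:a8:80:1e:00:01:5c:22:89:02:08:00 SRC=213.76.155.5 "
    "DST=24.6.2.179 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=12533 DF PROTO=TCP "
    "SPT=1698 DPT=6882 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jul 29 07:55:56 guardian kernel: RULE 14 -- DENY IN= OUT=eth1 "
    "SRC=10.3.1.1 DST=10.3.1.40 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60451 "
    "PROTO=ICMP TYPE=0 CODE=0 ID=8728 SEQ=39636",
]
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
OCTET_RE = re.compile(r"[0-9a-f]{2}")

def split_mac_field(value):
    """Split MAC= (the logged Ethernet header) into dst, src and EtherType."""
    octets = value.lower().split(":")
    if len(octets) != 14 or not all(OCTET_RE.fullmatch(o) for o in octets):
        return None  # field absent, or not a 14-byte Ethernet header
    return {
        "dst_mac": ":".join(octets[:6]),           # destination comes first
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "0x" + "".join(octets[12:]),  # 0x0800 = IPv4
    }

def parse_line(line):
    """Return the fields of one LOG entry, with MAC= decoded when present."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields.setdefault(key, val)  # keep the first ID= (IP ID, not ICMP ID)
    return {"in": fields.get("IN", ""), "out": fields.get("OUT", ""),
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "mac": split_mac_field(fields.get("MAC", ""))}

def ips_by_source_mac(lines):
    """Map each source MAC to the source IPs logged with it."""
    # The MAC is that of the last layer-2 hop (here the outside router), so it
    # identifies the sending host only when that host is on the same segment.
    seen = defaultdict(set)
    for entry in map(parse_line, lines):
        if entry["mac"] and entry["src"]:
            seen[entry["mac"]["src_mac"]].add(entry["src"])
    return {mac: sorted(ips) for mac, ips in seen.items()}

print(ips_by_source_mac(SAMPLE_LOG))
```
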
From: Bill C. <Bill@Explosivo.com> - 2004-07-29 15:52:49
I've noticed one of my systems with the same behavior... I am thinking on mine at least it logs MAC addresses when the destination is the firewall itself and not being passed through.

I'd like it to be consistent and log it for many many wonderful things. In this environment we often need to track down offenders on a very mobile dhcp'd network. Having a MAC would make it somewhat easier to prove who they are and track them down.

On Thursday 29 July 2004 11:39 am, Vadim Kurland wrote:
> On Jul 29, 2004, at 7:30 AM, Bill Chmura wrote:
> > Is there a way to have iptables / fwbuilder (not sure if it's an option I am
> > missing) record the MAC address in the log files also? Can this be done on a
> > rule by rule basis?
>
> Now that you mention it, I've noticed that it sometimes logs the MAC address
> and sometimes does not. I am not aware of any option for that, I think it is
> the default behavior. Here are two consecutive log entries from my own firewall:
>
> Jul 29 07:55:55 guardian kernel: RULE 14 -- DENY IN=eth0 OUT= MAC=00:e0:18:a8:80:1e:00:01:5c:22:89:02:08:00 SRC=213.76.155.5 DST=24.6.2.179 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=12533 DF PROTO=TCP SPT=1698 DPT=6882 WINDOW=64240 RES=0x00 SYN URGP=0
>
> Jul 29 07:55:56 guardian kernel: RULE 14 -- DENY IN= OUT=eth1 SRC=10.3.1.1 DST=10.3.1.40 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60451 PROTO=ICMP TYPE=0 CODE=0 ID=8728 SEQ=39636
>
> I think it does not log MAC addresses for packets that originate from the
> firewall itself. Packets that come from somewhere else have their MAC address
> logged.
>
> The record "MAC=00:e0:18:a8:80:1e:00:01:5c:22:89:02:08:00" consists of two MAC
> addresses: source and destination. Here "00:e0:18:a8:80:1e" is the MAC address
> of one of the firewall's interfaces and "00:01:5C:22:89:02" is the router
> outside. So it looks like it puts destination first.
>
> --vk
>
> > Thanks for any help
> >
> > Bill

--
Bill Chmura
Director of Internet Technology
Explosivo ITG
Wolcott, CT
p: 888.560.YWEB (9932)
e: bill@Explosivo.com
w. http://www.explosivo.com