Firewall Wizards mailing list archives
Re: Pix 535 Logging
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 8 Nov 2006 14:04:58 -0500
-----Original Message-----
Subject: [fw-wiz] Pix 535 Logging

We're currently getting a lot of CERT notifications for spammers operating within our network - mainly just students with 0wned machines, but we're looking into ways to automate the procedure slightly.

Anyway, what I'm looking to do, and what I need help with.... I want to know if it's possible to log all outbound port 25 connection attempts, EXCEPT those that come from our authorised MXs and mail servers. AND I would like to be able to do this in addition to the normal logging that takes place.

So, is it possible? Any thoughts and guidance you can provide are very much appreciated.
James,

It's definitely possible. Ideally, you would want to log all firewall traffic and then use a log parser/analyzer to isolate and report on this traffic. But if I had to guess, I'd say that the daily firewall log for a residential university like Sunderland would be in the tens of gigabytes if not the hundreds, so you're probably not doing this on a whim.

So my recommendation would be to use access-list entries with log level directives. Something like:

    access-list <acl-id> permit tcp any any eq 25 log 3

These access-list entries should be placed before the 'permit ip any any' rule or any other very general permit rule that might match, and *after* the rules that allow traffic to/from your authorized mail servers. The logging level you set on the access-list entry should be the same as or lower than the general logging trap level you have set in your config.

The advantage to this approach is that it makes it easy to enable/disable logging of this specific traffic, but it also makes it easy to move from logging this traffic to blocking this traffic if you decide to go that direction.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
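An added example of the log-parser approach Paul mentions first (this is not code from the post, from James's site, or from Cisco): a small Python script that reads PIX syslog lines, picks out outbound tcp/25 connection attempts, drops those coming from the authorised mail servers, and counts attempts per internal source host. It assumes two message formats from the PIX system log reference, 106100 (the line an access-list entry with the `log` keyword produces) and 302013 (the "Built ... TCP connection" line from normal connection logging), and the sample log lines, the `AUTHORISED_MX` set and the `INTERNAL_NETS` list are constructed for the example. Check the regexes against the message format of the PIX release you actually run before trusting the counts.

```python
"""Report internal hosts making outbound tcp/25 connection attempts, excluding
the authorised MXs.  Added example; message formats, sample lines, address
sets and the 302013 direction convention are assumptions, not from the post."""
import ipaddress
import re
from collections import Counter

# Constructed for this example: the site's authorised mail servers and the
# address ranges that count as "inside".  Inbound mail deliveries to the MX
# also hit port 25, so only sources inside these ranges are ever counted.
AUTHORISED_MX = {ipaddress.ip_address("192.0.2.25"),
                 ipaddress.ip_address("192.0.2.26")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample syslog, in the two PIX message formats assumed above.
SAMPLE_LOG = """\
%PIX-3-106100: access-list inside_out permitted tcp inside/10.20.30.40(49152) -> outside/203.0.113.10(25) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%PIX-3-106100: access-list inside_out permitted tcp inside/10.20.30.40(49153) -> outside/198.51.100.7(25) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
%PIX-3-106100: access-list inside_out permitted tcp inside/192.0.2.25(38000) -> outside/203.0.113.10(25) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%PIX-6-302013: Built outbound TCP connection 881234 for outside:203.0.113.10/25 (203.0.113.10/25) to inside:10.20.30.41/51000 (198.51.100.1/1025)
%PIX-6-302013: Built outbound TCP connection 881235 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.20.30.41/51001 (198.51.100.1/1026)
%PIX-6-302013: Built inbound TCP connection 881236 for outside:203.0.113.55/40000 (203.0.113.55/40000) to inside:192.0.2.25/25 (198.51.100.25/25)
"""

# 106100: access-list hit.  The arrow runs source -> destination, and hit-cnt
# carries the number of hits aggregated over the logging interval.
ACL_LOG = re.compile(
    r"%PIX-\d-106100: access-list \S+ (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<sif>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)")

# 302013: connection built.  Assumed convention: the "for" endpoint is the
# lower-security (outside) side and "to" the inside side, so the initiator is
# the "to" side for outbound connections and the "for" side for inbound ones.
CONN_LOG = re.compile(
    r"%PIX-\d-302013: Built (?P<dir>inbound|outbound) TCP connection \d+ for "
    r"(?P<aif>[^:\s]+):(?P<aip>[\d.]+)/(?P<aport>\d+) \([\d.]+/\d+\) to "
    r"(?P<bif>[^:\s]+):(?P<bip>[\d.]+)/(?P<bport>\d+)")


def parse_line(line):
    """Return (src, dst, dport, hits) for a recognised line, else None.
    re.search is used so a timestamp/hostname prefix in front of %PIX is fine."""
    m = ACL_LOG.search(line)
    if m:
        return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
                int(m["dport"]), int(m["hits"]))
    m = CONN_LOG.search(line)
    if m:
        if m["dir"] == "outbound":
            src, dst, dport = m["bip"], m["aip"], int(m["aport"])
        else:
            src, dst, dport = m["aip"], m["bip"], int(m["bport"])
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst), dport, 1)
    return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def outbound_smtp_offenders(log_text, authorised=AUTHORISED_MX, port=25):
    """Count tcp/<port> attempts per internal source, skipping the authorised
    mail servers.  Unparseable lines, other ports, and connections whose
    initiator is outside (inbound mail to the MX) are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line.strip())
        if parsed is None:
            continue
        src, dst, dport, hits = parsed
        if dport != port or not is_internal(src) or src in authorised:
            continue
        counts[str(src)] += hits
    return counts


if __name__ == "__main__":
    for host, attempts in outbound_smtp_offenders(SAMPLE_LOG).most_common():
        print(f"{host}\t{attempts} outbound tcp/25 attempt(s)")
```

Feeding the script real syslog instead of `SAMPLE_LOG` is a matter of reading the file (or stdin) and passing the text in; the per-host counts are what you would hand to whoever follows up on the CERT notifications. Note that the 106100 lines only appear once the access-list entry carries the `log` keyword and its level is at or below the configured trap level, so if you rely on those lines alone the ordering Paul describes still matters: an authorised MX matched by an earlier non-logging rule never reaches the logging entry and never shows up here either.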
Current thread:
- Pix 535 Logging James Burns (Nov 08)
- Re: Pix 535 Logging Brian Loe (Nov 08)
- Re: Pix 535 Logging James Burns (Nov 09)
- Re: Pix 535 Logging David Swafford (Nov 08)
- Re: Pix 535 Logging Paul Melson (Nov 09)
- <Possible follow-ups>
- Re: Pix 535 Logging Horvath, Kevin M. (Nov 08)
- Re: Pix 535 Logging Behm, Jeffrey L. (Nov 09)
- Re: Pix 535 Logging Brian Loe (Nov 08)