What free/low-cost firewall solution best for logging all traffic?

Dear List

Subject: What free/low-cost firewall solution best for logging all traffic?

Background: We have an ADSL that we share, therefore we appear to the internet as if we all had the same IP. We have been faced with complaints from a large company that claims (most likely rightfully) that someone behind our IP number has been sharing a DVD movie to which they have the right. We don't know, but most likely someone had a P2P file-sharing program running. We have asked people on our ADSL to stop doing that and that is the end of that - for now... We foresee the possibility that something similar might happen again. Therefore we would like to be prepared. Specifically we would like to log traffic in a way that enables us to see who the Pirate is. This might not sound like a good idea to some people, but the alternative is that we all stand accused of being Pirates. We thought it might be possible to install some sort of free firewall, e.g. SmoothWall, on an old machine. We would then try to open all gates, turn off all security, but turn on a lot of traffic logging.

Question: Is it possible to use a firewall like that - to open all gates, but turn on a lot of traffic logging? Can SmoothWall do that? Is there a better (free) alternative?

Best Regards Martin£Hvidberg.net - Replace £ with something else...

Reply to
Martin Hvidberg

If you can install a cheap Linksys router that does NAT, you can then log all the inbound and outbound connections and view them in real-time and summary mode - it's a great method.

The NAT router also keeps inbound connections from reaching the computers in your network without your computers contacting them first. P2P apps may let you PULL materials from the internet, but others will not be able to reach your pirate machine.

Reply to
Leythos

Sounds possible - but could be a hoax.

Maybe less hassle (for you) to place a firewall that blocks such traffic (P2P) between you and the shared network. Do you really want to be someone else's policeman? Handing over the logs may be an invasion of privacy in your location.

Reply to
William Tasso

....snip...

Where does a small box like that keep a large log like that? Does it have a large HDD?

We have no intention to limit the use of the internet, nor do we have that authority.

:-) Martin

Reply to
Martin Hvidberg

Well, you just might try something like IPCop. Alternately, get a secure Linux distro or OpenBSD, install Snort (or, for those who really like to be basic about it, just tcpdump - Snort will require a bit of configuration), and put in a large disk. Either clean it from a cron job or do so manually, say every month.

Put this machine somewhere it can see the traffic - no problem if you have a hub (just connect it), or put it between a switch and the ADSL router, possibly in bridge mode - and it should work.

However, *I* would not support such a measure. Especially as long as being labelled as pirates has no practical consequences.

(In fact, I'd probably just do all my networking over an encrypted tunnel to wherever.)

That, and you'd need someone capable of reading logs. In whatever form, they are not immediately obvious to the uninitiated, even when using a good GUI like Ethereal.

Joachim

Reply to
Joachim Schipper

I wouldn't slam your last poster as hard as (to my drunk, redneck eye) you were...

The Linksys solution isn't so bad, and no, it does NOT have a hard drive, but it does have some caching, logging ability. It also has the ability (like most devices these days) to port the log data to a syslog server (some of which CAN be downloaded for free, although many are only on a trial basis e.g. 30 days etc.).

Also, if you don't have the authority to manage the Internet connection, how can you be held accountable if some deviant is misusing it??? Such challenges do exist on occasion, but I have found most of them to be more of a perception than a reality.

You could also set up a proxy service through a desktop or server... by default, a proxy logs all connections. However, proxies often introduce other connectivity challenges that NAT devices don't, but I didn't feel this thread out to be as technical as I did philosophical... (e.g. can we vs. how do we)....

On a side note... if you are not interested in chasing through a million lines of text to find your culprit, why not find out where the offending file was posted and then reverse engineer the protocol that was (or probably was) used... then log ONLY the few protocols that could have reasonably been used to do it (or just log the traffic directed to the KNOWN (suspected) target server...)?

On another note, if your users are using desktops, why not scan them all to see which ones have the clients installed that could have uploaded the file... even if you are in a fully portable environment (all users have laptops) you could write a logon script that scanned those computers at logon for such software.

Your task at hand is not all that overwhelming. Define the parameters and guidelines you need to contain yourself to and then pursue the most reasonable options that fit into that box (so to speak)...

Okay.. all that typing made me thirsty. Time for another Budweiser, BURP.

htredneck

Reply to
htredneck

It logs them to a pc on the network...

Reply to
gene martinez

The log inside the device is small - it has the option to be sent to a device that can record it. If you set up a logging computer and add in the free WallWatcher software, it will log every inbound/outbound connection/attempt and it will also log router messages.

If you don't have the authority to limit use then you also don't have authority to monitor or maintain it. If you are the administrator for the network you actually have authority to do anything you want to the network, including limiting access to P2P services.

Reply to
Leythos
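Several replies above come down to the same recipe: have the gateway (an IPCop/SmoothWall-style Linux box, or a NAT router pointed at a logging computer) record every outbound connection, and then have someone able to read the result. The script below is an added example for this thread; it is not code from the thread, from SmoothWall, IPCop or WallWatcher. It assumes a Linux firewall that logs new forwarded TCP connections with netfilter's LOG target (a rule along the lines of `iptables -A FORWARD -o ppp0 -p tcp --syn -j LOG --log-prefix "FWD-NEW "`), that the shared LAN is 192.168.1.0/24, and it runs over a handful of constructed kernel log lines embedded in the script. It answers the original "who" question by counting, per internal address, how many outbound connections were opened and to how many distinct remote peers, which is the footprint a P2P client leaves and an ordinary web session does not.

```python
"""Per-host summary of outbound connections from netfilter LOG lines.

Added illustration for the thread above; not part of SmoothWall, IPCop or
WallWatcher.  Assumes a Linux firewall logging forwarded TCP SYNs with
`-j LOG --log-prefix "FWD-NEW "` and a LAN of 192.168.1.0/24 (assumption).
"""
import re
from collections import Counter, defaultdict

# key=value fields written by the netfilter LOG target; OUT= may be empty
# on INPUT-chain lines, so the value pattern allows an empty match.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")
LAN_PREFIX = "192.168.1."   # assumption: the shared LAN behind the ADSL

# Constructed sample of /var/log/messages content (not real captured data):
# host .20 opens many connections to many peers on BitTorrent-style ports,
# host .30 does ordinary web browsing, one line is inbound, one is unrelated.
SAMPLE_LOG = """\
Mar  3 20:01:02 fw kernel: FWD-NEW IN=eth0 OUT=ppp0 SRC=192.168.1.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51001 DPT=6881 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 20:01:03 fw kernel: FWD-NEW IN=eth0 OUT=ppp0 SRC=192.168.1.20 DST=203.0.113.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51002 DPT=6881 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 20:01:03 fw kernel: FWD-NEW IN=eth0 OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=51003 DPT=6881 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 20:01:04 fw kernel: FWD-NEW IN=eth0 OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=51004 DPT=6882 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 20:01:05 fw kernel: FWD-NEW IN=eth0 OUT=ppp0 SRC=192.168.1.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=51005 DPT=6881 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 20:01:06 fw kernel: FWD-NEW IN=eth0 OUT=ppp0 SRC=192.168.1.30 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=6 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 20:01:07 fw kernel: FWD-NEW IN=eth0 OUT=ppp0 SRC=192.168.1.30 DST=203.0.113.81 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 20:01:08 fw kernel: FWD-NEW IN=ppp0 OUT=eth0 SRC=198.51.100.9 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=8 DF PROTO=TCP SPT=6881 DPT=51001 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 20:01:10 fw sshd[123]: Accepted publickey for admin from 192.168.1.2
"""


def parse_line(line):
    """Return the LOG fields of one syslog line as a dict, or None if the
    line is not a netfilter LOG record at all."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def summarise(log_text, lan_prefix=LAN_PREFIX):
    """Aggregate outbound connection attempts per internal source address:
    total count, set of distinct remote peers, and (proto, dport) counts."""
    per_host = defaultdict(
        lambda: {"connections": 0, "peers": set(), "ports": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        src = rec.get("SRC", "")
        # keep only traffic leaving the LAN (forwarded, with an OUT interface)
        if not src.startswith(lan_prefix) or not rec.get("OUT"):
            continue
        host = per_host[src]
        host["connections"] += 1
        host["peers"].add(rec.get("DST"))
        host["ports"][(rec.get("PROTO"), rec.get("DPT"))] += 1
    return per_host


def rank_hosts(summary):
    """Internal addresses ordered by number of distinct remote peers, most
    first; many peers is the signature of a P2P client, not of browsing."""
    return sorted(summary, key=lambda ip: len(summary[ip]["peers"]),
                  reverse=True)


def report(summary, top=5):
    """Human-readable summary lines, most-connected host first."""
    lines = []
    for ip in rank_hosts(summary)[:top]:
        h = summary[ip]
        busiest = ", ".join(f"{proto}/{port} x{n}"
                            for (proto, port), n in h["ports"].most_common(3))
        lines.append(f"{ip}: {h['connections']} outbound connections to "
                     f"{len(h['peers'])} peers; top ports {busiest}")
    return lines


if __name__ == "__main__":
    # On a real firewall: summarise(open("/var/log/messages").read())
    for line in report(summarise(SAMPLE_LOG)):
        print(line)
```

Two practical notes on using output like this. It attributes traffic to an internal IP address only; mapping that to a person still needs the DHCP lease table or a static address plan from the same time window, so keep those alongside the logs. And because every host's browsing ends up in the same file, William's point about privacy applies: logging only new connections (SYNs, as in the rule assumed above) rather than full packet captures keeps the record to who talked to whom and when, without the contents.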

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.