ip-masq-log 1.0.2 review

by rbytes.net on

License: GPL (GNU General Public License)
File size: 10K
Developer: Roberto Zunino
0 stars award from rbytes.net

This patch can be used on a masquerading firewall (NAT) to keep a log of all the outgoing masqueraded TCP connections.

It's even possible to log the name of the user who opened the connection. This can be a useful security tool for many small networks that are hidden behind a masquerading box if users cannot be totally trusted. It can be used with Linux 2.2.17, 2.2.19, 2.2.20 and maybe other (future) 2.2.x versions.

With this information you can tell that, in the above scenario, the connection masquerader.yourdomain.com:666 [-3-] ==> crackme.victim.com:31337 [-2-] was started by attacker.yourdomain.com [-1-] from port 1234.

Now please note that this is NOT enough: if attacker.yourdomain.com is a multiuser machine, there could be 100 users logged in at that time. Moreover, a malicious user could attack crackme.victim.com from attacker.yourdomain.com even without being logged in (for example with cron or a background job).

Since we don't want users to be able to hide themselves in this way, the masquerader makes an IDENT query to the client and, if IDENT is available, adds the response to the log together with [-1-], [-2-] and [-3-].

It's therefore recommended (although it's optional) that you enable the IDENT service on all hosts on the internal network. Please note that if you restrict the IDENT service (e.g. with TCP wrappers) to the masquerader it won't work (exercise: can you understand why?). If your network configuration on the masquerader is OK, remote hosts won't be able to do IDENT queries (since they can't pass through the masquerader). Therefore allowing "everyone" to do IDENT queries on the clients should be safe enough. If you wish to allow remote hosts to do IDENT queries you can install a special IDENT server on the masquerade router, like pnidentd (for example).
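The IDENT exchange described above, as an added example that is not part of ip-masq-log or of the original page: it builds the RFC 1413 query for the internal client's connection, parses and sanitizes the reply (which the client controls), and formats a log entry. The function names, the user name and the log line layout are assumptions, and the code covers only the message format, not how the patch sends the query.

```python
# Added example: RFC 1413 (IDENT) message handling only, no network I/O.
MAX_LINE = 1000  # RFC 1413 caps a reply line at 1000 characters

def build_query(client_port, remote_port):
    """Query as sent to identd on the internal client: its own port first."""
    for port in (client_port, remote_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port: {port}")
    return f"{client_port}, {remote_port}\r\n".encode("ascii")

def sanitize(text, limit=64):
    """The reply is client-controlled: keep printable ASCII, cap the length."""
    return "".join(c if 32 <= ord(c) < 127 else "?" for c in text)[:limit]

def parse_reply(raw, client_port, remote_port):
    """Return ("USERID", user), ("ERROR", reason) or ("INVALID", why)."""
    if len(raw) > MAX_LINE or not raw.endswith(b"\r\n"):
        return ("INVALID", "bad length or terminator")
    fields = raw[:-2].decode("latin-1").split(":", 3)
    if len(fields) < 3:
        return ("INVALID", "too few fields")
    try:
        ports = tuple(int(p) for p in fields[0].split(","))
    except ValueError:
        return ("INVALID", "bad port pair")
    if ports != (client_port, remote_port):
        return ("INVALID", "port pair mismatch")
    kind = fields[1].strip().upper()
    if kind == "ERROR":
        return ("ERROR", sanitize(fields[2].strip()))
    if kind == "USERID" and len(fields) == 4:
        # RFC 1413 counts spaces after the colon as part of the user id;
        # they are stripped here to keep the log line tidy.
        return ("USERID", sanitize(fields[3].strip()))
    return ("INVALID", "unknown reply type")

def log_entry(client, masq, remote, reply):
    """Hypothetical log line; the patch's real format is not shown here."""
    status, value = reply
    ident = value if status == "USERID" else f"<{status.lower()}: {value}>"
    return (f"{client[0]}:{client[1]} via {masq[0]}:{masq[1]} "
            f"==> {remote[0]}:{remote[1]} ident={ident}")

if __name__ == "__main__":
    # Constructed reply for the page's scenario (the user name is made up).
    reply = parse_reply(b"1234, 31337 : USERID : UNIX : alice\r\n", 1234, 31337)
    print(log_entry(("attacker.yourdomain.com", 1234), ("masquerader.yourdomain.com", 666),
                    ("crackme.victim.com", 31337), reply))
```

A reply whose port pair does not match the query, or that smuggles a line break into the user id, is rejected or neutralized before it reaches the log.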

What's New in This Release:
Update for Linux 2.2.19
