Quote:
Originally Posted by rossonieri#1
hi,
logging is your best friend - before the firewall doing the action.
example :
INPUT -i eth0 -p tcp -dport 22 -j LOG <then> action :
INPUT -i eth0 -p tcp -dport 22 -j ACCEPT/DROP?
HTH.
|
I suggest having TCPDUMP (or Snort) log to a flat file:
1. For each IP (if you're using static IPs within your LAN), run an instance of tcpdump, recording each IP's activity. When the month is up, replay the traffic and conduct an analysis of what traffic was captured and adjust your firewall policy accordingly.
2. Sniff your entire internal network range for a month, using tcpdump, then when the month is up, replay the traffic, filtering on each IP's traffic and adjust your firewall policy accordingly.
Sniffing traffic is better because you should be able to see all traffic. Unless you're logging before every firewall rule, you're not going to see everything...and I don't suggest logging all firewall traffic, unless you've a ton of hard disk space to burn. A firewall should used for perimeter security, IMO...a sniffer can be used as an audit tool to enhance a firewall policy.