LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (http://www.linuxquestions.org/questions/linux-software-2/)
-   -   Logging\Filtering Packets Through a Gateway (http://www.linuxquestions.org/questions/linux-software-2/logging%5Cfiltering-packets-through-a-gateway-104513/)

ASP 10-15-2003 11:47 PM

Logging\Filtering Packets Through a Gateway
 
Ok, here's my issue. People behind my firewall (who are technically incompetant) are giving out information about the internal network, and also executing commands that outside people tell them. They are talking to these people over MSN, AIM, those kinds of things. Sadly, these people are trying to find leaks in my firewall, so I am trying to stop them. I was wondering if it was possible to actively check all the appropriate packets for certain phrases or bits of information and drop the ones that contain it, and also log them?

What tools should I use? Any tutorials that would help?

Thoreau 10-16-2003 02:27 AM

No.

You can block ip's and ports. You can filter and disallow ports/processes. You cannot identify and decipher any piece of data on any given process/port/ip.

Ever try to snoop a SSH session on port 80? Not very helpful. And I pity the programmer that attempts to decipher the traffic. Here are some tools that you should look at.

Prelude IDS
SNORT
Nessus
SQUID
iptables and config tools(firestarter, etc.)
spamassassin(email)

If you want a precanned ham solution that attempts erroneously to identify and stop processes and their content, you can look at getting the Cisco Packetshaper. It's only 30K.

If you want a precanned linux solution that attempts to not do multiport/ip/process content filtering, you can try out clarkconnect firewall/mandrake multinetwork firewall/netmax firewall. All of the programs I listed above are built in. And the only free one there is from mandrake, so choice you weapon at will.

Good luck. And, are your users technically incompetant if they can use MSN/AIM/execute arbitrary commands? I don't think so. No, that's where the sysadmin gets canned. If I were you, I'd get to work.

ASP 10-21-2003 11:11 PM

Guess I block IPs then.

Thanks (I guess...) for the help.

P.S. They are incompetant. Almost anybody can figure out how to use MSN in no time, that's why it's popular. Also, If someone sat down at a computer, and you told them "Click Start->Run, Type "command" then type "<some command>" and tell me what it says", almost anybody could understand that. It's really not that hard.


All times are GMT -5. The time now is 09:11 PM.