From: "Darryl Hoar"
Date: Wed, 30 Apr 2003 11:01:34 -0500
Message-ID: <000001c30f31$c6bc01d0$0701a8c0@darryl>
Subject: Firewall & Security Question
Reply-To: darryl@osborne-ind.com

Greetings,

My firewall is running 4.4-stable. I have ipfilter configured and running. I have ipnat running. All the PCs on my line access our DSL line through the firewall. I have tripwire configured and running on my firewall.

Due to some recent activity, I need to be able to monitor who is doing what on the internet, i.e., maybe a DoS attack being launched through our connection, etc. More than likely, I have a user with Kazaa or some other service that is periodically pumping out quite a bit of data.

What should I use to snoop this out? Should I connect something between the firewall and the ADSL router to log what's happening?

Any ideas greatly appreciated. This periodic activity brought our DSL throughput down to the point I was receiving calls.

thanks,
Darryl