
Re: ip address in logs



* Gian Piero Carrubba (gpcarrubba@fare-impresa.org) [020809 15:45]:
> On Thu, 2002-08-08 at 23:39, Hereward Cooper wrote:
> > I've just noticed that my logs from a webserver behind a firewall, say
> > the ip address of connections from outside the lan (i.e. traffic coming
> > through the firewall) is that of the firewall.
> > I'm sure that it didn't use to do that :)
> > 
> > How can I get it to log the true ip of the connection?
> 
> I'm not so sure you can... source address is rewritten as packets flow
> through the firewall, so the only useful(?) action I can think about is
> to install an http proxy server on the firewall and rely on the proxy
> logs instead of the apache ones... well, some job playing with a sniffer
> could achieve the same results without the extra loading of a proxy you
> don't need...

Well, I'd say just the opposite.  Using a proxy of some sort, new
connections are made from the firewall to the webserver.  Using just
DNAT, only the *destination* address of the incoming packets is
rewritten (from the firewall's address to the webserver's address).  The
source remains unchanged, and reply packets go back to the original
source, but on the way out, the source addresses are "un-natted" back to
the firewall's external address.

Of course, that's the way it *should* work, but obviously not the way
it is set up in Hereward's network right now (otherwise his logs would
be fine).  My assumption is that your firewall has an external address
and uses DNAT to send incoming packets to a webserver with an internal
address.  Is my assumption wrong?  How is the network really set up?
What is your firewall actually doing?  just DNAT?  A combination of DNAT
and SNAT?  A proxy?

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"Great spirits have always found violent opposition from mediocre minds. The
latter cannot understand it when a man does not thoughtlessly submit to
hereditary prejudices but honestly and courageously uses his intelligence."
  -- Albert Einstein
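
The address handling described in the reply above, modeled as an added example (not part of the original message): a toy firewall that does DNAT only, or DNAT plus SNAT, and reports which source address the web server would log. The class and function names, addresses and port numbers are all constructed for illustration.

```python
from dataclasses import dataclass
from itertools import count

# Constructed sample addresses (documentation / private ranges), not from the thread.
EXT, INT, WEB = "203.0.113.1", "192.168.1.1", "192.168.1.10"
CLIENTS = [("198.51.100.7", 51000), ("198.51.100.8", 51001)]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    """Toy NAT box (hypothetical model): DNAT inbound, optional SNAT toward the LAN."""
    def __init__(self, external, internal, webserver, snat=False):
        self.external, self.internal = external, internal
        self.webserver, self.snat = webserver, snat
        self.ports = count(40000)   # source ports handed out when SNAT is on
        self.conntrack = {}         # (src, sport) seen by server -> real client

    def inbound(self, pkt):
        src, sport = pkt.src, pkt.sport
        if self.snat:               # source rewritten too: the client address is lost
            src, sport = self.internal, next(self.ports)
        self.conntrack[(src, sport)] = (pkt.src, pkt.sport)
        return Packet(src, sport, self.webserver, pkt.dport)  # DNAT: new destination

    def outbound(self, reply):
        # "Un-NAT" the reply: source becomes the external address again and the
        # destination is restored to the real client from the tracked connection.
        client, cport = self.conntrack[(reply.dst, reply.dport)]
        return Packet(self.external, reply.sport, client, cport)

def logged_sources(fw, clients=CLIENTS):
    """Source addresses the web server's access log would record."""
    seen = []
    for ip, port in clients:
        at_server = fw.inbound(Packet(ip, port, fw.external, 80))
        seen.append(at_server.src)
        reply = fw.outbound(Packet(fw.webserver, 80, at_server.src, at_server.sport))
        assert (reply.src, reply.dst, reply.dport) == (fw.external, ip, port)
    return seen

if __name__ == "__main__":
    print("DNAT only:  ", logged_sources(Firewall(EXT, INT, WEB)))
    print("DNAT + SNAT:", logged_sources(Firewall(EXT, INT, WEB, snat=True)))
```

A proxy on the firewall gives the web server the same view as the SNAT case, because the server sees a new connection originating from the firewall.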
