[ previous ] [ next ] [ threads ]
 From:  "Brett J. Carpenter" <Brett dot Carpenter at lehigh dot edu>
 To:  Francisco Reyes <lists at natserv dot com>
 Cc:  M0N0Wall firewall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Space requirements and logging
 Date:  Fri, 12 Dec 2003 19:00:47 -0500
I am running M0n0wall with a syslogd server in the configuration you seem to be
looking for it uses a AUI<->TP Transceiver crippled to only receive traffic. On
a freebsd box the configuration is rather straight forward just shut off all the
non-essential daemons. As mentioned you need to config in syslog.conf to accept
UDP packets from the m0n0wall IP and the logs will come in as local0 I have the
logs running to a line printer and archived on a CF card by newsyslog when they
reach a certain size. You must keep in mind that FLASH memory elements wear out
when frequently written to. The controllers spread the wear around the device
but eventually you will kill it if you write to it a lot. So don't stick your
firewall log directly in the flash device. Use some sort of
compression and write to a memory or maganetic device and archive as
infrequently as possable. Only trouble with this setup is that many of
the configurations m0n0wall is it will receive many Broadcasts from users on the
external network with windows spewing SMB traffic. This can drown your
interesting traffic with boring stuff, on a line printer this causes a lot of
trouble. You could cut this stuff out of the logs when the traffic comes into
the Syslog server but this is inelegant The elegant solution would be to modify
the rules on m0n0wall using exec.php but if you happen to block LAN traffic you
might be in trouble. If your lucky and your system isn't on your roof cooled by
10 gallons of oil in a ammo box then you could play with the rules
directly and if you messed something up and blocked traffic to the LAN interface
well just reflash and upload your config backup. To do so for me currently would
involve chipping the thing out of ice and the oil is messy :). It would be nice
if we could config in the GUI to quietly drop this stuff, currently we can
select a quiet drop but it will still hit the group rule and get logged. Hope
that gives some insight onto some possabilties and sorry about the
diversion at the end there. 

This mail sent through IMP: http://horde.org/imp/