 From:  "Chris Buechler" <cbuechler at gmail dot com>
 To:  SDamron <sdamron at gmail dot com>
 Cc:  m0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Firewall rules
 Date:  Mon, 17 Jul 2006 20:36:04 -0400
On 7/17/06, SDamron <sdamron at gmail dot com> wrote:
> Totally agree with you on that, I was just trying to cut down on the
> time involved, guess I just need to do it :o)

There isn't really an easy way out, unfortunately.

One thing I would do is put in a very restrictive ruleset, syslog your
m0n0wall off to a *nix box of some sort (or you could do this with
Windows as well), and use tail -f on the log file, passed to grep
(maybe a few instances of grep as you want to narrow things down
more), to narrow down what you're seeing to things that are getting
dropped that may need to be permitted.  Leave an SSH session running
with that tail command, so you'll see when something gets dropped.

Or, you might want to check the log box on your default LAN permit
rule, so all passed traffic gets logged.  Log it off to a syslog
server, and let it run for however long you think is acceptable but
not too long or you'll have too much data to go through.  Then hack
together a script or something to process the log file.  I believe
there are also log analysis packages for ipfilter that should help,
should be able to find some with Google.
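
One way to do the "script to process the log file" step, as an added example that is not part of the original message: it tallies logged flows by protocol, destination and port so the passed traffic can be turned into explicit permit rules. The ipmon syslog line layout is assumed, the sample lines are constructed, and the names `summarize` and `report` are hypothetical.

```python
import re
from collections import Counter

# Assumed ipmon layout inside each syslog line:
#   [Nx] <iface> @<group>:<rule> <action> <src>[,<sport>] -> <dst>[,<dport>] PR <proto> ...
# action: p = passed, b = blocked. "Nx" is a repeat count for identical packets.
IPMON_RE = re.compile(
    r"(?:(?P<count>\d+)x )?(?P<iface>\S+) @\d+:\d+ (?P<action>[pb]) "
    r"(?P<src>[^,\s]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[^,\s]+)(?:,(?P<dport>\d+))? PR (?P<proto>\S+)"
)

# Constructed sample lines, not taken from a real firewall.
SAMPLE_LOG = """\
Jul 17 20:30:01 m0n0wall ipmon[85]: 20:30:00.101010 sis0 @0:15 p 192.168.1.10,1034 -> 203.0.113.5,80 PR tcp len 20 48 -S IN
Jul 17 20:30:02 m0n0wall ipmon[85]: 20:30:01.202020 sis0 @0:15 p 192.168.1.11,1050 -> 203.0.113.5,80 PR tcp len 20 48 -S IN
Jul 17 20:30:03 m0n0wall ipmon[85]: 20:30:02.303030 3x sis0 @0:15 p 192.168.1.10,1029 -> 192.168.1.1,53 PR udp len 20 61 IN
Jul 17 20:30:04 m0n0wall ipmon[85]: 20:30:03.404040 sis0 @0:15 p 192.168.1.12 -> 198.51.100.7 PR icmp len 20 84 icmp echo/0 IN
Jul 17 20:30:05 m0n0wall ipmon[85]: 20:30:04.505050 sis0 @0:16 b 192.168.1.13,1100 -> 198.51.100.9,25 PR tcp len 20 48 -S IN
Jul 17 20:30:06 m0n0wall dnsmasq[90]: reading /etc/resolv.conf
"""

def summarize(lines, action="p"):
    """Count logged packets per (proto, dst, dport) for one action (p or b)."""
    flows = Counter()
    for line in lines:
        m = IPMON_RE.search(line)
        if not m or m["action"] != action:
            continue  # not an ipmon packet line, or the other action
        # ICMP and other portless protocols get "-" as the port.
        key = (m["proto"], m["dst"], m["dport"] or "-")
        flows[key] += int(m["count"] or 1)
    return flows

def report(flows):
    """Render the busiest flows first, one line per candidate rule."""
    rows = sorted(flows.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{n:6d}  {proto:5s} {dst}:{port}" for (proto, dst, port), n in rows]

if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    print("passed:")
    print("\n".join(report(summarize(log, "p"))))
    print("blocked:")
    print("\n".join(report(summarize(log, "b"))))
```

Run it with `"p"` against a log collected from the logging permit rule, or with `"b"` against the restrictive ruleset's log to see what is being dropped.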