> I am testing M0n0Wall for captive portal feature primarily.
> For example, a sysadmin tells us someone xxx.xxx.xxx.xxx (from us) hacks
> his server on Sept 25 02:57:56.
> I would want to get the user IP Address.
There are two problems:
1) NAT
If you have the address space avail one option is of course to not
use NAT at all (so connections won't come from the m0n0 IP). If
that's not possible, the only option I can think of is to set up
a rule to log all outbound (allowed) connections - to a dedicated
syslog server. You would need to make sure you have fewer connections
per second than the max the syslog can handle of course. This insane
level of logging would be hard to deal with, but would give very
good detail on any security issues you have. *shrug* ymmv
2) Dynamic addressing
In this way WiFi is like dialup - and the problem can be solved
in the same way using the captive portal feature and RADIUS auth.
(RADIUS was mainly developed to support dialup it seems).
Your RADIUS logs should be able to tell you who authenticated when
and had what IP. DHCP logs might be useful as well.
-josh
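The correlation described in the reply above, as an added example that is not part of the original message: it joins an outbound connection log with RADIUS accounting sessions to turn a reported destination and time into an internal IP and user. The log layouts, addresses and user names are constructed assumptions (not m0n0wall's or any RADIUS server's real format), and clocks are assumed to agree within the skew window.

```python
from datetime import datetime, timedelta

FMT = "%b %d %H:%M:%S"  # syslog-style stamp without a year, as in the report

# Constructed sample data; the field layout is an assumption, not m0n0wall's format.
# Outbound connection log: time, internal source, destination ip:port
CONN_LOG = """\
Sep 25 02:41:10 192.168.1.23 203.0.113.80:80
Sep 25 02:57:54 192.168.1.37 198.51.100.10:22
Sep 25 02:57:55 192.168.1.23 203.0.113.80:443
Sep 25 09:12:01 192.168.1.37 198.51.100.10:22
"""
# RADIUS accounting sessions: user, assigned IP, start, stop ("-" = still open)
SESSIONS = """\
alice,192.168.1.37,Sep 24 22:10:00,Sep 25 01:30:00
bob,192.168.1.37,Sep 25 02:15:00,Sep 25 03:40:00
carol,192.168.1.23,Sep 25 02:00:00,-
alice,192.168.1.37,Sep 25 08:50:00,-
"""

def parse_conns(text):
    for line in text.splitlines():
        stamp, src, dst = line[:15], *line[16:].split()
        yield datetime.strptime(stamp, FMT), src, dst.rsplit(":", 1)[0]

def parse_sessions(text):
    for line in text.splitlines():
        user, ip, start, stop = line.split(",")
        end = datetime.max if stop == "-" else datetime.strptime(stop, FMT)
        yield user, ip, datetime.strptime(start, FMT), end

def attribute(victim_ip, reported, skew=timedelta(seconds=30)):
    """Return sorted (internal_ip, user) pairs matching the reported connection."""
    when = datetime.strptime(reported, FMT)
    sessions = list(parse_sessions(SESSIONS))
    hits = set()
    for ts, src, dst in parse_conns(CONN_LOG):
        if dst != victim_ip or abs(ts - when) > skew:
            continue  # different destination, or outside the clock-skew window
        # The same IP is reused by different users, so match on session time too.
        owners = [u for u, ip, s, e in sessions if ip == src and s <= ts <= e]
        hits.update((src, u) for u in owners or ["<no session>"])
    return sorted(hits)

if __name__ == "__main__":
    print(attribute("198.51.100.10", "Sep 25 02:57:56"))
```

Matching on the session interval rather than the IP alone is what keeps a reused address from being pinned on whoever held it earlier or later.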