nufw-users

Re: [Nufw-users] Questions about NuFW's logging


From: Eric Leblond
Subject: Re: [Nufw-users] Questions about NuFW's logging
Date: Wed, 18 Jun 2008 18:02:58 +0200
User-agent: Mutt/1.5.18 (2008-05-17)

Hello,

On Wednesday, 2008 June 18 at 15:23:18 +0200, Johann Spies wrote:
> Our present firewall generates about 450 log entries per second after
> we changed the configuration to avoid excessive logging.  Our
> bandwidth will most probably more than double in the next year.
> 
> I doubt whether postgresql would be able to handle an input stream
> like that and keep up to date.

I think you are right. Even if it works for some time, the amount of
generated data will cause the system to collapse.

> 
> We need to be able to stop a user's connection in real time.  At
> present we use programs to monitor the stateful tables in memory.  The
> problem we have is that the tables do not have information about
> users - it is IP-based.
> 
> NuFW supplies the information we need.  Our concern is how to handle
> that information with the huge amount of data that will be generated.

To kill all of a user's connections, you can use the fact that NuFW is able
to mark packets with the user ID. Via CONNMARK it is thus possible to
mark connections with the user ID. Hence, destroying all of a user's
connections is simply a matter of dropping all connection tracking entries
matching a single mark.

> That brings me to a question or two about NuFW's logging:
> 
> 1.  What triggers a log entry?

The start and the end of a connection trigger a log entry.

> 2.  When? When the connection starts, when it is terminated?

The start of a connection is triggered by the authentication of the packet
by nuauth.
The end of the connection is triggered by the destruction of the connection
in Netfilter connection tracking.

> 3.  If the log entry is generated after the termination of the
>     connection, how would we access the information regarding the
>     connection before it ends?

You can use a connections dump and use the mark to get back to the user
account. By the way, you could use an external logging program to do that
and avoid storing all connections in SQL.

INL, who is NuFW's editor, can provide professional development on this
issue. Don't hesitate to contact me in private about this subject.

> 4.  Has NuFW been tested with traffic similar to our situation?

Tests we did some time ago show that NuFW can handle around 4000 new
conn/s:
        http://www.nufw.org/Tests-de-performance-intensifs-sur.html
Based on recent tuning, the performance should have improved by a decent
factor.

BR,
-- 
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
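An added illustration of the two points above (the CONNMARK-based kill of a user's connections, and reading a user's connections back out of a connection tracking dump by mark). This is example code written for this archive page, not code from the message or from the NuFW project. It assumes, as the message states, that NuFW has already set the packet mark to the user ID and that a CONNMARK rule has copied it into the conntrack mark; the `conntrack -L` dump lines and the mark-to-user table are constructed samples, and `user_for_mark` stands in for whatever lookup a real deployment would use.

```shell
#!/bin/sh
# Assumed prerequisite (not run here): copy the packet mark NuFW set into
# the connection mark so every later packet of the flow carries the user ID:
#   iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

# Constructed sample of `conntrack -L` output; not captured from a real host.
# Connections with mark=0 were never authenticated by NuFW (no user known).
SAMPLE_DUMP='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51234 dport=443 src=192.0.2.10 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=1001 use=1
udp      17 29 src=10.0.0.7 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=10.0.0.7 sport=53 dport=40000 mark=1002 use=1
tcp      6 120 TIME_WAIT src=10.0.0.5 dst=192.0.2.20 sport=51300 dport=80 src=192.0.2.20 dst=10.0.0.5 sport=80 dport=51300 [ASSURED] mark=1001 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=192.0.2.30 sport=51400 dport=22 src=192.0.2.30 dst=10.0.0.9 sport=22 dport=51400 [ASSURED] mark=0 use=1'

# Hypothetical mark -> account lookup; a real setup would query the same
# user database nuauth authenticates against.
user_for_mark() {
    case "$1" in
        1001) echo alice ;;
        1002) echo bob ;;
        *)    echo unknown ;;
    esac
}

# Print the dump lines ($1) whose conntrack mark equals $2 exactly.
# Matching on the whole "mark=N" field avoids mark=10 matching mark=1.
conns_for_mark() {
    printf '%s\n' "$1" | awk -v m="$2" '
        { for (i = 1; i <= NF; i++) if ($i == ("mark=" m)) { print; break } }'
}

# Number of tracked connections carrying mark $2 (0 when none).
count_conns_for_mark() {
    conns_for_mark "$1" "$2" | awk 'END { print NR }'
}

# Per-user view of the dump: one line per mark, mapped back to an account.
summarize_by_user() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^mark=/) { c[substr($i, 6)]++ } }
        END { for (m in c) print m, c[m] }' | sort -n |
    while read -r m n; do
        printf '%s (mark %s): %s connection(s)\n' "$(user_for_mark "$m")" "$m" "$n"
    done
}

# Drop every conntrack entry carrying the user's mark. With "dry" as the
# second argument the command is only printed, so the script runs offline.
# Never pass mark 0 here: that would flush every unauthenticated flow.
kill_user_conns() {
    mark=$1
    if [ "$mark" = 0 ]; then
        echo "refusing to delete mark 0 (unauthenticated connections)" >&2
        return 1
    fi
    if [ "${2:-}" = dry ]; then
        echo "conntrack -D --mark $mark"
    else
        conntrack -D --mark "$mark"
    fi
}

# Stand-alone demo on the constructed dump.
summarize_by_user "$SAMPLE_DUMP"
kill_user_conns 1001 dry
```

The per-mark summary is the "connections dump" route from the answer to question 3: it gives the live view of a user's flows without waiting for the end-of-connection log entry. The kill path is the answer to the first point, and the guard against mark 0 is there because the conntrack table also holds flows nuauth never authenticated.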
