SOLVED Re: [CLUE-Tech] turning on verbose logging for iptables?

Dave Price davep at kinaole.org
Thu Jul 18 01:02:02 MDT 2002


On Wed, Jul 17, 2002 at 07:51:04PM -0600, David Anselmi wrote:
> Dave Price wrote:
>  >
> > I also like the suggestion about tcpdump on the firewall - just for
> > general principles!
> 
> Well, putting a NIC in promiscuous mode and running an extra service on 
> the box (and perhaps logging into it to play with the data) are probably 
> not things that security types would recommend for a firewall.  But if 
> you're not really paranoid and don't have a better place to put it, what 
> the heck?

If tcpdump is not running, is the NIC in promiscuous mode?  Does it
actually run as a service all the time?  Not sure how else I would see
what traffic was hitting the box otherwise. The traffic on the interface
is through an ethernet switch, so I could not really sniff that any other
way, could I?

I tried the extra logging in iptables - set up logging of both the vpn
switch in my co's Dallas office, and the ip of the windoze laptop inside
my LAN; worked great; just watched it long enough to see a few sessions
brought up and laid down.

Also tried "tcpdump -l -i any" and caught a session setup and shut down -
This did not work _at_all_ well while I was ssh'd into the
firewall and starting tcpdump from that window! But when I went to
the basement and set up the tcpdump from the console, the results
were nearly identical in educational content.

I had a real need to see the vpn client in action close up, and it only
runs on windoze.  Seeing it from 'inside' the firewall was exactly
what was required, so that I could tell a client site what their cisco
firewall would have to accept from our folks vpn'ing out of their LAN.
A lot cheaper than a dozen programmers dialing from CA into an 800#
we pay for!

Anyway tcpdump is not active anymore; no need, and the little 486 with
16MB really can't do all that much at once!  Reminds me I better get in
gear and drop those extra logging chains before the 300MB drive
overflows.
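The per-host iptables LOG output described above is easy to read by hand for a few sessions, but a small parser makes the "sessions brought up and laid down" and the "what the client's firewall must accept" questions answerable from a longer log. This is an added example, not code from the post or the list; the `vpn-in`/`vpn-out` log prefixes, the addresses and the sample log lines are constructed for illustration.

```python
import re

# Constructed sample of iptables LOG lines as syslog writes them; prefixes,
# hosts and ports are made up. Bare tokens (SYN, ACK, FIN, DF) carry no "=".
SAMPLE_LOG = """\
Jul 18 00:41:02 fw kernel: vpn-out:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 TTL=127 ID=1 DF PROTO=TCP SPT=1045 DPT=10000 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 18 00:41:02 fw kernel: vpn-in:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.20 LEN=60 TTL=54 ID=2 DF PROTO=TCP SPT=10000 DPT=1045 WINDOW=8192 RES=0x00 ACK SYN URGP=0
Jul 18 00:41:03 fw kernel: vpn-out:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=128 TTL=127 ID=3 PROTO=UDP SPT=500 DPT=500
Jul 18 00:43:10 fw kernel: vpn-out:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=52 TTL=127 ID=4 DF PROTO=TCP SPT=1045 DPT=10000 WINDOW=8192 RES=0x00 ACK FIN URGP=0
Jul 18 00:43:10 fw kernel: vpn-in:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.20 LEN=52 TTL=54 ID=5 DF PROTO=TCP SPT=10000 DPT=1045 WINDOW=8192 RES=0x00 ACK FIN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line plus a 'flags' set, or None."""
    if "PROTO=" not in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["flags"] = set(line.split()) & TCP_FLAGS
    return rec

def summarize_flows(log_text):
    """Per TCP flow (client, server, server port): bare-SYN setups and FIN/RST teardowns.
    Both directions fold into the flow opened by the client's SYN."""
    flows = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if rec["flags"] == {"SYN"}:
            key = (rec["SRC"], rec["DST"], rec["DPT"])
            flows.setdefault(key, {"setup": 0, "teardown": 0})["setup"] += 1
        elif rec["flags"] & {"FIN", "RST"}:
            for key in ((rec["SRC"], rec["DST"], rec["DPT"]),
                        (rec["DST"], rec["SRC"], rec["SPT"])):
                if key in flows:
                    flows[key]["teardown"] += 1
                    break
    return flows

def outbound_ports(log_text, client):
    """Sorted (PROTO, DPT) pairs the client sent to: what a remote firewall must permit."""
    recs = (parse_log_line(l) for l in log_text.splitlines())
    return sorted({(r["PROTO"], r["DPT"]) for r in recs if r and r["SRC"] == client})

if __name__ == "__main__":
    print(summarize_flows(SAMPLE_LOG))
    print(outbound_ports(SAMPLE_LOG, "192.168.1.20"))
```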


