Questions about NuFW's logging


Questions about NuFW's logging

Johann Spies
Our present firewall generates about 450 log entries per second after
we changed the configuration to avoid excessive logging.  Our
bandwidth will most probably more than double in the next year.

I doubt whether postgresql would be able to handle an input stream
like that and keep up to date.

We need to be able to stop a user's connection in real time.  At
present we use programs to monitor the stateful tables in memory.  The
problem we have is that those tables do not have information about
users - they are IP-based.

NuFW supplies the information we need.  Our concern is how to handle
that information with the huge amount of data that will be generated.

That brings me to a question or two about NuFW's logging:

1.  What triggers a log entry?
2.  When? When the connection starts, when it is terminated?
3.  If the log entry is generated after the termination of the
    connection, how would we access the information regarding the
    connection before it ends?
4.  Has NuFW been tested with traffic similar to our situation?


Regards
Johann
--
Johann Spies          Telephone: 021-808 4036
Information Technology, Universiteit van Stellenbosch

     "Jesus said unto her, I am the resurrection, and the
      life; he that believeth in me, though he were dead,
      yet shall he live."                 John 11:25


_______________________________________________
Nufw-users mailing list
[hidden email]
http://lists.nongnu.org/mailman/listinfo/nufw-users

Re: Questions about NuFW's logging

Eric Leblond-3
Hello,

On Wednesday, 2008 June 18 at 15:23:18 +0200, Johann Spies wrote:
> Our present firewall generates about 450 log entries per second after
> we changed the configuration to avoid excessive logging.  Our
> bandwidth will most probably more than double in the next year.
>
> I doubt whether postgresql would be able to handle an input stream
> like that and keep up to date.

I think you are right. Even if it works for some time, the amount of
generated data will cause the system to collapse.

>
> We need to be able to stop a user's connection in real time.  At
> present we use programs to monitor the stateful tables in memory.  The
> problem we have is that those tables do not have information about
> users - they are IP-based.
>
> NuFW supplies the information we need.  Our concern is how to handle
> that information with the huge amount of data that will be generated.

To kill all of a user's connections, you can use the fact that NuFW is able
to mark packets with the user ID. Via CONNMARK it is thus possible to
mark connections with the user ID. Hence, destroying all of a user's
connections is simply a matter of dropping all connection tracking entries
matching a single mark.

> That brings me to a question or two about NuFW's logging:
>
> 1.  What triggers a log entry?

Start and end of connection trigger a log entry.

> 2.  When? When the connection starts, when it is terminated?

Start of a connection is triggered by the authentication of the packet by nuauth.
End of the connection is triggered by the destruction of the connection
in Netfilter connection tracking.

> 3.  If the log entry is generated after the termination of the
>     connection, how would we access the information regarding the
>     connection before it ends?

You can use a connections dump and use the mark to get back to the user account.
By the way, you could use an external logging program to do that and
avoid storing all connections in SQL.

INL, which is NuFW's editor, can provide professional development on this
issue. Don't hesitate to contact me in private about this subject.

> 4.  Has NuFW been tested with traffic similar to our situation?

Tests we did some time ago show that NuFW can handle around 4000 new conn/s:
        http://www.nufw.org/Tests-de-performance-intensifs-sur.html
Based on recent tuning, the performance should have improved by a decent
factor.

BR,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

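The connections-dump approach Eric describes above, as an added example that is not part of the thread or of NuFW itself: parse a `conntrack -L` dump, use the `mark=` field (assumed here to carry the NuFW user ID directly, copied onto the connection by CONNMARK) to find a given user's live connections, and build the `conntrack -D --mark` command that would remove them. The dump lines are constructed sample data.

```python
import re

# Constructed sample of a `conntrack -L` dump. The mark= field is assumed to
# hold the NuFW user id verbatim; mark=0 means no authenticated user.
SAMPLE_DUMP = """\
tcp      6 431999 ESTABLISHED src=10.1.2.3 dst=192.0.2.10 sport=51234 dport=443 src=192.0.2.10 dst=10.1.2.3 sport=443 dport=51234 [ASSURED] mark=1001 use=1
tcp      6 117 TIME_WAIT src=10.1.2.3 dst=192.0.2.20 sport=51240 dport=80 src=192.0.2.20 dst=10.1.2.3 sport=80 dport=51240 [ASSURED] mark=1001 use=1
udp      17 29 src=10.1.2.7 dst=192.0.2.53 sport=40001 dport=53 src=192.0.2.53 dst=10.1.2.7 sport=53 dport=40001 mark=1002 use=1
tcp      6 431000 ESTABLISHED src=10.1.2.9 dst=192.0.2.30 sport=51300 dport=22 src=192.0.2.30 dst=10.1.2.9 sport=22 dport=51300 [ASSURED] mark=0 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack_dump(text):
    """Turn each conntrack -L line into a dict: proto, original-direction tuple, mark."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto = line.split()[0]
        kv = {}
        # src=/dst=/sport=/dport= appear twice per line; the first occurrence is
        # the original direction, so setdefault() keeps it and ignores the reply tuple.
        for key, value in KV.findall(line):
            kv.setdefault(key, value)
        entries.append({
            "proto": proto,
            "src": kv["src"], "dst": kv["dst"],
            "sport": int(kv.get("sport", 0)), "dport": int(kv.get("dport", 0)),
            "mark": int(kv.get("mark", 0)),
        })
    return entries


def connections_for_user(entries, uid):
    """Entries whose mark equals the user id (assumes a 1:1 mark <-> uid mapping)."""
    return [e for e in entries if e["mark"] == uid]


def kill_command(uid):
    """The conntrack invocation that removes every entry carrying this mark.

    Mark 0 is refused: it is the unauthenticated bucket, and deleting it would
    tear down every connection NuFW never tagged with a user.
    """
    if uid <= 0:
        raise ValueError("refusing to delete the unauthenticated mark 0")
    return ["conntrack", "-D", "--mark", str(uid)]
```

Run the command with `subprocess.run(kill_command(uid), check=True)` on the firewall host itself; the parsing functions work on any saved dump, so they can also be run offline against the log sink.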

Re: Questions about NuFW's logging

Johann Spies
Hello Eric,

On Wed, Jun 18, 2008 at 06:02:58PM +0200, Eric Leblond wrote:

> INL, which is NuFW's editor, can provide professional development on this
> issue. Don't hesitate to contact me in private about this subject.
>
> > 4.  Has NuFW been tested with traffic similar to our situation?
>
> Tests we did some time ago show that NuFW can handle around 4000 new conn/s:
> http://www.nufw.org/Tests-de-performance-intensifs-sur.html
> Based on recent tuning, the performance should have improved by a decent
> factor.

Thanks for your reply.  

Regards
Johann


--
Johann Spies          Telephone: 021-808 4036
Information Technology, Universiteit van Stellenbosch

     "My son, if sinners entice thee, consent thou not."
                               Proverbs 1:10

