Re: IP Filters? (fwd)

Fernando da Silveira Montenegro (montenegro@nutec.com.br)
Wed, 9 Jul 1997 18:30:15 -0300

Hi!

>>Is there a way to see how many packets are being handled by each rule
>>(similar to Cisco "show access-list x"), so I can play with the ordering
>>based on actual data? If not, what does it take to make it an RFE? :-)
>
>the 'log' keyword will syslog a notice each time the rule is hit.
>
>MZ

Yes, "log" works fine, and is the basis of our "more serious" alerts, such
as dialups trying to Telner our PMs. However, take a look at the output
from a Cisco (slightly edited...)

show access-list 101
permit tcp any any established (73048149 matches)
deny udp any any range 135 139 (176027 matches)
deny udp any any eq 2049 (164 matches)
deny udp any any eq sunrpc
permit udp any any (36431719 matches)
permit tcp any host 192.168.1.1 eq smtp (53081 matches)
permit tcp any host 192.168.1.1 eq 113 (240630 matches)
deny tcp any host 192.168.1.1 (520 matches)
deny tcp any any range 135 139 (407 matches)
deny tcp any any eq sunrpc
deny tcp any any eq 2049 (38 matches)
permit tcp any any (4749786 matches)
permit icmp any any (837948 matches)

"log"ing each rule will be a bit too hard on our poor syslog host... :-)

We can see that "established" matches the most traffic (pretty obvious,
but...) and that there are more UDP packets singled out than TCP, so
that's why I put them near the beginning of the filter. This is the kind
of output I'm looking for.

My problem is that this is the output of our "egress" router (so we use
the term more often, as per recent discussions either here or in
inet-access, I forget which... :-) ) and doesn't necessarily reflect the
behaviour of our dialup pool, since there are quite a few websites, Quake
servers, POP servers, ... that also use this router.

regards,
Fernando

--
Fernando da Silveira Montenegro     Nutec Informatica
System/Network Administrator        Sao Paulo, SP, BRAZIL
mailto:montenegro@nutec.com.br      http://www.nutecnet.com.br
voice.:+55-11-5505-5728             #include <disclaimer.h>
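As an added illustration (not part of Fernando's post or any vendor tool), here is a small Python parser for the "show access-list" output quoted above. It tallies hits per protocol, costs the current rule order under first-match semantics (rule i costs i+1 comparisons per packet that hits it), and lists only those adjacent swaps that would save comparisons without changing policy. The disjointness test (different IP protocol) is a conservative assumption of mine, as is the sample, which is a copy of the quoted counters.

```python
import re
from collections import Counter

# Constructed sample: the "show access-list 101" output quoted in the post above.
SAMPLE_OUTPUT = """\
permit tcp any any established (73048149 matches)
deny udp any any range 135 139 (176027 matches)
deny udp any any eq 2049 (164 matches)
deny udp any any eq sunrpc
permit udp any any (36431719 matches)
permit tcp any host 192.168.1.1 eq smtp (53081 matches)
permit tcp any host 192.168.1.1 eq 113 (240630 matches)
deny tcp any host 192.168.1.1 (520 matches)
deny tcp any any range 135 139 (407 matches)
deny tcp any any eq sunrpc
deny tcp any any eq 2049 (38 matches)
permit tcp any any (4749786 matches)
permit icmp any any (837948 matches)
"""

# Rule text, then an optional "(N matches)" suffix; rules never hit carry no suffix.
LINE_RE = re.compile(r"^(?P<rule>(?P<action>permit|deny)\s+(?P<proto>\w+)\b.*?)"
                     r"(?:\s+\((?P<n>\d+) matches\))?$")

def parse_acl(text: str) -> list[dict]:
    """Turn ACL lines into dicts: pos (0-based), action, proto, rule text, matches."""
    rules: list[dict] = []
    for m in filter(None, (LINE_RE.match(l.strip()) for l in text.splitlines())):
        rules.append({"pos": len(rules), "action": m["action"], "proto": m["proto"],
                      "rule": m["rule"], "matches": int(m["n"] or 0)})
    return rules

def matches_by_proto(rules: list[dict]) -> dict[str, int]:
    """Total hits per IP protocol, to see whether UDP or TCP rules earn the early slots."""
    totals: Counter = Counter()
    for r in rules:
        totals[r["proto"]] += r["matches"]
    return dict(totals)

def evaluation_cost(rules: list[dict]) -> int:
    """Comparisons spent on the counted packets under first-match semantics: a packet
    that hit rule i was tested against rules 0..i, i.e. i+1 comparisons."""
    return sum(r["matches"] * (r["pos"] + 1) for r in rules)

def adjacent_safe_swaps(rules: list[dict]) -> list[tuple[int, int]]:
    """Adjacent pairs (i, i+1) where swapping lowers the cost AND cannot change policy:
    only rules for different protocols are treated as disjoint, all others keep their order."""
    return [(a["pos"], b["pos"]) for a, b in zip(rules, rules[1:])
            if b["matches"] > a["matches"] and a["proto"] != b["proto"]]
```

On the sample the swap list comes back empty, which agrees with the post's reasoning that the UDP rules already sit early enough; rules with a zero counter (the two sunrpc entries) show up with matches == 0 rather than being dropped, since a counter reset or a quiet period is not evidence that a rule is unneeded.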