Date: Thu, 13 Sep 2007 12:35:20 -0700
From: Chuck Swiger <cswiger@mac.com>
To: Brian McCann <bjmccann@gmail.com>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: Bridging and port mirroring
Message-ID: <61ED3E7E-B30E-4665-98A9-F484A2345259@mac.com>
In-Reply-To: <2b5f066d0709130929w7c4aa02ax4bc25282ff7122c5@mail.gmail.com>
References: <2b5f066d0709130929w7c4aa02ax4bc25282ff7122c5@mail.gmail.com>
On Sep 13, 2007, at 9:29 AM, Brian McCann wrote:

> I've got a server with two NICs configured for bridging and running
> bunches of ipfw rules. I'd like to add a 3rd NIC and have it mirror
> the 2nd NIC (so all traffic into and out of nic2 goes to nic3), so I
> can run an IDS on another server. Yes, I know that has the potential
> to overload nic3 if there is a lot of traffic going in and out of
> nic2, but that's not an issue for me.
>
> Has anyone done this before, or know how to do this?

You might get some traction from the "ipfw tee" command, although that is intended for use together with a divert socket (i.e., such as bouncing the packets through natd). Otherwise, try looking into the netgraph ng_tee node:

"DESCRIPTION
The tee node type has a purpose similar to the tee(1) command. Tee nodes are useful for debugging or ``snooping'' on a connection between two netgraph nodes. Tee nodes have four hooks, right, left, right2left, and left2right. All data received on right is sent unmodified to both hooks left and right2left. Similarly, all data received on left is sent unmodified to both right and left2right."

--
-Chuck
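The ng_tee wiring Chuck points at, as an added example that is not part of the thread and not FreeBSD's own code: a script that inserts a tee between a bridge member's lower and upper hooks and merges the two copy hooks onto a spare interface for a passive sensor. Interface names em1/em2, the node names, and the use of ng_one2many to merge the two copy streams are assumptions; set NGCTL=echo to see the commands without applying them.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): mirror every frame
# entering or leaving one bridge member (the poster's "nic2") onto a spare
# interface ("nic3") with netgraph ng_tee, so an IDS on that wire sees a copy.
# Interface names em1/em2 and the ng_one2many merge are assumptions.
set -e
NG=${NGCTL:-ngctl}   # NGCTL=echo prints the commands instead of running them

ng_mirror() {
    src=$1    # interface to mirror
    dst=$2    # interface that carries the copy
    # 1. Insert a tee between the NIC (lower hook) and the host stack (upper):
    #      wire  -> src:lower -> tee left  -> tee right -> src:upper -> stack
    #      stack -> src:upper -> tee right -> tee left  -> src:lower -> wire
    $NG mkpeer "${src}:" tee lower left
    $NG name "${src}:lower" "${src}_tee"
    $NG connect "${src}:" "${src}_tee:" upper right
    # 2. The tee copies inbound frames to left2right and outbound frames to
    #    right2left. Merge both copies with ng_one2many (many -> one) and hand
    #    the single stream to dst:lower, which transmits it on the mirror port.
    $NG mkpeer "${src}_tee:" one2many left2right many0
    $NG name "${src}_tee:left2right" "${src}_mirror"
    $NG connect "${src}_tee:" "${src}_mirror:" right2left many1
    $NG connect "${src}_mirror:" "${dst}:" one lower
    # Caveat: frames the mirror port *receives* can flow back through the
    # one2many node into src's stack, so keep the sensor side passive
    # (no address on its interface, capture only).
}

ng_unmirror() {
    # Shutting the two nodes down disconnects src's lower/upper hooks, and
    # ng_ether resumes normal delivery on the interface.
    $NG shutdown "${1}_mirror:"
    $NG shutdown "${1}_tee:"
}

# Usage: sh mirror.sh em1 em2   (with no arguments, defines the functions only)
if [ $# -ge 1 ]; then
    ng_mirror "$1" "${2:-em2}"
fi
```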