From: Chuck Swiger
Date: Thu, 13 Sep 2007 12:35:20 -0700
To: Brian McCann
Cc: freebsd-questions
Subject: Re: Bridging and port mirroring

On Sep 13, 2007, at 9:29 AM,
Brian McCann wrote:

> I've got a server with two NICs configured for bridging and running
> bunches of ipfw rules. I'd like to add a 3rd NIC and have it mirror
> the 2nd NIC (so all traffic into and out of nic2 goes to nic3), so I
> can run an IDS on another server. Yes, I know that has the potential
> to overload nic3 if there is a lot of traffic going in and out of
> nic2, but that's not an issue for me.
>
> Has anyone done this before, or know how to do this?

You might get some traction from the "ipfw tee" command, although that is intended for use together with a divert socket (i.e., such as bouncing the packets through natd). Otherwise, try looking into the netgraph ng_tee node:

"DESCRIPTION
The tee node type has a purpose similar to the tee(1) command. Tee nodes are useful for debugging or ``snooping'' on a connection between two netgraph nodes. Tee nodes have four hooks, right, left, right2left, and left2right. All data received on right is sent unmodified to both hooks left and right2left. Similarly, all data received on left is sent unmodified to both right and left2right."

-- 
-Chuck
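One way to build the ng_tee mirror Chuck points at, as an added example that is not from the original thread: a POSIX sh script that emits the ngctl commands for splicing a tee between the bridged NIC's ng_ether "lower" and "upper" hooks (so every frame in either direction is duplicated) and merging both copies onto the spare NIC through ng_one2many. The interface names em1 (bridged NIC) and em2 (mirror NIC) are assumptions; the script prints the commands so they can be reviewed and then piped into sh.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the netgraph wiring that copies
# all frames entering or leaving "$1" onto "$2". Interface names are assumed.
#
#   sh mirror.sh em1 em2 | sh            # apply
#   sh mirror.sh em1 em2 teardown | sh   # undo

mirror_cmds() {
    src="$1"   # bridge member to snoop on (ng_ether node is named after it)
    mir="$2"   # NIC the IDS sensor is cabled to; carries no IP address
    # kldload complains harmlessly if a module is already loaded.
    cat <<EOF
kldload ng_ether ng_tee ng_one2many
ngctl mkpeer ${src}: tee lower left
ngctl name ${src}:lower ${src}_tee
ngctl connect ${src}: ${src}_tee: upper right
ngctl mkpeer ${src}_tee: one2many left2right many0
ngctl name ${src}_tee:left2right ${src}_mirror
ngctl connect ${src}_tee: ${src}_mirror: right2left many1
ngctl connect ${src}_mirror: ${mir}: one lower
ifconfig ${mir} up
EOF
}
# Wire-in on "lower" (tee left) -> "upper" (tee right) = stack/bridge, plus a
# copy on left2right; stack-out on "upper" -> "lower" = wire, plus a copy on
# right2left. one2many forwards both copies out its "one" hook to ${mir}.
# Caveat: frames the sensor host transmits on ${mir} come back through
# one2many into the tee, so keep the IDS side passive (receive-only).

teardown_cmds() {
    src="$1"
    # Shutting down the tee and one2many nodes frees the ng_ether hooks;
    # ${src} then returns to normal driver<->stack delivery.
    cat <<EOF
ngctl shutdown ${src}_mirror:
ngctl shutdown ${src}_tee:
EOF
}

if [ $# -ge 2 ]; then
    if [ "$3" = "teardown" ]; then
        teardown_cmds "$1"
    else
        mirror_cmds "$1" "$2"
    fi
fi
```

The copy is taken at the ng_ether node, between the driver and the stack, which is why it captures what arrives on and leaves the bridged NIC rather than only what the bridge forwards.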