Date: Thu, 9 Feb 2006 19:53:20 -0800
From: Michael DeMan <michael@staff.openaccess.org>
To: Shawn Saunders <saundersconsult@hotmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Trying to make a Host into a gigabit hub for testing
Message-ID: <78B98AB7-53DF-4825-B861-BBB8890E918F@staff.openaccess.org>
In-Reply-To: <BAY115-DAV1891BFB3E942B7849542A8BA010@phx.gbl>
References: <BAY115-F27FDBF43C06E52B9B7431ABA0A0@phx.gbl> <BAY115-DAV1891BFB3E942B7849542A8BA010@phx.gbl>
Buy a cheap managed switch and set one port up as a monitoring port and dump all your IDS traffic there?

Michael F. DeMan
Director of Technology
OpenAccess Network Services
Bellingham, WA 98225
michael@staff.openaccess.org
360-647-0785

On Feb 7, 2006, at 7:38 AM, Shawn Saunders wrote:

> Hello,
>
> Based on the below configuration, does anyone have an idea of what I might be doing wrong?
>
> The following is a layout of the type of configuration, and I have tried one2many and hub, but was unable to obtain the desired results. Whenever I try to set multiple hooks to the same interface it fails, and trying to bring a group of interfaces to a virtual interface, and then take that virtual interface out multiple different interfaces, seems to fail (I can't even make the connection to the virtual interface go to multiple outs.)
>
> I will have 11 interfaces inbound from 11 different networks.
> I will have 4 outbound to 4 different IDSs and sensors.
> I would like to have 11 interfaces come into a single virtual interface. This way I could run tcpdump and/or snort on the box itself and obtain quick info, and do validation of packet data between the capture system and the IDS and sensors.
> I would like to redirect all the traffic from that one virtual interface to a group of 4 physical interfaces so the sensors can work on it.
>
> Here is a configuration I tried. Any comments or suggestions are appreciated.
> This initial script only takes 3 input interfaces into a single virtual interface. This works.
> Then when I try to take that virtual interface and echo it out multiple interfaces, it fails.
>
> #!/bin/sh
> # Initialize and bring up all interfaces
> for i in 0 1 2 3 4 5 6 7 8 9 10 11
> do /sbin/ifconfig em$i up
> done
> for g in 0 1
> do /sbin/ifconfig bge$g up
> done
> /sbin/ifconfig fxp0 up
> # Load needed kernel modules
> /sbin/kldload /boot/kernel/ng_ether.ko
> /sbin/kldload /boot/kernel/ng_one2many.ko
> /sbin/kldload /boot/kernel/ng_fec.ko
> # Create Virtual Interface
> /usr/sbin/ngctl mkpeer fec dummy fec
> # Bind physical input interfaces to virtual interface
> /usr/sbin/ngctl msg fec0: add_iface '"em0"'
> /usr/sbin/ngctl msg fec0: add_iface '"em1"'
> /usr/sbin/ngctl msg fec0: add_iface '"em2"'
> # Set forwarding mode to mac address layer.
> /usr/sbin/ngctl msg fec0: set_mode_mac
> # Configure the virtual interface to deliver packets out the others
> ngctl mkpeer fec0: one2many upper one
> ngctl name fec0:upper secur
> ngctl connect bge0: secur: upper many0
> ngctl connect bge1: secur: upper many1
> ngctl msg secur: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
> # Set all interfaces Promisc mode and turn off autosrc routing
> for s in 0 1 2 3 4 5 6 7 8 9 10 11
> do /usr/sbin/ngctl msg em$s: setpromisc 1
> /usr/sbin/ngctl msg em$s: setautosrc 0
> done
> for t in 0 1
> do /usr/sbin/ngctl msg bge$t: setpromisc 1
> /usr/sbin/ngctl msg bge$t: setautosrc 0
> done
> #EOF
>
> Before sending 3 pings across em2:
> gigihub# netstat -I bge0 ; netstat -I bge1 ; netstat -I fec0 ; netstat -I em2
>
> Name   Mtu Network        Address             Ipkts Ierrs Opkts Oerrs Coll
> bge0  1500                00:e0:81:32:f4:52       0     0     5     0    0
> bge0  1500 fe80:b::2e0:8  fe80:b::2e0:81ff:       0     -     4     -    -
> Name   Mtu Network        Address             Ipkts Ierrs Opkts Oerrs Coll
> bge1  1500                00:e0:81:32:f4:53       0     0     0     0    0
> bge1  1500 fe80:c::2e0:8  fe80:c::2e0:81ff:       0     -     4     -    -
> Name   Mtu Network        Address             Ipkts Ierrs Opkts Oerrs Coll
> fec0* 1500                00:04:23:c1:0e:50      11     0     0     0    0
> Name   Mtu Network        Address             Ipkts Ierrs Opkts Oerrs Coll
> em2   1500                00:04:23:c1:0e:50      41     0     5     0    0
> em2   1500 fe80:5::204:2  fe80:5::204:23ff:       0     -     4     -    -
>
> After sending 3 pings across em2:
> gigihub# netstat -I bge0 ; netstat -I bge1 ; netstat -I fec0 ; netstat -I em2
>
> Name   Mtu Network        Address             Ipkts Ierrs Opkts Oerrs Coll
> bge0  1500                00:e0:81:32:f4:52       0     0     5     0    0
> bge0  1500 fe80:b::2e0:8  fe80:b::2e0:81ff:       0     -     4     -    -
> Name   Mtu Network        Address             Ipkts Ierrs Opkts Oerrs Coll
> bge1  1500                00:e0:81:32:f4:53       0     0     0     0    0
> bge1  1500 fe80:c::2e0:8  fe80:c::2e0:81ff:       0     -     4     -    -
> Name   Mtu Network        Address             Ipkts Ierrs Opkts Oerrs Coll
> fec0* 1500                00:04:23:c1:0e:50      15     0     0     0    0
> Name   Mtu Network        Address             Ipkts Ierrs Opkts Oerrs Coll
> em2   1500                00:04:23:c1:0e:50      45     0     5     0    0
> em2   1500 fe80:5::204:2  fe80:5::204:23ff:       0     -     4     -    -
>
> Shawn Saunders
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
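Shawn's before/after netstat snapshots are the evidence that the fan-out is not working: fec0 takes in four more packets while the Opkts counters on bge0 and bge1 do not move. As an added example that is not part of the thread, here is a small Python check that parses such snapshots and flags sensor interfaces whose egress grew by less than the capture interface's ingress; the snapshots are constructed after the thread's figures, and the `<Link#N>` column and combined listing are assumed rather than taken from the post.

```python
"""Validate a tap-to-sensor fan-out from two 'netstat -I' snapshots.

Every packet entering the aggregated capture interface should leave each
sensor interface, so each sensor's Opkts delta must be at least the
capture interface's Ipkts delta over the same test burst. Snapshots are
constructed after the thread's figures; <Link#N> values are assumed.
"""
import re

# Link-layer row: name, MTU, <Link#N>, MAC, then Ipkts Ierrs Opkts Oerrs Coll
LINK_ROW = re.compile(
    r"^(\S+)\s+\d+\s+<Link#\d+>\s+(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\s+(.*)$")

BEFORE = """\
Name   Mtu Network       Address            Ipkts Ierrs Opkts Oerrs Coll
bge0  1500 <Link#1>      00:e0:81:32:f4:52      0     0     5     0    0
bge0  1500 fe80:b::2e0:8 fe80:b::2e0:81ff:      0     -     4     -    -
bge1  1500 <Link#2>      00:e0:81:32:f4:53      0     0     0     0    0
fec0* 1500 <Link#3>      00:04:23:c1:0e:50     11     0     0     0    0
em2   1500 <Link#4>      00:04:23:c1:0e:50     41     0     5     0    0
"""
# The same box after three pings were sent across em2.
AFTER = """\
Name   Mtu Network       Address            Ipkts Ierrs Opkts Oerrs Coll
bge0  1500 <Link#1>      00:e0:81:32:f4:52      0     0     5     0    0
bge1  1500 <Link#2>      00:e0:81:32:f4:53      0     0     0     0    0
fec0* 1500 <Link#3>      00:04:23:c1:0e:50     15     0     0     0    0
em2   1500 <Link#4>      00:04:23:c1:0e:50     45     0     5     0    0
"""


def parse_netstat(text):
    """Return {ifname: (ipkts, opkts)} from link-layer rows; IPv6 rows
    ('-' in error columns) are skipped and a trailing '*' (down) dropped."""
    counters = {}
    for line in text.splitlines():
        m = LINK_ROW.match(line.strip())
        if m:
            ipkts, _ierrs, opkts = (int(v) for v in m.group(2).split()[:3])
            counters[m.group(1).rstrip("*")] = (ipkts, opkts)
    return counters


def check_fanout(before, after, capture_if, sensor_ifs):
    """Return (ingress delta, sensors whose egress grew by less than it)."""
    ingress = after[capture_if][0] - before[capture_if][0]
    starved = [s for s in sensor_ifs if after[s][1] - before[s][1] < ingress]
    return ingress, starved
```

Run against the thread's numbers, `check_fanout(parse_netstat(BEFORE), parse_netstat(AFTER), "fec0", ["bge0", "bge1"])` reports an ingress of 4 and both sensor ports starved, which is the same conclusion the tables show by eye.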