From owner-freebsd-questions Thu Dec 5 22:31:44 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C5F2937B401 for ; Thu, 5 Dec 2002 22:31:42 -0800 (PST)
Received: from portal.aphroland.org (portal.aphroland.org [216.39.174.24]) by mx1.FreeBSD.org (Postfix) with ESMTP id D65C743EC2 for ; Thu, 5 Dec 2002 22:31:41 -0800 (PST) (envelope-from freebsd@aphroland.org)
Received: by portal.aphroland.org (Postfix, from userid 1010) id 586B6278018; Thu, 5 Dec 2002 22:34:45 -0800 (PST)
Received: from portal.aphroland.org (debian [127.0.0.1]) by portal.aphroland.org (Postfix) with SMTP id 09E17278017 for ; Thu, 5 Dec 2002 22:34:42 -0800 (PST)
Received: from redhat.aphroland.org ([10.10.10.7]) (SquirrelMail authenticated user aphro) by webmail.linuxpowered.net with HTTP; Thu, 5 Dec 2002 22:34:42 -0800 (PST)
Message-ID: <60998.10.10.10.7.1039156482.squirrel@webmail.linuxpowered.net>
Date: Thu, 5 Dec 2002 22:34:42 -0800 (PST)
Subject: Re: IPFW & Snort
From: "nate"
To:
X-XheaderVersion: 1.1
X-UserAgent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2b) Gecko/20021029 Phoenix/0.4
In-Reply-To: <000c01c29cdb$4f651270$1500a8c0@dogbert>
References: <000c01c29cdb$4f651270$1500a8c0@dogbert>
X-Priority: 3
Importance: Normal
X-Mailer: SquirrelMail (version 1.2.9)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, hits=-0.4 required=5.0 tests=IN_REP_TO,MSG_ID_ADDED_BY_MTA_3,QUOTED_EMAIL_TEXT,REFERENCES,SPAM_PHRASE_00_01 version=2.42
X-Spam-Level:
X-Sanitizer: This message has been sanitized!
X-Sanitizer-URL: http://mailtools.anomy.net/
X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.54 2002/02/15 16:59:07 bre Exp $
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Brian McCann said:
> Simple question for you all...but it evades me. I'm trying to set up a box
> that will monitor a network, but be totally invisible to that
> network, but it needs an IP since it will be using some programs like
> BigBrother and whatnot. So...my question is...if I use IPFW to block, for
> example, all ports and effectively totally blocking TCP/IP, will Snort
> still be able to capture TCP/IP packets? Has anyone tried/done this?

I recommend just using 3 NIC interfaces. Run 2 of 'em in bridged mode, e.g. my home network is protected by a FreeBSD box running 4 NICs: 1 management (inside internal firewall), NICs 2 and 3 are bridging, NIC 2 is the firewall, NIC 3 is snort, NIC 4 is not being used. This way, since all traffic goes across 2 interfaces, I can run snort on the "internal" one so it has no chance of detecting what is dropped on the "external" one. Then behind that machine I have another machine doing the NAT. Works great.

nate

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
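The three-NIC layout nate describes (one addressed management NIC, two address-less bridge members, the firewall on the outside member and Snort listening on the inside member), as an added example that is not from the original thread: an rc.conf(5) fragment written for the if_bridge(4) driver of current FreeBSD (the 2002 message predates it), followed by a small sh check that the sniffing member carries no address at all. The interface names em0/em1/em2, the 192.0.2.0/24 documentation address, the ipfw rules path and the `snort_interface` rc variable of the ports rc script are assumptions; the ifconfig(8) output the check runs over is constructed.

```shell
#!/bin/sh
# Added example, not from the original message. Assumed interface names:
#   em0  management NIC, the only one with an IP, on the internal network
#   em1  outside bridge member (ipfw filters here)
#   em2  inside bridge member (snort listens here, sees only what ipfw passed)

# --- /etc/rc.conf fragment (assumed names and addresses) ---
ifconfig_em0="inet 192.0.2.10 netmask 255.255.255.0"
cloned_interfaces="bridge0"
ifconfig_em1="up"                       # no address: the member is silent
ifconfig_em2="up"                       # no address: the sensor is silent
ifconfig_bridge0="addm em1 addm em2 up"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"         # assumed path to the ipfw rule file
snort_enable="YES"
snort_interface="em2"                   # rc variable of the ports snort script (assumed)
# With ipfw on a bridge the sysctl net.link.bridge.ipfw=1 (and the
# pfil_member/pfil_bridge knobs) decide whether frames are filtered per
# member or once on bridge0; set it in /etc/sysctl.conf.

# Constructed ifconfig -a output for the layout above (not captured).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:02
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Exit 0 when interface $1 has no inet/inet6 line in the ifconfig output on
# stdin. An IPv6 link-local on a member counts as an address too: it would
# make the sensor answer neighbour discovery, which is what we want to avoid.
iface_has_no_ip() {
    awk -v want="$1" '
        /^[a-z]/ { cur = $1; sub(":$", "", cur) }          # new interface block
        cur == want && ($1 == "inet" || $1 == "inet6") { found = 1 }
        END { exit found ? 1 : 0 }'
}

# Exit 0 when the sample matches the intended design: both bridge members
# silent, the management NIC addressed.
check_sensor_layout() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | iface_has_no_ip em1 || return 1
    printf '%s\n' "$SAMPLE_IFCONFIG" | iface_has_no_ip em2 || return 1
    if printf '%s\n' "$SAMPLE_IFCONFIG" | iface_has_no_ip em0; then
        return 1                        # management NIC lost its address
    fi
    return 0
}

if check_sensor_layout; then
    echo "sensor layout OK: em1/em2 carry no address, em0 does"
else
    echo "sensor layout WRONG" >&2
fi
```

Run the check against real output with `ifconfig -a | iface_has_no_ip em2` once the box is up; if it fails, the sniffing NIC has picked up an address and is no longer invisible on the monitored segment.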