Date: Fri, 6 Dec 2002 10:53:33 -0300 (ART)
From: Fernando Gleiser
To: Brian McCann
Cc: questions@FreeBSD.org
Subject: Re: IPFW & Snort

On Thu, 5 Dec 2002, Brian McCann wrote:

> Simple question for you all...but it evades me. I'm trying to set up a
> box that will monitor a network, but be totally invisible to that
> network, but it needs an IP since it will be using some programs like
> BigBrother and whatnot. So...my question is...if I use IPFW to block,
> for example, all ports and effectively totally blocking TCP/IP, will
> Snort still be able to capture TCP/IP packets? Has anyone tried/done

Yes, it will work. Sniffers work at Ethernet level and ipf/ipfw work at IP
level, so the sniffer "sees" the packets before the firewall.

But that won't make the box invisible. If it has an IP, you can tell it's
there. If you want it to be invisible, don't assign an IP to the box and
disable ARP for the NIC. You can even cut the transmit wires on the patchcord
if you are really paranoid :)

Fer

> this?
>
> Thanks & Happy Holidays,
> --Brian