From: Brian McCann
Subject: RE: IPFW & Snort
Date: Fri, 06 Dec 2002 13:26:03 -0500
To: questions@FreeBSD.org
In-reply-to: <60998.10.10.10.7.1039156482.squirrel@webmail.linuxpowered.net>
Message-id: <002a01c29d54$ef6ae910$1500a8c0@dogbert>

That would work for my home setup great, but I don't/can't run NAT on the box that this must be done on... it's in a "Security Lab" for RIT, where students in a class will be "hacking" into machines other students set up... and all this machine will be doing is watching everything that goes on.

Thanks!
--Brian

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of nate
Sent: Friday, December 06, 2002 1:35 AM
To: questions@FreeBSD.org
Subject: Re: IPFW & Snort

Brian McCann said:
> Simple question for you all... but it evades me. I'm trying to set up a
> box that will monitor a network, but be totally invisible to that
> network, but it needs an IP since it will be using some programs like
> BigBrother and whatnot. So... my question is... if I use IPFW to block,
> for example, all ports and effectively totally block TCP/IP, will
> Snort still be able to capture TCP/IP packets? Has anyone tried/done
> this?

I recommend just using 3 NIC interfaces: run 2 of 'em in bridged mode. E.g., my home network is protected by a FreeBSD box running 4 NICs: 1 management (inside internal firewall), NICs 2 and 3 are bridging, NIC 2 is the firewall, NIC 3 is snort, NIC 4 is not being used. This way, since all traffic goes across 2 interfaces, I can run snort on the "internal" one so it has no chance of detecting what is dropped on the "external" one. Then behind that machine I have another machine doing the NAT. Works great.

nate

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
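The sensor layout discussed in this thread (a management NIC that carries the box's only address, a sniffing NIC with no address, optionally bridged in-line as nate does), written out as an added example that is not code from either poster. It assumes FreeBSD's ipfw(8) and if_bridge(4); the interface names em0/em1/em2, the 192.0.2.0/24 management network and the rule numbers are placeholders, and the functions only print the plan so it can be reviewed before being run on the sensor.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an ipfw rule set for a passive
# sensor: the host answers only on its management NIC, and drops anything
# addressed to it on the sniffing NIC. Snort on the sniffing NIC still sees
# every frame, because bpf taps packets before ipfw inspects them.
# Placeholders: interface names, management network, rule numbers.

sensor_rules() {
    mgmt_if=$1      # NIC holding the sensor's IP (e.g. em0)
    mgmt_net=$2     # hosts allowed to reach the sensor (e.g. 192.0.2.0/24)
    sniff_if=$3     # NIC snort listens on; carries no IP address (e.g. em1)
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
# Management-only access (BigBrother, ssh) on the management NIC
ipfw add 200 allow ip from ${mgmt_net} to me in via ${mgmt_if}
ipfw add 210 allow ip from me to ${mgmt_net} out via ${mgmt_if}
# Nothing in or out of the stack on the sniffing NIC; bpf (snort) is
# unaffected. With the default net.link.bridge.ipfw=0 this rule does not
# touch frames merely forwarded across a bridge that includes ${sniff_if}.
ipfw add 300 deny ip from any to any via ${sniff_if}
ipfw add 65000 deny ip from any to any
EOF
}

# In-line variant, as in nate's setup: two NICs joined by a bridge, snort
# listening on the inside member so it sees only traffic the firewall passed.
bridge_cmds() {
    outside_if=$1
    inside_if=$2
    cat <<EOF
ifconfig ${outside_if} up
ifconfig ${inside_if} up
ifconfig bridge0 create
ifconfig bridge0 addm ${outside_if} addm ${inside_if} up
EOF
}

# Print both plans for review (placeholders; nothing is applied here).
sensor_rules em0 192.0.2.0/24 em1
bridge_cmds em1 em2
```

Review the printed commands, then apply them on the sensor with `sh` once the interface names and management network match the real box.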