Date:      Fri, 23 Jul 2004 13:38:04 -0500
From:      "Andy Baran" <abaran1@depaul.edu>
To:        <wmoran@potentialtech.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Packet filters
Message-ID:  <s10114d5.087@gwia-loop-1.srv.depaul.edu>

Thanks Bill, I was beginning to think I might never get an answer.

>>> Bill Moran <wmoran@potentialtech.com> 07/23/04 01:21PM >>>
"Andy Baran" <abaran1@depaul.edu> wrote:
> This question sounds like it has an easy answer at first but please bear
> with me.  I am going to set up a network tap to monitor network traffic
> flows.  The machine will be running FreeBSD 4.10 and has two NICs.  One
> interface will be used for management and the other will be to collect
> the flows.  Obviously, security is a concern with a machine of this
> nature so I need to set up a firewall on the management interface.
> However, I need to be absolutely sure that the firewall will not be
> handling any of the packets on the second interface.  I am well aware
> that IPFW and IPF can both be set up to monitor only a specific
> interface.  However, I'd like verification from someone familiar with
> the code for either that the filter will not touch packets on the
> interface being used as a tap.  My apologies if I'm posing this question
> to the wrong list.  If I am, please let me know whom I should be asking.
> Thanks in advance for any replies.

Since nobody else has answered ...

While I can't, personally, verify this "at the code level", I can say from
experience that ALL packets go through the firewall.  Whether or not the
firewall "handles" any of the packets is simply a matter of your ruleset.
Using IPFW, if the packets do not match any rules, they'll simply pass in
one side of the packet filter, and out the other.  With the setup you
describe, you can easily ensure that the packets never get altered by
having a "via" clause in all your rules.

For example, if your sniffing interface is fxp0 and your management
interface is fxp1, then rules similar to:

    ipfw add drop tcp from any to any 25 via fxp1

will _never_ match a packet that comes in or goes out through the fxp0
card.

HTH.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com 
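An added example (not from the thread or its authors) that turns the "via clause in every rule" advice into a checked ruleset for the two-NIC tap host: a lint rejects any rule that could match traffic on the tap NIC before the rules are loaded. fxp0 (tap) and fxp1 (management) follow the thread; ADMIN_NET and the rule bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: an ipfw(8) ruleset for the
# two-NIC tap host, plus a lint that rejects any rule lacking an explicit
# "via" clause, because such a rule matches packets on every interface,
# the tap NIC included. fxp0/fxp1 follow the thread; ADMIN_NET is constructed.

TAP_IF=fxp0
MGMT_IF=fxp1
ADMIN_NET=192.0.2.0/24   # constructed; substitute the real admin subnet

# Rule bodies, one per line, without the leading "ipfw add".
# Stateless on purpose: dynamic (keep-state) rules match on addresses
# and ports only, so they could be hit by flows seen on the tap NIC.
tap_host_ruleset() {
    cat <<EOF
allow ip from any to any via $TAP_IF
allow tcp from $ADMIN_NET to me 22 via $MGMT_IF
allow tcp from me 22 to $ADMIN_NET via $MGMT_IF
allow udp from me to any 53 via $MGMT_IF
allow udp from any 53 to me via $MGMT_IF
allow icmp from any to me icmptypes 8 via $MGMT_IF
allow icmp from me to any icmptypes 0 via $MGMT_IF
deny log ip from any to any via $MGMT_IF
EOF
}

# check_ruleset: read rule bodies on stdin. Every rule must carry
# "via $MGMT_IF"; the only rule allowed to name the tap interface is the
# unconditional pass. Prints offenders and returns 1 if any are found.
check_ruleset() {
    rc=0
    while IFS= read -r rule; do
        case "$rule" in
            ''|'#'*) continue ;;
            "allow ip from any to any via $TAP_IF") continue ;;
            *" via $MGMT_IF"|*" via $MGMT_IF "*) continue ;;
            *) echo "rule can match tap traffic: $rule"; rc=1 ;;
        esac
    done
    return $rc
}

# Load the rules only after the lint passes (needs root and ipfw).
load_ruleset() {
    tap_host_ruleset | check_ruleset || return 1
    tap_host_ruleset | while IFS= read -r rule; do
        ipfw -q add $rule
    done
}
```

The explicit pass rule for fxp0 keeps tap traffic independent of the kernel's default rule 65535, which denies unless the kernel is built with IPFIREWALL_DEFAULT_TO_ACCEPT.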