Date: Fri, 23 Jul 2004 14:50:44 -0400
From: Bill Moran <wmoran@potentialtech.com>
To: Barbish3@adelphia.net
Cc: freebsd-questions@freebsd.org
Subject: Re: Packet filters
Message-ID: <20040723145044.2a627c38.wmoran@potentialtech.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGMEJDGHAA.Barbish3@adelphia.net>
References: <20040723142122.4f7bfcd7.wmoran@potentialtech.com> <MIEPLLIBMLEEABPDBIEGMEJDGHAA.Barbish3@adelphia.net>
"JJB" <Barbish3@adelphia.net> wrote:

> Bill's post is correct only if the firewall defaults to pass all.

True. I guess the point that I didn't make clear (because I didn't state it
at all) is that the firewall doesn't do anything that isn't clearly stated
in the rules. Even when it's set to drop by default, you can see that a rule
is added at the end of the ruleset to that effect.

> If your firewall defaults to deny all, then you need a pass all rule
> for each interface you want to pass through the firewall.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Bill Moran
> Sent: Friday, July 23, 2004 2:21 PM
> To: Andy Baran
> Cc: freebsd-questions@freebsd.org
> Subject: Re: Packet filters
>
> "Andy Baran" <abaran1@depaul.edu> wrote:
> > This question sounds like it has an easy answer at first but please bear
> > with me. I am going to setup a network tap to monitor network traffic
> > flows. The machine will be running FreeBSD 4.10 and has two NICs. One
> > interface will be used for management and the other will be to collect
> > the flows. Obviously, security is a concern with a machine of this
> > nature so I need to setup a firewall on the management interface.
> > However, I need to be absolutely sure that the firewall will not be
> > handling any of the packets on the second interface. I am well aware
> > that IPFW and IPF can both be setup to monitor only a specific
> > interface. However, I'd like verification from someone familiar with
> > the code for either that the filter will not touch packets on the
> > interface being used as a tap. My apologies if I'm posing this question
> > to the wrong list. If I am please let me know whom I should be asking.
> > Thanks in advance for any replies.
>
> Since nobody else has answered ...
>
> While I can't, personally, verify this "at the code level", I can say from
> experience, that ALL packets go through the firewall. Whether or not the
> firewall "handles" any of the packets is simply a matter of your ruleset.
> Using IPFW, if the packets do not match any rules, they'll simply pass in
> one side of the packet filter, and out the other. With the setup you
> describe, you can easily ensure that the packets never get altered by
> having a "via" clause in all your rules.
>
> For example, if your sniffing interface is fxp0 and your management
> interface is fxp1, then rules similar to:
> ipfw add drop tcp from any to any 25 via fxp1
> Will _never_ match a packet that comes in or goes out through the fxp0 card.
>
> HTH.
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
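As an added example (not code from anyone in the thread), a small Python model of ipfw's first-match rule walk that checks both points made above: rules carrying "via fxp1" never match traffic on the tap interface fxp0, and under a default-deny firewall the tap traffic is dropped until an explicit pass rule for fxp0 is added. The interface names and the drop rule come from the thread; the parser handles only that rule subset and the sample packets are constructed.

```python
# Added example: a toy model of ipfw first-match semantics with "via".
# Interface names fxp0/fxp1 and the drop rule are from the thread; the
# rule parser covers only this subset and the packets are constructed.

def parse_rule(line):
    """Parse 'ipfw add ACTION PROTO from any to any [PORT] [via IFACE]'."""
    words = line.split()
    if words[:2] != ["ipfw", "add"] or words[4:8] != ["from", "any", "to", "any"]:
        raise ValueError("unsupported rule: " + line)
    rule = {"action": words[2], "proto": words[3], "port": None, "via": None}
    rest = words[8:]
    if rest and rest[0].isdigit():
        rule["port"] = int(rest.pop(0))
    if rest[:1] == ["via"]:
        rule["via"] = rest[1]
    return rule

def matches(rule, pkt):
    """pkt: dict with 'proto', 'dport' and 'iface' (the interface the packet
    comes in or goes out on; in ipfw, 'via' covers both directions)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["port"] is not None and rule["port"] != pkt["dport"]:
        return False
    if rule["via"] is not None and rule["via"] != pkt["iface"]:
        return False
    return True

def verdict(ruleset, pkt, default="pass"):
    """The first matching rule decides, as in ipfw. `default` stands in for
    the implicit last rule 65535, which is pass-all or deny-all depending on
    how the kernel was built."""
    for rule in map(parse_rule, ruleset):
        if matches(rule, pkt):
            return rule["action"]
    return default

# Management-interface rules from the thread (all scoped with "via fxp1")
# and the extra pass rule a default-deny firewall needs for the tap.
MGMT_RULES = ["ipfw add drop tcp from any to any 25 via fxp1",
              "ipfw add pass tcp from any to any 22 via fxp1"]
TAP_PASS = "ipfw add pass ip from any to any via fxp0"

# Constructed sample traffic: SMTP seen on each interface.
smtp_tap = {"proto": "tcp", "dport": 25, "iface": "fxp0"}
smtp_mgmt = {"proto": "tcp", "dport": 25, "iface": "fxp1"}

if __name__ == "__main__":
    # Default pass-all: fxp1 SMTP is dropped, fxp0 SMTP passes untouched.
    print(verdict(MGMT_RULES, smtp_mgmt), verdict(MGMT_RULES, smtp_tap))
    # Default deny-all: tap traffic is denied until TAP_PASS is added.
    print(verdict(MGMT_RULES, smtp_tap, default="deny"),
          verdict(MGMT_RULES + [TAP_PASS], smtp_tap, default="deny"))
```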