Date:      Fri, 23 Jul 2004 14:50:44 -0400
From:      Bill Moran <wmoran@potentialtech.com>
To:        Barbish3@adelphia.net
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Packet filters
Message-ID:  <20040723145044.2a627c38.wmoran@potentialtech.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGMEJDGHAA.Barbish3@adelphia.net>
References:  <20040723142122.4f7bfcd7.wmoran@potentialtech.com> <MIEPLLIBMLEEABPDBIEGMEJDGHAA.Barbish3@adelphia.net>

"JJB" <Barbish3@adelphia.net> wrote:
> Bill's post is correct only if the firewall defaults to pass all.

True.

I guess the point that I didn't make clear (because I didn't state it at
all) is that the firewall doesn't do anything that isn't clearly stated
in the rules.  Even when it's set to drop by default, you can see that
a rule is added at the end of the ruleset to that effect.

> 
> If your firewall defaults to deny all, then you need a pass all rule
> for each interface you want to pass through the firewall.
> 
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Bill Moran
> Sent: Friday, July 23, 2004 2:21 PM
> To: Andy Baran
> Cc: freebsd-questions@freebsd.org
> Subject: Re: Packet filters
> 
> "Andy Baran" <abaran1@depaul.edu> wrote:
> > This question sounds like it has an easy answer at first but please bear
> > with me.  I am going to set up a network tap to monitor network traffic
> > flows.  The machine will be running FreeBSD 4.10 and has two NICs.  One
> > interface will be used for management and the other will be to collect
> > the flows.  Obviously, security is a concern with a machine of this
> > nature so I need to set up a firewall on the management interface.
> > However, I need to be absolutely sure that the firewall will not be
> > handling any of the packets on the second interface.  I am well aware
> > that IPFW and IPF can both be set up to monitor only a specific
> > interface.  However, I'd like verification from someone familiar with
> > the code for either that the filter will not touch packets on the
> > interface being used as a tap.  My apologies if I'm posing this question
> > to the wrong list.  If I am, please let me know whom I should be asking.
> > Thanks in advance for any replies.
> 
> Since nobody else has answered ...
> 
> While I can't, personally, verify this "at the code level", I can say from
> experience, that ALL packets go through the firewall.  Whether or not the
> firewall "handles" any of the packets is simply a matter of your ruleset.
> Using IPFW, if the packets do not match any rules, they'll simply pass in
> one side of the packet filter, and out the other.  With the setup you
> describe, you can easily ensure that the packets never get altered by
> having a "via" clause in all your rules.
> 
> For example, if your sniffing interface is fxp0 and your management
> interface is fxp1, then rules similar to:
> ipfw add drop tcp from any to any 25 via fxp1
> Will _never_ match a packet that comes in or goes out through the fxp0
> card.
> 
> HTH.
> 
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"


-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
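The two points made in this thread (every rule on the management side carries a "via" clause, and under a default-deny kernel the tap interface needs its own explicit pass rule) fit in one short ruleset script. The script below is an added example, not something posted by Bill, JJB or Andy: it uses the thread's interface names fxp0 (tap) and fxp1 (management), invents a management host 192.0.2.10 for illustration, and by default only prints the ipfw commands (IPFW="echo ipfw") so it can be inspected before being run for real with IPFW=ipfw as root. The default_policy function reads an `ipfw list` listing on stdin and reports the action of rule 65535, the implicit last rule Bill refers to, so you can confirm whether the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT or not before trusting the ruleset.

```shell
#!/bin/sh
# Added example for a FreeBSD tap box with ipfw; not code from the thread.
# Assumptions: fxp0 is the sniffing NIC (no IP address, never filtered),
# fxp1 is the management NIC, 192.0.2.10 is a constructed admin host.
# IPFW defaults to a dry run that prints the commands instead of loading them.

TAP_IF="${TAP_IF:-fxp0}"
MGMT_IF="${MGMT_IF:-fxp1}"
MGMT_HOST="${MGMT_HOST:-192.0.2.10}"
IPFW="${IPFW:-echo ipfw}"

# Read an `ipfw list` listing on stdin and print the action of rule 65535,
# the implicit last rule: "deny" means unmatched packets are dropped
# (kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT), "allow" means they
# pass, "unknown" means the listing did not contain rule 65535 at all.
default_policy() {
    policy=unknown
    while read -r num action rest; do
        [ "$num" = "65535" ] && policy="$action"
    done
    echo "$policy"
}

# Emit the ruleset.  Rule 100 comes first so traffic on the tap interface
# is passed before any other rule (including check-state) can see it; this
# is what makes the box safe under a default-deny kernel.  Every filtering
# rule after it names an interface with "via", so none can match fxp0.
build_ruleset() {
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via "$TAP_IF"
    $IPFW add 200 allow ip from any to any via lo0
    $IPFW add 300 check-state
    $IPFW add 400 allow tcp from "$MGMT_HOST" to me 22 in via "$MGMT_IF" setup keep-state
    $IPFW add 500 allow ip from me to any out via "$MGMT_IF" keep-state
    $IPFW add 600 deny log ip from any to any via "$MGMT_IF"
}

# Dry run by default: print the rules, then show how to verify the policy.
build_ruleset
echo "# after loading, run: ipfw list | default_policy   (expect: deny or allow)"
```

Rule 100 is deliberately ahead of check-state: dynamic rules created by keep-state match on addresses and ports rather than on interface, so if a tap packet ever reached rule 300 it could in principle be matched by a dynamic entry. With the pass rule first that can never happen, regardless of whether the kernel defaults to accept or deny. The final deny carries "via fxp1" for the same reason, so that if the kernel defaults to accept, nothing on fxp0 is ever dropped by an explicit rule either.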


