From owner-freebsd-questions@FreeBSD.ORG Fri Jul 23 18:50:57 2004
From: Bill Moran <wmoran@potentialtech.com>
To: Barbish3@adelphia.net
Cc: abaran1@depaul.edu, freebsd-questions@freebsd.org
Date: Fri, 23 Jul 2004 14:50:44 -0400
Subject: Re: Packet filters
Message-Id: <20040723145044.2a627c38.wmoran@potentialtech.com>
References: <20040723142122.4f7bfcd7.wmoran@potentialtech.com>
Organization: Potential Technologies
X-Mailer: Sylpheed version 0.9.12 (GTK+ 1.2.10; i386-portbld-freebsd4.9)

"JJB" wrote:

> Bill's post is correct only if the firewall defaults to pass all.

True. I guess the point that I didn't make clear (because I didn't state
it at all) is that the firewall doesn't do anything that isn't clearly
stated in the rules. Even when it's set to drop by default, you can see
that a rule is added at the end of the ruleset to that effect.

> If your firewall defaults to deny all, then you need a pass all rule
> for each interface you want to pass through the firewall.
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Bill Moran
> Sent: Friday, July 23, 2004 2:21 PM
> To: Andy Baran
> Cc: freebsd-questions@freebsd.org
> Subject: Re: Packet filters
>
> "Andy Baran" wrote:
> > This question sounds like it has an easy answer at first but please
> > bear with me. I am going to set up a network tap to monitor network
> > traffic flows. The machine will be running FreeBSD 4.10 and has two
> > NICs. One interface will be used for management and the other will be
> > to collect the flows. Obviously, security is a concern with a machine
> > of this nature so I need to set up a firewall on the management
> > interface. However, I need to be absolutely sure that the firewall
> > will not be handling any of the packets on the second interface. I am
> > well aware that IPFW and IPF can both be set up to monitor only a
> > specific interface. However, I'd like verification from someone
> > familiar with the code for either that the filter will not touch
> > packets on the interface being used as a tap. My apologies if I'm
> > posing this question to the wrong list. If I am please let me know
> > whom I should be asking. Thanks in advance for any replies.
>
> Since nobody else has answered ...
>
> While I can't, personally, verify this "at the code level", I can say
> from experience, that ALL packets go through the firewall. Whether or
> not the firewall "handles" any of the packets is simply a matter of
> your ruleset. Using IPFW, if the packets do not match any rules,
> they'll simply pass in one side of the packet filter, and out the
> other. With the setup you describe, you can easily ensure that the
> packets never get altered by having a "via" clause in all your rules.
> For example, if your sniffing interface is fxp0 and your management
> interface is fxp1, then rules similar to:
>
> ipfw add drop tcp from any to any 25 via fxp1
>
> Will _never_ match a packet that comes in or goes out through the
> fxp0 card.
>
> HTH.
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
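The two points made in the thread (a default-deny firewall needs an explicit pass rule for every interface that should not be filtered, and a "via" clause keeps every management rule off the tap interface) combine into a short ipfw ruleset. The script below is an added example written for this page; it is not code from the thread or from FreeBSD. It assumes hypothetical names: fxp0 is the sniffing interface, fxp1 is the management interface on 192.0.2.0/24, 192.0.2.10 is the admin host, and the kernel is built without IPFIREWALL_DEFAULT_TO_ACCEPT, so the implicit last rule 65535 is "deny ip from any to any". Setting IPFW=echo prints the rules instead of loading them, which is how it can be exercised on a box without ipfw.

```shell
#!/bin/sh
# Added example: ipfw ruleset for a two-NIC tap box (not from the thread).
# Hypothetical names: fxp0 = tap/sniffing interface, fxp1 = management
# interface, 192.0.2.0/24 = management network, 192.0.2.10 = admin host.
# Assumes a default-deny kernel (no IPFIREWALL_DEFAULT_TO_ACCEPT), so the
# implicit rule 65535 is "deny ip from any to any".

IPFW="${IPFW:-/sbin/ipfw}"          # set IPFW=echo to dry-run
TAP_IF="${TAP_IF:-fxp0}"
MGMT_IF="${MGMT_IF:-fxp1}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"

# Emit the ruleset, one "ipfw add" argument list per line, in the order
# ipfw evaluates it (first match wins).
ruleset() {
    # Rule 100: anything in or out of the tap interface passes untouched.
    # On a default-deny kernel this is the per-interface "pass all" rule
    # the thread mentions; without it rule 65535 would drop tap traffic.
    echo "100 allow ip from any to any via $TAP_IF"
    # Loopback is never filtered.
    echo "200 allow ip from any to any via lo0"
    # Management interface: established TCP, new SSH from the admin host,
    # ping replies, and DNS lookups initiated by this box.
    echo "300 check-state"
    echo "310 allow tcp from any to any via $MGMT_IF established"
    echo "320 allow tcp from $ADMIN_HOST to any 22 in via $MGMT_IF setup"
    echo "330 allow icmp from $MGMT_NET to any in via $MGMT_IF icmptypes 8"
    echo "340 allow icmp from any to $MGMT_NET out via $MGMT_IF icmptypes 0"
    echo "350 allow udp from any to any 53 out via $MGMT_IF keep-state"
    # Everything else on the management interface is logged and dropped.
    # Because of "via $MGMT_IF" this can never match a packet on the tap.
    echo "900 deny log ip from any to any via $MGMT_IF"
}

# Flush the running ruleset and load ours through $IPFW.
apply_ruleset() {
    "$IPFW" -f flush
    ruleset | while read -r rule; do
        # shellcheck disable=SC2086  (word splitting of $rule is intended)
        "$IPFW" add $rule
    done
}

# Guard used before loading: the "allow ... via $TAP_IF" rule must appear
# before the first deny rule, otherwise an earlier deny could match tap
# traffic. Returns 0 when the ordering is safe.
check_ruleset() {
    ruleset | awk '
        /via '"$TAP_IF"'/ && /allow/ && !tap { tap = NR }
        /deny/ && !deny { deny = NR }
        END { exit !(tap && (!deny || tap < deny)) }'
}

if [ "${1:-}" = "apply" ]; then
    check_ruleset && apply_ruleset
fi
```

Run it as `sh tap-fw.sh apply` on the tap box, or `IPFW=echo sh -c '. ./tap-fw.sh; apply_ruleset'` to see the commands first. One caveat worth keeping in mind when reasoning about the tap side: bpf (what tcpdump and flow collectors read) copies frames in the Ethernet input path, before the packet reaches the layer-3 hook where ipfw's IP rules run, so a capture on fxp0 is not affected by ipfw rules either way; rule 100 matters for traffic the host itself sends or receives on fxp0, which a default-deny ruleset would otherwise drop.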