Date:      Fri, 06 Dec 2002 13:26:03 -0500
From:      Brian McCann <bjm1287@ritvax.isc.rit.edu>
To:        questions@FreeBSD.org
Subject:   RE: IPFW & Snort
Message-ID:  <002a01c29d54$ef6ae910$1500a8c0@dogbert>
In-Reply-To: <60998.10.10.10.7.1039156482.squirrel@webmail.linuxpowered.net>

That would work for my home setup great, but I don't/can't run NAT on
the box that this must be done on...it's in a "Security Lab" for RIT,
where students in a class will be "hacking" into machines other students
set up...and all this machine will be doing is watching everything that
goes on.

Thanks!
--Brian

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of nate
Sent: Friday, December 06, 2002 1:35 AM
To: questions@FreeBSD.org
Subject: Re: IPFW & Snort


Brian McCann said:
> Simple question for you all...but it evades me.  I'm trying to set up a
> box that will monitor a network, but be totally invisible to that
> network, but it needs an IP since it will be using some programs like
> BigBrother and whatnot.  So...my question is...if I use IPFW to block,
> for example, all ports and effectively totally blocking TCP/IP, will
> Snort still be able to capture TCP/IP packets?  Has anyone tried/done
> this?

I recommend just using 3 NIC interfaces. Run 2 of them in bridged mode,
e.g. my home network is protected by a freebsd box running 4 NICs, 1
management (inside internal firewall), NICs 2 and 3 are bridging, NIC 2
is the firewall, NIC 3 is snort, NIC 4 is not being used. This way, since
all traffic goes across 2 interfaces, I can run snort on the "internal"
one so it has no chance of detecting what is dropped on the "external"
one. Then behind that machine I have another machine doing the NAT.

Works great.

nate
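As an added example that is not part of this thread: an ipfw ruleset in the spirit of Brian's setup, with one management address and one address-less sniffing NIC. The interface names (fxp0, fxp1), the management network and the BigBrother server address are assumed placeholders. The deny rules hide nothing from Snort, because on FreeBSD the BPF tap that Snort reads sits at the link layer, ahead of ipfw's IP-layer checks.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules for a passive Snort sensor
# that keeps a management IP but never answers on the sniffing interface.
# Assumed values (override via the environment): management NIC fxp0 on
# 192.168.0.0/24, sniffing NIC fxp1 with no IP, BigBrother server 192.168.0.5.
MGMT_IF=${MGMT_IF:-fxp0}
MGMT_NET=${MGMT_NET:-192.168.0.0/24}
SNIFF_IF=${SNIFF_IF:-fxp1}
BB_SERVER=${BB_SERVER:-192.168.0.5}

# Print the ruleset in order. Nothing is applied here; review the output,
# then pipe it to sh or put it in your ipfw rules file.
sensor_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
# The sniffing NIC has no address: refuse to send or answer on it at all.
ipfw add 200 deny ip from any to any via $SNIFF_IF
# Management SSH from the lab network only; replies ride on 'established'.
ipfw add 300 allow tcp from $MGMT_NET to me 22 in via $MGMT_IF setup
ipfw add 310 allow tcp from any to any via $MGMT_IF established
# Outbound reports to the BigBrother server, plus DNS for the sensor itself.
ipfw add 400 allow tcp from me to $BB_SERVER 1984 out via $MGMT_IF setup
ipfw add 410 allow udp from me to any 53 out via $MGMT_IF
ipfw add 420 allow udp from any 53 to me in via $MGMT_IF
# Everything else (pings, scans, new inbound) is dropped and logged.
# Snort still sees these packets: the BPF tap runs before ipfw.
ipfw add 65000 deny log ip from any to any
EOF
}

# Show what would be loaded.
sensor_rules
```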




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message