Date: Fri, 6 Dec 2002 10:53:33 -0300 (ART)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: Brian McCann <bjm1287@ritvax.isc.rit.edu>
Cc: questions@FreeBSD.org
Subject: Re: IPFW & Snort
Message-ID: <20021206104834.O87001-100000@cactus.fi.uba.ar>
In-Reply-To: <000c01c29cdb$4f651270$1500a8c0@dogbert>
On Thu, 5 Dec 2002, Brian McCann wrote:

> Simple question for you all...but it evades me. I'm trying to set up a
> box that will monitor a network, but be totally invisible to that
> network, but it needs an IP since it will be using some programs like
> BigBrother and whatnot. So...my question is...if I use IPFW to block,
> for example, all ports and effectively totally blocking TCP/IP, will
> Snort still be able to capture TCP/IP packets? Has anyone tried/done

Yes, it will work. Sniffers work at the Ethernet level and ipf/ipfw work at the IP
level, so the sniffer "sees" the packets before the firewall.

But that won't make the box invisible. If it has an IP, you can tell it's
there. If you want it to be invisible, don't assign an IP to the box and
disable ARP for the NIC. You can even cut the transmit wires on the
patchcord if you are really paranoid :)

Fer

> this?
>
> Thanks & Happy Holidays,
> --Brian
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021206104834.O87001-100000>
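
A check for the passive-sensor setup the reply describes (no IP address assigned, ARP disabled on the NIC), as an added example that is not part of the original message. It reads `ifconfig` output on stdin; the function name `check_stealth`, the interface name `em0` and both sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a sniffing interface for the setup from the reply.
# On a live sensor (assumed interface em0, ARP turned off with `ifconfig em0 -arp up`):
#   ifconfig em0 | check_stealth
# Prints one line per finding; returns 0 only if nothing gives the box away.
check_stealth() {
    awk '
        NR == 1 {
            # Flags sit between < and > on the first line: flags=88c3<UP,...>
            if (match($0, /<[^>]*>/))
                flags = "," substr($0, RSTART + 1, RLENGTH - 2) ","
            if (flags !~ /,UP,/)    { print "interface is down"; bad = 1 }
            if (flags !~ /,NOARP,/) { print "ARP is enabled";    bad = 1 }
        }
        # Any IPv4 or IPv6 address (link-local included) makes the host answer.
        $1 == "inet" || $1 == "inet6" { print "address assigned: " $2; bad = 1 }
        END {
            if (NR == 0) { print "no ifconfig output"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: capture-only interface, no address, ARP off.
SAMPLE_STEALTH='em0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:00:5e:00:53:01
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active'

# Constructed sample: ordinary interface with an address and ARP on.
SAMPLE_VISIBLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:00:5e:00:53:01
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    status: active'

for sample in "$SAMPLE_STEALTH" "$SAMPLE_VISIBLE"; do
    if printf '%s\n' "$sample" | check_stealth; then
        echo "=> passive: no address, no ARP"
    else
        echo "=> visible on the wire"
    fi
done
```

The check covers only what the reply names (addresses and ARP); it says nothing about the management interface the monitoring programs would use.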