Barbish3 at adelphia.net
Fri Jul 23 11:42:17 PDT 2004
Bill's post is correct only if the firewall defaults to pass all.
If your firewall defaults to deny all, then you need a pass all rule
for each interface you want to pass through the firewall.
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Bill Moran
Sent: Friday, July 23, 2004 2:21 PM
To: Andy Baran
Cc: freebsd-questions at freebsd.org
Subject: Re: Packet filters
"Andy Baran" <abaran1 at depaul.edu> wrote:
> This question sounds like it has an easy answer at first but
> with me. I am going to setup a network tap to monitor network
> flows. The machine will be running FreeBSD 4.10 and has two NICs.
> interface will be used for management and the other will be to
> the flows. Obviously, security is a concern with a machine of
> nature so I need to setup a firewall on the management interface.
> However, I need to be absolutely sure that the firewall will not
> handling any of the packets on the second interface. I am well
> that IPFW and IPF can both be setup to monitor only a specific
> interface. However, I'd like verification from someone familiar
> the code for either that the filter will not touch packets on the
> interface being used as a tap. My apologies if I'm posing this
> to the wrong list. If I am please let me know whom I should be
> Thanks in advance for any replies.
Since nobody else has answered ...
While I can't, personally, verify this "at the code level", I can
experience, that ALL packets go through the firewall. Whether or
firewall "handles" and of the packets is simply a matter of your
Using IPFW, if the packets do not match any rules, they'll simply
one side of the packet filter, and out the other. With the setup
describe, you can easily ensure that the packets never get altered
having a "via" clause in all your rules.
For example, if your sniffing interface is fxp0 and your management
is fxp1, then rules similar to:
ipfw add drop tcp from any to any 25 via fxp1
Will _never_ match a packet that comes in or goes out through the
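The setup Bill and Joe describe, as an added example that is not code from anyone in this thread: a small sh script that emits an ipfw ruleset for a two-NIC tap box on a default-deny kernel. Every management rule carries `via fxp1`, the tap NIC gets the explicit pass-all rule Joe says a default-deny kernel needs, and a check refuses any ruleset where a rule names neither interface. The interface names follow Bill's example; the management address 192.0.2.10, the subnet 192.0.2.0/24 and the rule numbers are constructed.

```sh
#!/bin/sh
# Added example for the thread above, not code from any poster.
# Generates an ipfw(8) ruleset for a two-NIC tap box on a default-deny kernel.
# Assumptions: fxp0 is the tap (sniffing) NIC and fxp1 the management NIC, as
# in Bill's example; the management address and subnet are constructed
# (TEST-NET-1) and the rule numbers are arbitrary.
TAP_IF="${TAP_IF:-fxp0}"
MGMT_IF="${MGMT_IF:-fxp1}"
MGMT_IP="${MGMT_IP:-192.0.2.10}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

# Emit the ruleset in the one-command-per-line form that "ipfw <file>" loads.
# Every management rule carries "via $MGMT_IF", so it can only match a packet
# that enters or leaves through the management NIC. The last rule is the
# explicit pass-all for the tap NIC that a default-deny kernel needs; without
# it the tap NIC's traffic would fall through to the default deny rule 65535.
gen_ruleset() {
    cat <<EOF
add 100 allow tcp from $MGMT_NET to $MGMT_IP 22 via $MGMT_IF
add 200 allow tcp from $MGMT_IP 22 to $MGMT_NET via $MGMT_IF
add 300 allow icmp from $MGMT_NET to $MGMT_IP via $MGMT_IF
add 400 allow icmp from $MGMT_IP to $MGMT_NET via $MGMT_IF
add 500 deny log ip from any to any via $MGMT_IF
add 65000 allow ip from any to any via $TAP_IF
EOF
}

# Read a ruleset on stdin and check the two invariants this design relies on:
# every "add" line names one of the two interfaces with "via", and the last
# rule is the unconditional pass for the tap NIC. Exit 0 when both hold.
check_rules() {
    awk -v m=" via $MGMT_IF" -v t=" via $TAP_IF" '
        BEGIN { bad = 0 }
        /^add / {
            last = $0
            if (index($0, m) == 0 && index($0, t) == 0) bad++
        }
        END { exit !(bad == 0 && index(last, "allow ip from any to any" t) > 0) }
    '
}

# Constructed counter-example: the same rules with "via" dropped from rule 100,
# which would let that rule match SSH packets arriving on the tap NIC as well.
gen_bad_ruleset() {
    gen_ruleset | sed "s/^add 100 \(.*\) via $MGMT_IF\$/add 100 \1/"
}

# Print the ruleset when run directly.
gen_ruleset
```

On the box itself the output would be saved to a file and loaded with `ipfw -f flush` followed by `ipfw /path/to/file`; `ipfw list` then shows whether rule 65535 reads `deny` or `allow`, which is the quickest way to tell which default Joe's caveat applies to. The rules are deliberately stateless: dynamic rules created by `keep-state` are matched on addresses and ports rather than on the interface, so a `check-state` rule would undercut the guarantee that every rule is pinned to one NIC.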