Bridging and port mirroring

Chuck Swiger cswiger at mac.com
Thu Sep 13 12:35:22 PDT 2007


On Sep 13, 2007, at 9:29 AM, Brian McCann wrote:
> I've got a server with two nics configured for bridging and running
> bunches of ipfw rules.  I'd like to add a 3rd NIC and have it mirror
> the 2nd NIC (so all traffic into and out of nic2 goes to nic3), so I
> can run an IDS on another server.  Yes, I know that has the potential
> to overload nic3 if there is a lot of traffic going in and out of
> nic2, but that's not an issue for me.
>
> Has anyone done this before, or know how to do this?

You might get some traction from the "ipfw tee" command, although
that is intended for use together with a divert socket (i.e., such as
bouncing the packets through natd).  Otherwise, try looking into the
netgraph ng_tee node:

"DESCRIPTION
      The tee node type has a purpose similar to the tee(1) command.  Tee nodes
      are useful for debugging or ``snooping'' on a connection between two
      netgraph nodes.  Tee nodes have four hooks, right, left, right2left, and
      left2right.  All data received on right is sent unmodified to both hooks
      left and right2left.  Similarly, all data received on left is sent
      unmodified to both right and left2right."

-- 
-Chuck
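
[Added example, not part of Chuck's reply and not code from the FreeBSD tree:
a shell script that wires an ng_tee(4) node into the netgraph hooks of the
watched NIC ("nic2" in the question, assumed here to be em1) and merges the
two tee copies onto the IDS NIC ("nic3", assumed em2) with ng_one2many(4).
The node names tee_em1 and mirror_em1 are labels chosen for this example.
The command list is generated by a function so it can be reviewed with -n
before anything is changed on the box.]

```shell
#!/bin/sh
# Added example (not from the original post): mirror one Ethernet interface
# to another with ng_tee(4) + ng_one2many(4), for an IDS sensor on a second
# host.  Assumed names: MON is the NIC being watched ("nic2" in the
# question), MIRROR is the NIC the sensor is plugged into ("nic3").
# The node names tee_$MON and mirror_$MON are arbitrary labels used here.
#
# Usage:  sh ng_mirror.sh [-n] em1 em2
#         -n prints the ngctl(8) commands instead of running them.
set -eu

# Emit the ngctl(8) commands that build the mirror, one per line.
# Data flow, per ng_tee(4) (input on right goes to left and right2left,
# input on left goes to right and left2right):
#   wire  -> MON:lower -> tee right -> left  -> MON:upper -> stack/bridge
#                                   \-> right2left -> one2many many0 -.
#   stack -> MON:upper -> tee left  -> right -> MON:lower -> wire      |
#                                   \-> left2right -> one2many many1 -'
#                                                       one -> MIRROR:lower
# ng_one2many(4) forwards everything arriving on its many hooks out of its
# single one hook; writing to MIRROR's lower hook transmits the frame.
mirror_cmds() {
    mon=$1; mirror=$2
    tee="tee_${mon}"; merge="mirror_${mon}"
    cat <<EOF
ngctl mkpeer ${mon}: tee lower right
ngctl name ${mon}:lower ${tee}
ngctl connect ${mon}: ${tee}: upper left
ngctl mkpeer ${tee}: one2many right2left many0
ngctl name ${tee}:right2left ${merge}
ngctl connect ${tee}: ${merge}: left2right many1
ngctl connect ${merge}: ${mirror}: one lower
EOF
}

# Commands that undo the wiring: shutting down the two helper nodes drops
# all of their hooks and ng_ether(4) goes back to normal operation.
teardown_cmds() {
    mon=$1
    printf 'ngctl shutdown tee_%s:\nngctl shutdown mirror_%s:\n' "$mon" "$mon"
}

main() {
    dry_run=0
    if [ "${1:-}" = "-n" ]; then dry_run=1; shift; fi
    [ $# -eq 2 ] || { echo "usage: $0 [-n] monitored_if mirror_if" >&2; return 2; }
    if [ "$dry_run" -eq 1 ]; then
        mirror_cmds "$1" "$2"
        return 0
    fi
    # ng_ether must be loaded before the per-interface nodes (em1:, em2:) exist.
    for m in ng_ether ng_tee ng_one2many; do
        kldstat -q -m "$m" || kldload "$m"
    done
    ifconfig "$2" up          # the mirror port needs carrier, not an address
    mirror_cmds "$1" "$2" | sh -e
}

case "${0##*/}" in
    ng_mirror.sh) main "$@" ;;   # run only when invoked as the script itself
esac
```

Two things to check before trusting the sensor.  First, the mirror link is
bidirectional: anything the IDS host transmits arrives on MIRROR's lower
hook, is forwarded by one2many to both tee copy hooks, and is re-injected
into the watched interface (right2left goes out left to the stack, left2right
goes out right to the wire).  Give the sensor NIC no address and make sure
the sensor host does not send on it.  Second, the tee's upper side only sees
frames the local stack hands to the interface; whether frames if_bridge(4)
forwards out of that NIC also pass through it depends on the release, so
confirm both directions with tcpdump on the sensor.  If the bridge is
if_bridge(4), the same result is available without netgraph as a span port
("ifconfig bridge0 span em2"), which copies every frame the bridge receives
to the named interface.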



More information about the freebsd-questions mailing list