Packet filters

Andy Baran abaran1 at depaul.edu
Fri Jul 23 12:02:54 PDT 2004


Thanks guys :) All I really needed to know was whether the packets would
pass through the filters or not.  So I'm pretty good to go at this
point.

>>> Bill Moran <wmoran at potentialtech.com> 07/23/04 01:50PM >>>
"JJB" <Barbish3 at adelphia.net> wrote:
> Bill's post is correct only if the firewall defaults to pass all.

True.

I guess the point that I didn't make clear (because I didn't state it at
all) is that the firewall doesn't do anything that isn't clearly stated
in the rules.  Even when it's set to drop by default, you can see that
a rule is added at the end of the ruleset to that effect.

> 
> If your firewall defaults to deny all, then you need a pass all rule
> for each interface you want to pass through the firewall.
> 
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org 
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Bill Moran
> Sent: Friday, July 23, 2004 2:21 PM
> To: Andy Baran
> Cc: freebsd-questions at freebsd.org 
> Subject: Re: Packet filters
> 
> "Andy Baran" <abaran1 at depaul.edu> wrote:
> > This question sounds like it has an easy answer at first but please bear
> > with me.  I am going to set up a network tap to monitor network traffic
> > flows.  The machine will be running FreeBSD 4.10 and has two NICs.  One
> > interface will be used for management and the other will be to collect
> > the flows.  Obviously, security is a concern with a machine of this
> > nature so I need to set up a firewall on the management interface.
> > However, I need to be absolutely sure that the firewall will not be
> > handling any of the packets on the second interface.  I am well aware
> > that IPFW and IPF can both be set up to monitor only a specific
> > interface.  However, I'd like verification from someone familiar with
> > the code for either that the filter will not touch packets on the
> > interface being used as a tap.  My apologies if I'm posing this question
> > to the wrong list.  If I am please let me know whom I should be asking.
> > Thanks in advance for any replies.
> 
> Since nobody else has answered ...
> 
> While I can't, personally, verify this "at the code level", I can say from
> experience, that ALL packets go through the firewall.  Whether or not the
> firewall "handles" any of the packets is simply a matter of your ruleset.
> Using IPFW, if the packets do not match any rules, they'll simply pass in
> one side of the packet filter, and out the other.  With the setup you
> describe, you can easily ensure that the packets never get altered by
> having a "via" clause in all your rules.
> 
> For example, if your sniffing interface is fxp0 and your management
> interface is fxp1, then rules similar to:
> ipfw add drop tcp from any to any 25 via fxp1
> Will _never_ match a packet that comes in or goes out through the
> fxp0 card.
> 
> HTH.
> 
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions 
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"


-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com 
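The behaviour the thread describes, as an added example that is not part of the original messages and is not FreeBSD's own code: a small Python model of ipfw's first-match evaluation (rules tried in ascending number order, the first match decides, the implicit rule 65535 applies when nothing matches). The interface names fxp0 (tap) and fxp1 (management) and the port 25 rule come from Bill's reply; the rule numbers, the port 22 rule and the catch-all deny on fxp1 are constructed for the example. It shows both points made above: every rule carrying "via fxp1" is skipped for fxp0 traffic, and when the kernel was built with a default-deny last rule (no IPFIREWALL_DEFAULT_TO_ACCEPT), the tap interface only keeps working once a "pass ... via fxp0" rule is added, as JJB notes.

```python
"""Toy first-match evaluator for the ipfw(8) rule forms used in this thread.

Added example, not FreeBSD code: it models ipfw's evaluation order closely
enough to show why a "via <iface>" clause keeps management rules off the
tap interface, and why a default-deny kernel needs a pass rule for the tap.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_RULE = 65535          # ipfw's implicit last rule


@dataclass
class Packet:
    iface: str                # interface the packet enters or leaves on
    proto: str                # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass
class Rule:
    number: int
    action: str               # "pass" or "deny" ("drop" is normalised to "deny")
    proto: str                # "ip" matches every protocol
    dst_port: Optional[int]   # None: any destination port
    via: Optional[str]        # None: rule applies on every interface

    def matches(self, pkt: Packet) -> bool:
        if self.via is not None and self.via != pkt.iface:
            return False      # the "via" clause is what isolates the tap interface
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse the subset 'add N action proto from any to any [port] [via IFACE]'."""
    toks = line.split()
    if len(toks) < 8 or toks[0] != "add" or toks[4:8] != ["from", "any", "to", "any"]:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    number, action, proto = int(toks[1]), toks[2], toks[3]
    if action in ("drop", "deny"):
        action = "deny"
    elif action in ("pass", "allow", "accept", "permit"):
        action = "pass"
    else:
        raise ValueError(f"unsupported action: {action!r}")
    rest = toks[8:]
    dst_port = None
    if rest and rest[0].isdigit():
        dst_port = int(rest.pop(0))
    via = None
    if rest[:1] == ["via"] and len(rest) == 2:
        via = rest[1]
        rest = []
    if rest:
        raise ValueError(f"unsupported trailing options: {rest}")
    return Rule(number, action, proto, dst_port, via)


def evaluate(rules: List[Rule], pkt: Packet, default_action: str) -> Tuple[int, str]:
    """Return (rule number, action) of the first matching rule, else the default."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.action
    return DEFAULT_RULE, default_action


# Constructed rulesets for the two-NIC box in the thread: fxp0 taps, fxp1 manages.
MGMT_ONLY = [
    "add 100 pass tcp from any to any 22 via fxp1",   # ssh to the management port
    "add 200 drop tcp from any to any 25 via fxp1",   # the rule from Bill's reply
    "add 300 deny ip from any to any via fxp1",       # everything else on fxp1
]
# The extra rule JJB's point calls for when the kernel defaults to deny.
WITH_TAP_PASS = ["add 50 pass ip from any to any via fxp0"] + MGMT_ONLY


def classify(ruleset: List[str], default_action: str, pkt: Packet) -> Tuple[int, str]:
    return evaluate([parse_rule(r) for r in ruleset], pkt, default_action)


if __name__ == "__main__":
    smtp_on_tap = Packet("fxp0", "tcp", 25)
    print("default pass, mgmt rules only:", classify(MGMT_ONLY, "pass", smtp_on_tap))
    print("default deny, mgmt rules only:", classify(MGMT_ONLY, "deny", smtp_on_tap))
    print("default deny, plus tap pass  :", classify(WITH_TAP_PASS, "deny", smtp_on_tap))
    print("default deny, smtp on fxp1   :", classify(MGMT_ONLY, "deny", Packet("fxp1", "tcp", 25)))
```

Running it shows the SMTP packet on fxp0 falling through to rule 65535 in both the default-pass and default-deny cases, which is exactly the difference the two replies are arguing about: the management rules never touch it, but the implicit last rule does, so on a default-deny kernel rule 50 is what keeps the tap interface passing traffic.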