On Thu, 5 Dec 2002, Brian McCann wrote:

> Simple question for you all...but it evades me. I'm trying to set up a
> box that will monitor a network, but be totally invisible to that
> network, but it needs an IP since it will be using some programs like
> BigBrother and whatnot. So...my question is...if I use IPFW to block,
> for example, all ports and effectively totally blocking TCP/IP, will
> Snort still be able to capture TCP/IP packets? Has anyone tried/done

Yes, it will work. Sniffers work at the Ethernet level and ipf/ipfw work at
the IP level, so the sniffer "sees" the packets before the firewall.

But that won't make the box invisible. If it has an IP, you can tell it's
there. If you want it to be invisible, don't assign an IP to the box and
disable ARP for the NIC. You can even cut the transmit wires on the patch cord
if you are really paranoid :)

Fer

> this?
>
> Thanks & Happy Holidays,
> --Brian
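
The reply's two conditions for an invisible capture interface (no IP assigned, ARP disabled) can be audited from `ifconfig` output. This is an added example, not part of the original thread; the function name, the interface name `em0` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Audit a sniffer NIC from `ifconfig <if>` output read on stdin.
# Returns 0 only if the interface has no IP address and ARP is disabled.
# check_stealth_iface is a hypothetical helper name.
check_stealth_iface() {
    awk '
        /flags=/ {
            # Interface flags are listed between < and >, comma separated.
            s = $0; sub(/^[^<]*</, "", s); sub(/>.*/, "", s)
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) flag[f[i]] = 1
        }
        # Any IPv4 or IPv6 address (link-local included) makes the box addressable.
        $1 == "inet" || $1 == "inet6" { addrs = addrs " " $2 }
        END {
            rc = 0
            if (addrs != "")        { print "FAIL: address assigned:" addrs; rc = 1 }
            if (!("NOARP" in flag)) { print "FAIL: ARP still enabled"; rc = 1 }
            if (rc == 0) print "OK: no IP assigned, ARP disabled"
            exit rc
        }'
}

# Constructed sample output in FreeBSD ifconfig layout (not captured from a real host).
SAMPLE_VISIBLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

SAMPLE_STEALTH='em0: flags=89c3<UP,BROADCAST,RUNNING,NOARP,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:01'

# The addressed interface fails both checks; the stealth one passes.
printf '%s\n' "$SAMPLE_VISIBLE" | check_stealth_iface || true
printf '%s\n' "$SAMPLE_STEALTH" | check_stealth_iface
```

On a live host the same check is `ifconfig em0 | check_stealth_iface`, with `em0` replaced by the capture interface.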