Re: More questions on sr sync driver, packet filters, and altq
On Sun, Oct 29, 2006 at 03:11:04AM -, John Levine wrote:

> I am putting together a FreeBSD router to replace a tired old BSD/OS one. My external line is a T1, so I got a Wanic 400 on ebay. I have a /24 that is about half full so I don't do NAT and don't expect to need to do so.
>
> [snip packet filtering stuff]

I have found OpenBSD (http://www.openbsd.org) suits this purpose admirably. It's small, secure by default, and does all the filtering/bandwidth shaping you could ask for. I use the combo of OpenBSD for routers and FreeBSD for servers/desktop OS. Just my 0.02..

-- 
John - lists @ reiteration . net

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
More questions on sr sync driver, packet filters, and altq
I am putting together a FreeBSD router to replace a tired old BSD/OS one. My external line is a T1, so I got a Wanic 400 on ebay. I have a /24 that is about half full so I don't do NAT and don't expect to need to do so.

I'm still trying to figure out the best way to do the packet filtering. Since there are a few Windows boxes on my network, the main thing I want to do is to filter out nasty stuff, but I would also like to do a little policy routing. In particular, I have some VoIP equipment, and I'd like to give its traffic priority. Identifying the traffic is easy, since the boxes have fixed IP addresses, but how do I do the priority? The altq man pages say that each driver has to support altq, and the sr driver doesn't. Can I do this with netgraph? Is there something else I'm missing?

TIA,
Re: Packet filters
Andy Baran [EMAIL PROTECTED] wrote:

> This question sounds like it has an easy answer at first but please bear with me.
>
> I am going to set up a network tap to monitor network traffic flows. The machine will be running FreeBSD 4.10 and has two NICs. One interface will be used for management and the other will be to collect the flows. Obviously, security is a concern with a machine of this nature so I need to set up a firewall on the management interface. However, I need to be absolutely sure that the firewall will not be handling any of the packets on the second interface. I am well aware that IPFW and IPF can both be set up to monitor only a specific interface. However, I'd like verification from someone familiar with the code for either that the filter will not touch packets on the interface being used as a tap.
>
> My apologies if I'm posing this question to the wrong list. If I am please let me know whom I should be asking.
>
> Thanks in advance for any replies.

Since nobody else has answered ...

While I can't, personally, verify this at the code level, I can say from experience that ALL packets go through the firewall. Whether or not the firewall handles any of the packets is simply a matter of your ruleset. Using IPFW, if the packets do not match any rules, they'll simply pass in one side of the packet filter, and out the other.

With the setup you describe, you can easily ensure that the packets never get altered by having a via clause in all your rules. For example, if your sniffing interface is fxp0 and your management interface is fxp1, then rules similar to:

    ipfw add drop tcp from any to any 25 via fxp1

will _never_ match a packet that comes in or goes out through the fxp0 card.

HTH.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: Packet filters
Thanks Bill, I was beginning to think I might never get an answer.

Bill Moran [EMAIL PROTECTED] 07/23/04 01:21PM

> Andy Baran [EMAIL PROTECTED] wrote:
>
> > This question sounds like it has an easy answer at first but please bear with me.
> >
> > I am going to set up a network tap to monitor network traffic flows. The machine will be running FreeBSD 4.10 and has two NICs. One interface will be used for management and the other will be to collect the flows. Obviously, security is a concern with a machine of this nature so I need to set up a firewall on the management interface. However, I need to be absolutely sure that the firewall will not be handling any of the packets on the second interface. I am well aware that IPFW and IPF can both be set up to monitor only a specific interface. However, I'd like verification from someone familiar with the code for either that the filter will not touch packets on the interface being used as a tap.
> >
> > My apologies if I'm posing this question to the wrong list. If I am please let me know whom I should be asking.
> >
> > Thanks in advance for any replies.
>
> Since nobody else has answered ...
>
> While I can't, personally, verify this at the code level, I can say from experience that ALL packets go through the firewall. Whether or not the firewall handles any of the packets is simply a matter of your ruleset. Using IPFW, if the packets do not match any rules, they'll simply pass in one side of the packet filter, and out the other.
>
> With the setup you describe, you can easily ensure that the packets never get altered by having a via clause in all your rules. For example, if your sniffing interface is fxp0 and your management interface is fxp1, then rules similar to:
>
>     ipfw add drop tcp from any to any 25 via fxp1
>
> will _never_ match a packet that comes in or goes out through the fxp0 card.
>
> HTH.
>
> -- 
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
RE: Packet filters
Bill's post is correct only if the firewall defaults to pass all. If your firewall defaults to deny all, then you need a pass all rule for each interface you want to pass through the firewall.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Bill Moran
Sent: Friday, July 23, 2004 2:21 PM
To: Andy Baran
Cc: [EMAIL PROTECTED]
Subject: Re: Packet filters

> Andy Baran [EMAIL PROTECTED] wrote:
>
> > This question sounds like it has an easy answer at first but please bear with me.
> >
> > I am going to set up a network tap to monitor network traffic flows. The machine will be running FreeBSD 4.10 and has two NICs. One interface will be used for management and the other will be to collect the flows. Obviously, security is a concern with a machine of this nature so I need to set up a firewall on the management interface. However, I need to be absolutely sure that the firewall will not be handling any of the packets on the second interface. I am well aware that IPFW and IPF can both be set up to monitor only a specific interface. However, I'd like verification from someone familiar with the code for either that the filter will not touch packets on the interface being used as a tap.
> >
> > My apologies if I'm posing this question to the wrong list. If I am please let me know whom I should be asking.
> >
> > Thanks in advance for any replies.
>
> Since nobody else has answered ...
>
> While I can't, personally, verify this at the code level, I can say from experience that ALL packets go through the firewall. Whether or not the firewall handles any of the packets is simply a matter of your ruleset. Using IPFW, if the packets do not match any rules, they'll simply pass in one side of the packet filter, and out the other.
>
> With the setup you describe, you can easily ensure that the packets never get altered by having a via clause in all your rules. For example, if your sniffing interface is fxp0 and your management interface is fxp1, then rules similar to:
>
>     ipfw add drop tcp from any to any 25 via fxp1
>
> will _never_ match a packet that comes in or goes out through the fxp0 card.
>
> HTH.
>
> -- 
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
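The two points made in this thread (every rule should carry a via clause naming the management interface, and a default-deny firewall still needs an explicit pass rule for the tap interface) can be checked mechanically before a ruleset is loaded. The script below is an added example, not code from any poster; it assumes the rules live in a text file with one `ipfw add ...` per line, that fxp0 is the tap NIC and fxp1 the management NIC as in Bill's reply, and the sample ruleset is constructed for illustration.

```python
"""Audit an ipfw ruleset for a two-NIC tap host (added example, not from the thread).
Assumed: one 'ipfw add ...' rule per line, fxp0 is the tap NIC, fxp1 the management
NIC (Bill's names), and the kernel defaults to deny as in the follow-up."""
import shlex

TAP_IF = "fxp0"  # collects flows only; the firewall must never act on it
PASS_ACTIONS = {"allow", "accept", "pass", "permit"}  # ipfw synonyms

# Constructed sample: line 2 is the thread's rule; line 4 deliberately lacks a qualifier.
SAMPLE_RULES = """\
ipfw add 100 allow ip from any to any via fxp0
ipfw add 200 drop tcp from any to any 25 via fxp1
ipfw add 300 allow tcp from 192.0.2.0/24 to me 22 via fxp1
ipfw add 400 deny icmp from any to any
"""

def parse_rule(line):
    """Return (action, interface or None, body tokens) for an 'ipfw add' line."""
    toks = shlex.split(line)
    if len(toks) < 3 or toks[:2] != ["ipfw", "add"]:
        return None
    body = toks[2:]
    if body[0].isdigit() and len(body) > 1:  # optional explicit rule number
        body = body[1:]
    iface = None
    for i, tok in enumerate(body):  # via = either direction, recv/xmit = one
        if tok in ("via", "recv", "xmit") and i + 1 < len(body):
            iface = body[i + 1]
    return body[0], iface, body

def audit(rules_text, default_deny=True):
    """Return findings as strings; an empty list means the ruleset is clean."""
    findings = []
    tap_pass = False
    for n, line in enumerate(rules_text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        action, iface, body = parsed
        if iface is None:
            findings.append(f"line {n}: no via/recv/xmit, so it also matches {TAP_IF}")
        elif iface == TAP_IF:
            unconditional = body[1] in ("ip", "all") and body[2:6] == ["from", "any", "to", "any"]
            if action in PASS_ACTIONS and unconditional:
                tap_pass = True
            else:
                findings.append(f"line {n}: rule acts on tap interface {TAP_IF}")
    if default_deny and not tap_pass:
        findings.append(f"default deny but no 'allow ip from any to any via {TAP_IF}'")
    return findings
```

Run `audit(open("rules.txt").read())` against your own file; any non-empty result is a rule that could touch the tap interface.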
Packet filters
This question sounds like it has an easy answer at first but please bear with me.

I am going to set up a network tap to monitor network traffic flows. The machine will be running FreeBSD 4.10 and has two NICs. One interface will be used for management and the other will be to collect the flows. Obviously, security is a concern with a machine of this nature so I need to set up a firewall on the management interface. However, I need to be absolutely sure that the firewall will not be handling any of the packets on the second interface. I am well aware that IPFW and IPF can both be set up to monitor only a specific interface. However, I'd like verification from someone familiar with the code for either that the filter will not touch packets on the interface being used as a tap.

My apologies if I'm posing this question to the wrong list. If I am please let me know whom I should be asking.

Thanks in advance for any replies.

-
+Andy Baran ... [EMAIL PROTECTED]
+DePaul Computer Security Response Team
 http://security.depaul.edu
---