Re: Bridging and port mirroring

2007-09-13 Thread Erik Osterholm
On Thu, Sep 13, 2007 at 12:29:30PM -0400, Brian McCann wrote:
> I've poked around on the web, but come up empty.  And I find it hard
> to believe there's not a simple way to do this, if it hasn't been done
> before.
> 
> I've got a server with two nics configured for bridging and running
> bunches of ipfw rules.  I'd like to add a 3rd NIC and have it mirror
> the 2nd NIC (so all traffic into and out of nic2 goes to nic3), so I
> can run an IDS on another server.  Yes, I know that has the potential
> to overload nic3 if there is a lot of traffic going in and out of
> nic2, but that's not an issue for me.
> 
> Has anyone done this before, or know how to do this?

Are you using if_bridge?  If so, it supports creating span interfaces.
It's easy to set up, and it almost does what you describe (instead of
only showing traffic into/out of nic2, it's going to show all traffic
on bridge0.)

Erik
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
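Erik's span suggestion as a runnable sketch (added here, not part of the thread): it emits the ifconfig commands for an if_bridge with a span port and checks the bridge status to confirm the mirror NIC is attached as a span member rather than a forwarding one, so the IDS host cannot inject frames back into the bridged segment. The interface names em0/em1/em2 and the sample ifconfig output are assumptions; as Erik notes, a span port sees everything on bridge0, not only nic2's traffic.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.  Interface names
# em0/em1/em2 are assumptions; substitute your own.

BRIDGE=bridge0
MEMBERS="em0 em1"      # the two bridged NICs that carry traffic
SPAN=em2               # the third NIC, cabled to the IDS sensor

# Emit the ifconfig(8) commands that build the bridge.  The mirror NIC is
# attached with "span", never "addm": a span port only receives a copy of
# every frame the bridge forwards, and frames arriving on it are dropped,
# so nothing on the IDS side can reach the bridged segment.
span_commands() {
    bridge=$1; members=$2; span=$3
    printf 'ifconfig %s create\n' "$bridge"
    for m in $members; do
        printf 'ifconfig %s up\n' "$m"
        printf 'ifconfig %s addm %s\n' "$bridge" "$m"
    done
    # bring the mirror NIC up without an address so it cannot source traffic
    printf 'ifconfig %s up\n' "$span"
    printf 'ifconfig %s span %s\n' "$bridge" "$span"
    printf 'ifconfig %s up\n' "$bridge"
}

# Check "ifconfig bridge0" output: the mirror NIC must be listed as a member
# carrying the SPAN flag and must not be a LEARNING (forwarding) member.
# Returns 0 when the mirror is wired correctly, 1 otherwise.
span_ok() {
    status=$1; span=$2
    printf '%s\n' "$status" | grep -q "member: $span .*<SPAN>" || return 1
    printf '%s\n' "$status" | grep -q "member: $span .*LEARNING" && return 1
    return 0
}

# Constructed sample of ifconfig output for the configuration above
# (shape only; exact flag values vary by FreeBSD release).
SAMPLE_STATUS='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        member: em2 flags=100<SPAN>
        member: em1 flags=3<LEARNING,DISCOVER>
        member: em0 flags=3<LEARNING,DISCOVER>'

# Print the commands; pipe them into sh as root on the bridge host to apply.
span_commands "$BRIDGE" "$MEMBERS" "$SPAN"
```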


Re: Bridging and port mirroring

2007-09-13 Thread Chuck Swiger

On Sep 13, 2007, at 9:29 AM, Brian McCann wrote:

I've got a server with two nics configured for bridging and running
bunches of ipfw rules.  I'd like to add a 3rd NIC and have it mirror
the 2nd NIC (so all traffic into and out of nic2 goes to nic3), so I
can run an IDS on another server.  Yes, I know that has the potential
to overload nic3 if there is a lot of traffic going in and out of
nic2, but that's not an issue for me.

Has anyone done this before, or know how to do this?


You might get some traction from the "ipfw tee" command, although
that is intended for use together with a divert socket (ie, such as
bouncing the packets through natd).  Otherwise, try looking into the
netgraph ng_tee node:

"DESCRIPTION
     The tee node type has a purpose similar to the tee(1) command.  Tee nodes
     are useful for debugging or ``snooping'' on a connection between two
     netgraph nodes.  Tee nodes have four hooks, right, left, right2left, and
     left2right.  All data received on right is sent unmodified to both hooks
     left and right2left.  Similarly, all data received on left is sent
     unmodified to both right and left2right."

--
-Chuck



Bridging and port mirroring

2007-09-13 Thread Brian McCann
I've poked around on the web, but come up empty.  And I find it hard
to believe there's not a simple way to do this, if it hasn't been done
before.

I've got a server with two nics configured for bridging and running
bunches of ipfw rules.  I'd like to add a 3rd NIC and have it mirror
the 2nd NIC (so all traffic into and out of nic2 goes to nic3), so I
can run an IDS on another server.  Yes, I know that has the potential
to overload nic3 if there is a lot of traffic going in and out of
nic2, but that's not an issue for me.

Has anyone done this before, or know how to do this?

Thanks,
--Brian