Re: Packet filters
Thanks guys :) All I really needed to know was whether the packets would pass through the filters or not. So I'm pretty good to go at this point.

>>> Bill Moran <[EMAIL PROTECTED]> 07/23/04 01:50PM >>>
"JJB" <[EMAIL PROTECTED]> wrote:
> Bill's post is correct only if the firewall defaults to pass all.

True. I guess the point that I didn't make clear (because I didn't state it at all) is that the firewall doesn't do anything that isn't clearly stated in the rules. Even when it's set to drop by default, you can see that a rule is added at the end of the ruleset to that effect.

> If your firewall defaults to deny all, then you need a pass all rule
> for each interface you want to pass through the firewall.
>
> [...]

--
Bill Moran
Potential Technologies
http://www.potentialtech.com

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Packet filters
"JJB" <[EMAIL PROTECTED]> wrote:
> Bill's post is correct only if the firewall defaults to pass all.

True. I guess the point that I didn't make clear (because I didn't state it at all) is that the firewall doesn't do anything that isn't clearly stated in the rules. Even when it's set to drop by default, you can see that a rule is added at the end of the ruleset to that effect.

> If your firewall defaults to deny all, then you need a pass all rule
> for each interface you want to pass through the firewall.
>
> [...]

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
RE: Packet filters
Bill's post is correct only if the firewall defaults to pass all. If your firewall defaults to deny all, then you need a pass all rule for each interface you want to pass through the firewall.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Moran
Sent: Friday, July 23, 2004 2:21 PM
To: Andy Baran
Cc: [EMAIL PROTECTED]
Subject: Re: Packet filters

"Andy Baran" <[EMAIL PROTECTED]> wrote:
> [...]

Since nobody else has answered ...

While I can't, personally, verify this "at the code level", I can say from experience that ALL packets go through the firewall. Whether or not the firewall "handles" any of the packets is simply a matter of your ruleset. Using IPFW, if the packets do not match any rules, they'll simply pass in one side of the packet filter, and out the other. With the setup you describe, you can easily ensure that the packets never get altered by having a "via" clause in all your rules.

For example, if your sniffing interface is fxp0 and your management interface is fxp1, then rules similar to:

    ipfw add drop tcp from any to any 25 via fxp1

will _never_ match a packet that comes in or goes out through the fxp0 card.

HTH.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
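The two points made in this exchange, Bill's that a rule carrying "via fxp1" never matches a packet seen on fxp0, and JJB's that on a default-to-deny kernel the implicit last rule still drops fxp0 traffic unless a pass rule for that interface is added, can be checked against a small model of how ipfw walks a ruleset. The following is an added example written for this page, not code from the thread or from FreeBSD. It models only first-match evaluation, the "via" keyword, the fixed final rule 65535 and ipfw's default rule numbering step of 100; the rule "pass all from any to any via fxp0" is my reading of JJB's "pass all rule for each interface", and the sample packets are constructed for the illustration.

```python
# Added illustration (not code from the thread or from FreeBSD): a toy model of how
# ipfw(8) walks a ruleset. First match wins, "via IF" matches a packet received or
# sent on IF, and rule 65535 is always the last rule.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOW_VERBS = {"allow", "pass", "permit", "accept"}
DENY_VERBS = {"deny", "drop"}
DEFAULT_RULE_NUMBER = 65535   # ipfw's fixed, unremovable final rule
AUTOINC_STEP = 100            # default value of net.inet.ip.fw.autoinc_step

@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrives on or leaves by
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # destination port, if the protocol has one

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow" or "deny"
    proto: str = "ip"            # "ip" or "all" matches every protocol
    dport: Optional[int] = None  # None matches any destination port
    via: Optional[str] = None    # None matches packets on any interface

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", "all") and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return self.via is None or self.via == pkt.iface

def parse_rule(text: str, auto_number: int) -> Rule:
    """Parse the ipfw subset used in the thread:
    [ipfw] add [N] <action> <proto> from any to any [port] [via IF]"""
    tok = text.split()
    if tok[:1] == ["ipfw"]:
        tok = tok[1:]
    if not tok or tok.pop(0) != "add":
        raise ValueError("expected 'add' in %r" % text)
    number = int(tok.pop(0)) if tok[0].isdigit() else auto_number
    verb = tok.pop(0)
    if verb not in ALLOW_VERBS | DENY_VERBS:
        raise ValueError("unsupported action %r in %r" % (verb, text))
    proto = tok.pop(0)
    if tok[:4] != ["from", "any", "to", "any"]:
        raise ValueError("only 'from any to any' is modelled: %r" % text)
    dport = via = None
    tok = tok[4:]
    while tok:
        t = tok.pop(0)
        if t == "via":
            via = tok.pop(0)
        elif t.isdigit():
            dport = int(t)
        else:
            raise ValueError("unsupported token %r in %r" % (t, text))
    return Rule(number, "allow" if verb in ALLOW_VERBS else "deny", proto, dport, via)

class Ruleset:
    def __init__(self, lines: List[str], default_to_accept: bool) -> None:
        self.rules: List[Rule] = []
        last = 0
        for line in lines:   # unnumbered rules get last + autoinc_step, as ipfw does
            rule = parse_rule(line, auto_number=last + AUTOINC_STEP)
            self.rules.append(rule)
            last = rule.number
        self.rules.sort(key=lambda r: r.number)
        # Rule 65535 is always present; whether it allows or denies is fixed by the
        # kernel option IPFIREWALL_DEFAULT_TO_ACCEPT, not by anything in the ruleset.
        self.rules.append(Rule(DEFAULT_RULE_NUMBER, "allow" if default_to_accept else "deny"))

    def decide(self, pkt: Packet) -> Tuple[str, int]:
        # First matching rule wins; rule 65535 guarantees there always is one.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.number

# Constructed sample traffic: SMTP and SSH to the management NIC fxp1, and two
# flows mirrored to the tap NIC fxp0.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "mgmt_smtp": Packet("fxp1", "tcp", 25),
    "mgmt_ssh": Packet("fxp1", "tcp", 22),
    "tap_smtp": Packet("fxp0", "tcp", 25),
    "tap_dns": Packet("fxp0", "udp", 53),
}
BILL_RULE = "ipfw add drop tcp from any to any 25 via fxp1"   # the rule quoted in the thread
TAP_PASS_RULE = "ipfw add pass all from any to any via fxp0"  # JJB's pass-all for the tap NIC (assumed wording)

def scenario(lines: List[str], default_to_accept: bool) -> Dict[str, Tuple[str, int]]:
    """Verdict for every sample packet under one ruleset and one kernel default."""
    rs = Ruleset(lines, default_to_accept)
    return {name: rs.decide(pkt) for name, pkt in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for label, lines, accept in [("default accept, Bill's rule only", [BILL_RULE], True),
                                 ("default deny, Bill's rule only", [BILL_RULE], False),
                                 ("default deny, pass-all via fxp0 added", [TAP_PASS_RULE, BILL_RULE], False)]:
        print(label, scenario(lines, accept))
```

Running it prints the verdict per packet for the three configurations. With a default-to-accept kernel Bill's rule alone does exactly what he says: SMTP on fxp1 is dropped at rule 100 and everything on fxp0 falls through to the allow at 65535. With a default-to-deny kernel the same ruleset drops every fxp0 packet at 65535, which is JJB's point. Adding the pass-all for fxp0 ahead of the management rules accepts tap traffic at rule 100 while SMTP on fxp1 is still dropped at rule 200 and the rest of fxp1 falls through to the deny. The model ignores forwarding; on a tap box with net.inet.ip.forwarding left at 0 a packet received on fxp0 is never transmitted on fxp1, so "via fxp1" cannot match it on the way out either. Note also that bpf(4), which tcpdump and flow collectors read from, taps frames at the interface layer before ip_input() hands them to ipfw, so a deny on fxp0 would not hide traffic from the sniffer; the explicit pass rule is still the right thing to have on a default-to-deny box.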
Re: Packet filters
Thanks Bill, I was beginning to think I might never get an answer.

>>> Bill Moran <[EMAIL PROTECTED]> 07/23/04 01:21PM >>>
[...]
Re: Packet filters
"Andy Baran" <[EMAIL PROTECTED]> wrote:
> This question sounds like it has an easy answer at first but please bear with me. I am going to set up a network tap to monitor network traffic flows. The machine will be running FreeBSD 4.10 and has two NICs. One interface will be used for management and the other will be to collect the flows. Obviously, security is a concern with a machine of this nature so I need to set up a firewall on the management interface. However, I need to be absolutely sure that the firewall will not be handling any of the packets on the second interface. I am well aware that IPFW and IPF can both be set up to monitor only a specific interface. However, I'd like verification from someone familiar with the code for either that the filter will not touch packets on the interface being used as a tap. My apologies if I'm posing this question to the wrong list. If I am, please let me know whom I should be asking.
> Thanks in advance for any replies.

Since nobody else has answered ...

While I can't, personally, verify this "at the code level", I can say from experience that ALL packets go through the firewall. Whether or not the firewall "handles" any of the packets is simply a matter of your ruleset. Using IPFW, if the packets do not match any rules, they'll simply pass in one side of the packet filter, and out the other. With the setup you describe, you can easily ensure that the packets never get altered by having a "via" clause in all your rules.

For example, if your sniffing interface is fxp0 and your management interface is fxp1, then rules similar to:

    ipfw add drop tcp from any to any 25 via fxp1

will _never_ match a packet that comes in or goes out through the fxp0 card.

HTH.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com