I haven't explored iptables in bridge/layer 2 mode, but there is no fundamental
reason you can't packet sniff or firewall traffic in bridge mode. The traffic
has to pass through your kernel.

If you were asking about FreeBSD and ipfw, I'd say yes, just look into the
layer 2 filter points. So I'd recommend digging into the iptables
documentation for something similar. Also not familiar with snort, but with
tcpdump, I'd specify the interface and I'm pretty sure it would work as it is
capturing at layer 2 (or am I thinking of Wireshark?).

-Jed

> On Jun 25, 2015, at 8:56 PM, Nick Gyurov <[email protected]> wrote:
> 
> Bridging works on OSI levels 1 & 2, IP is a level 4 protocol, so IP
> services - not so much.
> I'm not sure what can be done with snort, no experience with it.
> -
> Regards,
> Nick
> 
> 
>> On Fri, Jun 26, 2015 at 6:51 AM, Robin Kipp <[email protected]> wrote:
>> Hi all,
>> I just successfully installed Debian 8 on a Net6501. Basically, I’d like to 
>> use this device as a transparent network gateway between my computers / 
>> network appliances and the router. The reason I’d like to do this is to use 
>> an IDS system such as Snort for security purposes and to monitor certain 
>> aspects of my personal web traffic.
>> To accomplish this, I’ve now configured a network bridge named br0 and added 
>> all of the ethernet interfaces as members. This seems to work pretty well as 
>> far as I can tell. I have eth0 hooked up to the router and my other machines 
>> connected to the 3 remaining ports. Of course, this means that the Net6501 
>> is pretty much transparent now and does not, for example, show up as a 
>> gateway when running a traceroute command to an external host.
>> I generally like this a lot and think it’s quite sensible to pass things 
>> like DHCP and NAT on to the router, rather than installing a separate DHCP 
>> server on the Net6501 and using iptables to NAT between the Soekris box and 
>> the router’s subnet. Since I’m doing this for the very first time, however, 
>> I’m wondering whether I’m on the right path, or if such a setup would impose 
>> certain limitations that I might not be aware of.
>> For example, can I use a tool like Snort on the Net6501 and analyze all the 
>> traffic passing through the Net6501, or could I be facing any issues when 
>> doing this on a bridged network?
>> Also, I’m guessing that with this approach, any routing / firewalling of 
>> traffic (e.g. by using iptables) is out of the question, right? For example, 
>> I would think that it’s probably not possible to use iptables to block 
>> traffic originating from certain IP addresses, or to route certain traffic 
>> through a configured VPN tunnel, etc…
>> If any of you guys have more experience with network bridges, I’d be very 
>> happy if you could answer my questions and / or share your observations with 
>> me. Like I said I’m doing this for the first time, so there may well be 
>> things that I haven’t even thought of yet! :-)
>> Thanks a lot!
>> Robin
>> _______________________________________________
>> Soekris-tech mailing list
>> [email protected]
>> http://lists.soekris.com/mailman/listinfo/soekris-tech

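The setup Jed and Robin are discussing, written out as an added example that is not code from any of the posters: build the transparent bridge, hand bridged IPv4 frames to iptables so that source-address blocking works even though the box has no IP hop in the path, and capture on the bridge device for Snort or tcpdump. The bridge name br0, the member names eth0 to eth3, and the blocked addresses are assumptions; the commands are emitted as text first (DRY_RUN=1, the default) so they can be reviewed before being piped into a shell as root. On Linux the sysctl net.bridge.bridge-nf-call-iptables only exists once the bridge netfilter code is loaded (module br_netfilter on newer kernels, part of the bridge module on older ones such as the 3.16 kernel in Debian 8), and it must be 1 for iptables to see bridged traffic at all.

```shell
#!/bin/sh
# Added example (not from the Soekris-tech thread). Assumed names: br0,
# eth0..eth3, and addresses from the RFC 5737 documentation ranges.

# Reject anything that is not a dotted-quad IPv4 address, so a typo does
# not silently turn into an iptables rule that fails (or matches nothing).
valid_ipv4() {
  _old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    case $_octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Commands that create the bridge and enslave the given member NICs.
# Members carry no address themselves; the box stays invisible to traceroute.
bridge_setup_cmds() {
  _br=$1; shift
  echo "ip link add name $_br type bridge"
  for _nic in "$@"; do
    echo "ip link set dev $_nic master $_br"
    echo "ip link set dev $_nic up"
  done
  echo "ip link set dev $_br up"
}

# Commands that make iptables see bridged frames and drop the listed
# sources. --physdev-is-bridged restricts the rule to traffic that is
# being bridged, not traffic routed by the box itself.
bridge_filter_rules() {
  _br=$1; shift
  echo "modprobe br_netfilter 2>/dev/null || true"   # no-op on 3.16 kernels
  echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
  for _ip in "$@"; do
    valid_ipv4 "$_ip" || { echo "bad IPv4 address: $_ip" >&2; return 1; }
    echo "iptables -A FORWARD -m physdev --physdev-is-bridged -s $_ip -j DROP"
  done
}

# Capture on the bridge device itself: every frame the bridge forwards is
# visible there, which is what an IDS or tcpdump wants.
bridge_capture_cmd() {
  echo "tcpdump -ni $1 -c 20"
}

# Either show the generated commands (DRY_RUN=1) or execute them (DRY_RUN=0,
# run as root; -e stops at the first failing command).
apply() {
  if [ "${DRY_RUN:-1}" = 1 ]; then cat; else sh -e; fi
}

# Usage, with the assumed names:
#   bridge_setup_cmds br0 eth0 eth1 eth2 eth3 | apply
#   bridge_filter_rules br0 203.0.113.5 198.51.100.7 | apply
#   bridge_capture_cmd br0 | apply
```

Once the sysctl is on, `iptables -L FORWARD -v` shows the packet counters climbing for bridged traffic, which is the quickest check that the rules are actually in the path; for Snort, point it at the bridge device (`snort -i br0`) the same way the tcpdump line does. Policy routing of selected flows into a VPN is a separate matter: that needs the box to be a layer 3 hop for those flows, not a pure bridge.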