Jon Carnes wrote:

How about a third network card in the box and if you need to send a
warning, have the system bring that NIC on-line and send out a warning,
then take the NIC off-line again?

This is sort of like what I had in mind, although for simplicity I'd probably just bring up a temporary IP address on the internal interface and send the warning from there. Unless that 3rd NIC were on a separate network (unlikely), it probably wouldn't make much difference from a security standpoint whether it was the NIC passing all of the traffic or a different NIC on the same subnet. As an added benefit (if you have enough addresses) you might bring up that NIC with a random IP address, from a small range of say 3 or 4, to make it a little harder to predict an address you'd be able to attach to that belongs to the firewall.

Snort for network ID and something like your hidden partition suggestion, or even Samhain or Tripwire would work well for local ID. It's just something we didn't go to the trouble to implement, given the box's complete lack of direct network accessibility.

Aaron S. Joyner
--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
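The "temporary address, send the warning, tear it down again" idea from the reply above, written out as an added example (this is not code from the thread or from either poster). It assumes a Linux firewall with iproute2 and a local sendmail-compatible mailer on the box; the interface name, the small constructed address pool and the recipient are placeholders to be replaced with your own. The address is chosen at random from the pool each time, as suggested, and the alias is removed whether or not the mail goes out, so the firewall is reachable only for the few seconds the alert is in flight.

```shell
#!/bin/sh
# Added example: raise a one-shot alert from an otherwise unaddressed
# firewall by briefly adding an IP alias to the internal interface.
# Assumptions (not from the original message): interface eth1, a /24
# internal subnet, a constructed pool of four spare addresses, and a
# sendmail-compatible MTA on the box.

IFACE="${ALERT_IFACE:-eth1}"                                  # internal interface (assumption)
PREFIX="${ALERT_PREFIX:-24}"                                  # subnet prefix length (assumption)
ALERT_POOL="${ALERT_POOL:-10.0.0.250 10.0.0.251 10.0.0.252 10.0.0.253}"   # constructed pool
ALERT_TO="${ALERT_TO:-admin@example.invalid}"                 # placeholder recipient

# pick_alert_ip POOL: print one address chosen uniformly at random from
# the whitespace-separated POOL, so the firewall's transient address is
# not trivially predictable.
pick_alert_ip() {
    pool="$1"
    n=$(printf '%s\n' $pool | grep -c .)
    [ "$n" -gt 0 ] || return 1
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    idx=$(( r % n + 1 ))
    printf '%s\n' $pool | sed -n "${idx}p"
}

# build_alert_message HOST REASON SRC: produce the RFC-822 style message
# handed to the mailer, recording which temporary address was used.
build_alert_message() {
    host="$1"; reason="$2"; src="$3"
    printf 'To: %s\nSubject: [firewall %s] %s\n\nHost %s raised an alert at %s from temporary address %s:\n%s\n' \
        "$ALERT_TO" "$host" "$reason" "$host" \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$src" "$reason"
}

# send_alert REASON: add the alias, send the message, remove the alias.
# The alias is always deleted, even if the mailer fails, so the window of
# reachability is bounded by one mail delivery attempt.
send_alert() {
    reason="$1"
    ip=$(pick_alert_ip "$ALERT_POOL") || return 1
    ip addr add "$ip/$PREFIX" dev "$IFACE" || return 1
    build_alert_message "$(hostname)" "$reason" "$ip" | sendmail -t
    status=$?
    ip addr del "$ip/$PREFIX" dev "$IFACE"
    return "$status"
}

# Stand-alone use (needs root for the ip commands):
#   ./fw-alert.sh --send "Samhain reported a modified /sbin/iptables"
if [ "$#" -ge 2 ] && [ "$1" = "--send" ]; then
    send_alert "$2"
fi
```

Because the firewall normally has no address on that segment at all, the kernel will source the outgoing connection from the alias automatically; there is no need to bind the mailer explicitly. Anything that wants to connect back to the firewall has to guess both the moment and the address, which is the point of the random pool.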