From: allen <ae...@pr...> - 2003-02-01 05:57:28
On Friday 31 January 2003 10:46 pm, velbloud wrote:
> Hi guys,
> I was just thinking, I am planning to use Hogwash to protect my webserver, but I am a little bit reluctant to use one more machine for it. I have an iptables firewall, but I wasn't successful in putting the Hogwash there yet (some libipq-missing type of errors when building it but I keep trying). So I was just wondering...would it be theoretically possible to install three network cards (I've got enough of those) in the webserver machine, have the Hog watch let's say eth0 and eth1 and pass the OK-packets to the eth3? One of the problems is, can you convince Apache to serve files and to listen only on eth3? Or is it entirely stupid?
> Libor
> PS. I am a newbie so please excuse any questions with obvious answers...

Well... First, a word of caution. Your email is the first to appear on the list in quite some time. I do not know how much the project is being used. I think at one time up to a whole entire 6 people were using Hogwash-IPTables. These people were all fairly skilled. Seems even the mainstream hogwash project is very slow going.

Some events have also taken place since hogwash and hogwash-iptables came out quite a while ago. For example, there have been two people claiming to have updated Snort itself to provide regular Hogwash functionality, and one person has claimed to have updated Snort itself to provide for IPTables. I have not had the opportunity to fiddle around with Snort enough since then to know if any of what I have just said has actually been incorporated into Snort or not.

-------- Now then ----------

Hogwash-IPTables was brought about exactly for the reasons you mentioned: don't want another machine just to "Hogwash", and "What if I want multiple adapters?". You need "libipq" which comes with IPTables and should be with your linux distribution somewhere.

The Hogwash-IPTables daemon must be launched, and then any rules you write for IPTables that say -j QUEUE will cause such traffic to appear in and be filtered by the Hogwash-IPTables daemon. In a sense, it is that simple. < evil grin > And, good news, Hogwash-IPTables was filtering out Code Red all day long when I was debugging it.

Personally, I would not want to try and fiddle Hogwash itself into some odd loopback thing with the three adapters like you mentioned. Apache tends to want to bind to either ALL or a specific IP address. I have not tried to bind it to an adapter, per se. Maybe it will do that. I don't remember seeing that.

You might try using just two adapters along the lines you were thinking, also with just Hogwash. Adapters can be "multi-homed"; the "devices" will appear in ifconfig output like eth0, eth0:1, eth0:2... each with a different IP and subnet, etc. FYI, you can do with two what you're thinking with three. I don't know if the virtual adapters will catch the looped data internally or if the data will have to fly off to a hub and get reflected back. I'd have to investigate.

Personally, I would first bring up your Hogwash-IPTables, and also I would look at the latest Snort and see if I could find the improvements in it that I mentioned. We are low activity here, but somehow we haven't died. ;)

And finally, you may have to edit something to point directly to your libipq.so wherever it is if you actually have it installed. What did I do, just use a shell script for the build? I can't even remember now...

-AEF
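The -j QUEUE arrangement the reply describes, as an added example that is not part of this thread or of the Hogwash-IPTables project: a small POSIX shell script that emits the iptables rules handing a web server's inbound and outbound port-80 traffic to a userspace QUEUE consumer (such as the Hogwash-IPTables daemon), plus a check that the kernel's ip_queue interface is loaded before those rules go in. The interface name eth0, the port, the rule placement in INPUT/OUTPUT and the dry-run default (IPT set to "echo iptables") are assumptions; run with IPT=iptables to apply the rules for real.

```shell
#!/bin/sh
# Added example, not code from the Hogwash mailing list or project.
# Emits iptables rules that divert web-server traffic to the QUEUE target,
# where a userspace libipq consumer (e.g. the Hogwash-IPTables daemon)
# inspects each packet and returns an accept/drop verdict.
#
# IPT defaults to "echo iptables" so the script is a dry run that only
# prints the commands; set IPT=iptables to execute them (assumption).
IPT="${IPT:-echo iptables}"
WEB_IF="${WEB_IF:-eth0}"     # outside interface (assumed name)
WEB_PORT="${WEB_PORT:-80}"   # web server port (assumed)

# Only traffic to/from the web server port on the outside interface is
# queued; everything else stays on the ordinary kernel path, so a hung or
# crashed daemon cannot take down unrelated services.
queue_web_rules() {
    $IPT -A INPUT  -i "$WEB_IF" -p tcp --dport "$WEB_PORT" -j QUEUE
    $IPT -A OUTPUT -o "$WEB_IF" -p tcp --sport "$WEB_PORT" -j QUEUE
}

# The QUEUE target needs the ip_queue module (which libipq talks to).
# With no userspace consumer attached, queued packets are dropped, so the
# daemon should be started before these rules are loaded.
check_queue_support() {
    if [ -e /proc/net/ip_queue ]; then
        echo "ip_queue present: start the QUEUE consumer, then load rules"
        return 0
    fi
    echo "ip_queue not loaded (try: modprobe ip_queue)" >&2
    return 1
}

# Dry run by default: just print the rules that would be installed.
queue_web_rules
```

The two rules are deliberately narrow: queuing all traffic with a blanket `-j QUEUE` would route every packet through the daemon and, if it dies, silently drop everything, so only the service being protected is diverted.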