From: Nick R. <ni...@ro...> - 2005-01-04 00:47:51
On Mon, 3 Jan 2005, Christopher Black wrote:

> On Mon, 2005-01-03 at 14:55, Nick Rogness wrote:
>> On Mon, 3 Jan 2005, Christopher Black wrote:
>>
>>> List,
>>>
>>> I'm running freebsd 4.10 on a system configured with no IPs, bridging
>>> between two interfaces. The network works fine if diverting is
>>> disabled, but when packets are diverted to snort_inline, snort never
>>> appears to receive them. Has anyone seen this before?
>>
>> What is the output of:
>>
>> root# sysctl net.link.ether.bridge.ipfw
>>
>>
>> Nick Rogness <ni...@ro...>
>> -
>> How many people here have telekinetic powers? Raise my hand.
>> -Emo Philips
>
> bash-2.05b# sysctl -a | grep net.link.ether.bridge
> net.link.ether.bridge_cfg: sis0,sis1
> net.link.ether.bridge: 1
> net.link.ether.bridge_ipfw: 1
> ...
>
> The bridging part itself is working fine, until I divert the packets to
> snort. The one command 'ipfw add divert 6666 all from any to any' (6666
> being the port I put snort on) causes a complete loss of throughput.
> Snort is never receiving them, as debug statements in the main loop of
> inline.c report. Is there a special bridging (as opposed to inline)
> mode to enable?

No, snort_inline is unaware of anything in the lower layers, e.g. bridging vs routing. The divert socket is just a socket, not much different than a standard TCP socket.

I've never done bridging+IPFW before on FreeBSD. What happens if you divert to, say, natd as a test?

Is this on FreeBSD 5.3 again?

Nick Rogness <ni...@ro...>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips