From: Christopher B. <bla...@um...> - 2005-01-04 12:35:08

On Mon, 2005-01-03 at 19:44, Nick Rogness wrote:
> On Mon, 3 Jan 2005, Christopher Black wrote:
>
> > On Mon, 2005-01-03 at 14:55, Nick Rogness wrote:
> >> On Mon, 3 Jan 2005, Christopher Black wrote:
> >>
> >>> List,
> >>>
> >>> I'm running FreeBSD 4.10 on a system configured with no IPs, bridging
> >>> between two interfaces. The network works fine if diverting is
> >>> disabled, but when packets are diverted to snort_inline, snort never
> >>> appears to receive them. Has anyone seen this before?
> >>
> >> What is the output of:
> >>
> >> root# sysctl net.link.ether.bridge.ipfw
> >>
> >>
> >> Nick Rogness <ni...@ro...>
> >> -
> >> How many people here have telekinetic powers? Raise my hand.
> >> -Emo Philips
> >
> > bash-2.05b# sysctl -a | grep net.link.ether.bridge
> > net.link.ether.bridge_cfg: sis0,sis1
> > net.link.ether.bridge: 1
> > net.link.ether.bridge_ipfw: 1
> > ...
> >
> > The bridging part itself is working fine, until I divert the packets to
> > snort. The one command 'ipfw add divert 6666 all from any to any' (6666
> > being the port I put snort on) causes a complete loss of throughput.
> > Snort is never receiving them as debug statements in the main loop of
> > inline.c report. Is there a special bridging (as opposed to inline)
> > mode to enable?
>
> No, snort_inline is unaware of anything in the lower layers, e.g.
> bridging vs routing. The divert socket is just a socket, not much
> different than a standard TCP socket.
>
> I've never done bridging+IPFW before on FreeBSD. What happens if
> you divert to say natd as a test? Is this on FreeBSD 5.3 again?
>
> Nick Rogness <ni...@ro...>
> -
> How many people here have telekinetic powers? Raise my hand.
> -Emo Philips

This was on FreeBSD 4.10. Since I'm under a fairly tight deadline, I had
to revert to just doing NAT on that box. I will try this out later though.

Is there a special way to create a divert socket from a userland
application to just test to see what's hitting the socket?

--
Christopher Black <bla...@um...>
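As an added example (not from this thread and not snort_inline's code), a minimal FreeBSD userland reader for an ipfw divert socket: it binds the divert port used by the rule above, prints a one-line summary of each packet the kernel hands it, and reinjects the packet unchanged so the bridge keeps forwarding. It assumes root on a FreeBSD kernel with ipfw and divert support; the file name divert_peek.c and the port 6666 are the example's own choices.

```c
/* divert_peek.c: hypothetical userland test tool, not part of snort_inline.
 * Binds an ipfw divert socket, prints a one-line summary of every packet the
 * kernel hands it, and writes each packet back unchanged so traffic flows. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254 /* FreeBSD's value; only a FreeBSD kernel honors it */
#endif

/* Protocol number of a raw IPv4 packet, or -1 if it is too short / not IPv4. */
int ipv4_proto(const unsigned char *buf, size_t len) {
    return (len < 20 || (buf[0] >> 4) != 4) ? -1 : buf[9];
}

/* Create and bind the divert socket; port must match the ipfw rule
 * ('ipfw add divert 6666 ...'). Returns the fd or -1 (needs root). */
int open_divert(unsigned short port) {
    struct sockaddr_in sin;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { close(fd); return -1; }
    return fd;
}

int main(void) {
    unsigned char buf[65535];
    struct sockaddr_in from;   /* sin_port carries the ipfw rule number */
    char src[16], dst[16];
    int fd = open_divert(6666);
    if (fd < 0) { perror("open_divert"); return 1; }
    for (;;) {
        socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { perror("recvfrom"); return 1; }
        int proto = ipv4_proto(buf, (size_t)n);
        if (proto >= 0) {
            inet_ntop(AF_INET, buf + 12, src, sizeof src);
            inet_ntop(AF_INET, buf + 16, dst, sizeof dst);
            printf("rule %u: proto %d %s -> %s, %zd bytes\n",
                   (unsigned)ntohs(from.sin_port), proto, src, dst, n);
        }
        /* Reinject with the same sockaddr so ipfw resumes after the divert rule;
         * a reader that never does this is exactly what stalls the bridge. */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0)
            perror("sendto");
    }
}
```

Run it as root with the divert rule in place; if `ipfw show` counts hits on the divert rule but the program prints nothing, the packets are not reaching the socket at all rather than being lost inside the reader.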