From: Hugh Crissman <hcrissman@secure-mind.net>
To: Ryan McConigley <ryan@csse.uwa.edu.au>
Cc: bridge@lists.osdl.org
Subject: Re: [Bridge] bridge firewall
Date: Fri, 1 Jul 2005 11:36:23 -0400
Message-ID: <20050701153623.GA7841@secure-mind.net>
In-Reply-To: <5.2.0.9.1.20050701083251.02ea5438@mailhost.csse.uwa.edu.au>

Thanks Ryan,

That answers one of my major questions. I was not sure if I should have snort sniff on /dev/eth1 (a NIC that is part of my bridge) or /dev/br0
(the bridge interface I created). I would assume that snort capture is very similar to tcpdump and sniffing on /dev/br0 would work fine. I will
give that a shot. Now I wonder if iptables can block traffic on the bridge? If so, would the recipes call the bridge interface or one of the
specific interfaces that are active in the bridge, i.e. /dev/br0 or /dev/eth1?

Thanks,

Hugh

* Ryan McConigley <ryan@csse.uwa.edu.au> [2005-07-01 08:35:21]:

> At 08:15 AM 30/06/2005 -0400, you wrote:
> >I am in the process of building a bridge firewall to place as the gateway 
> >to my network. I have a couple
> >questions that I can't seem to find clear answers to. Can snort sniff on a 
> >bridged interface? Second, can
> >ebtables block by IP? I know IP is layer 3 and a Bridge is Layer 2 but 
> >some of the recipes I have seen for
> >ebtables have ips in them.
> 
>         I assume it can.  Just tell snort to use the bridge interface as 
> opposed to the actual ethernet cards.  That's how I do packet capture on 
> our bridge using tcpdump.  You'll probably get a better answer from the 
> list though.
> 
>         And I thought that ebtables was only layer2, but I know with 
> iptables you can specify mac addresses, so I wouldn't be surprised if 
> ebtables has the same style of functionality or plugins.
> 
>         Just my $0.02 worth.
> 
>         Cheers,
>                 Ryan.
> 
> --
>           Ryan McConigley - Systems Administrator                  _.-,
>      Computer Science   University of Western Australia        .--'  '-._
>        Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089       _/`-  _      '.
> Ryan[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ryan  '----'._`.----. \
>                                                                      `     
>                                                                      \;
>  "You're just jealous because the voices are talking to me"                
>  ;_\
> 
> 
> 
