From: Victor Julien <victor@nk.nl>
To: netfilter@lists.netfilter.org
Subject: Re: iptables promisc mode
Date: Wed, 15 Nov 2006 21:35:00 +0100
Message-ID: <455B79F4.2070202@nk.nl>
In-Reply-To: <455B7844.1010506@0x63.nu>
Magnus Månsson wrote:
>
>>
>> As long as the firewall machine that runs iptables is the gateway
>> from the lan to the internet and vice versa, this is already
>> happening, iptables sees all the traffic in both directions, and can
>> act on it was well, layer 4 and above. Nothing to add, no patch
>> required. But, to have details in the logs of what is passing
>> requires that you build and configure your rules properly, with log
>> statements in your case being well defined and covering a number of
>> common protocol ports. One issue you will face is that most of the
>> traffic you are trying to monitor, is not well defined nor restricted
>> to any common ports, which is why you have faced issues in preventing
>> the traffic and even with a layer 7 module.
>>
>> Plan on having at least one person devoted to nothing but monitoring
>> traffic and logs for sometime to get a handle on what your users are
>> abusing.
>>
>> Of course common theory is that this kind of abuse is best handled at
>> the HR level, a firewall is not the best place to handle this kind of
>> policy issue.
>>
>> Thanks,
>>
>> Ron DuFresne
> But since my firewalls are two redundant Cisco Pix 515E I don't use any
> linux machine as a gateway, that's why I have the port mirroring in
> the routing switch. And the goal is not to stop the "abusing" in the
> firewall, only to detect and log it for later investigation when we
> feel like we have the need.
>
> But thanks for the answer. .)
>
Have you looked at tcpdump or snort? They can do the same thing: monitor
and log in promiscuous mode...
Regards,
Victor
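Victor's suggestion works because tcpdump and snort both put the capture NIC into promiscuous mode, which is what makes a mirror (SPAN) port usable at all: the switch copies frames addressed to other hosts, and a NIC in normal mode silently drops those. The script below is an added example, not code from this thread or from the tcpdump/snort projects. It does the same job in miniature with a Linux AF_PACKET socket: enable PACKET_MR_PROMISC on the mirror port, decode each frame down to the IPv4/TCP-or-UDP 5-tuple, and aggregate per-flow packet and byte counts into log lines sorted by volume, which is the "detect and log for later" view Magnus asked for. Assumptions: Linux, root or CAP_NET_RAW, the interface name "eth1" is a placeholder for the real mirror port, only IPv4 TCP/UDP is decoded (everything else is counted as undecoded), and `build_frame` constructs test frames so the parser can be exercised offline without a mirror port.

```python
"""Promiscuous-mode sniffer with per-flow logging for a mirrored switch port.
Added example, not code from the thread. Assumptions: Linux AF_PACKET raw
sockets (root or CAP_NET_RAW); "eth1" is a placeholder mirror-port name;
only Ethernet/IPv4 carrying TCP or UDP is decoded, other frames are counted.
"""
import socket
import struct
import sys
import time

ETH_P_ALL = 0x0003            # ask the kernel for every protocol
SOL_PACKET = 263              # Linux socket level for AF_PACKET options
PACKET_ADD_MEMBERSHIP = 1
PACKET_MR_PROMISC = 1

def parse_frame(frame: bytes):
    """Decode Ethernet -> IPv4 -> TCP/UDP 5-tuple; None if not decodable."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                # short, or not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if ip[0] >> 4 != 4 or ihl < 20 or proto not in (6, 17):
        return None
    l4 = ip[ihl:total_len]
    if len(l4) < 4:
        return None                                # truncated transport header
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"proto": "tcp" if proto == 6 else "udp",
            "src": socket.inet_ntoa(ip[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(ip[16:20]), "dport": dport,
            "bytes": total_len}

class FlowLog:
    """Per-(proto, src, sport, dst, dport) packet/byte counts, rendered as
    log lines sorted by bytes so the heaviest flows come first."""

    def __init__(self):
        self.flows = {}
        self.undecoded = 0

    def add(self, pkt):
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        n, b = self.flows.get(key, (0, 0))
        self.flows[key] = (n + 1, b + pkt["bytes"])

    def lines(self):
        ranked = sorted(self.flows.items(), key=lambda kv: -kv[1][1])
        return [f"{p} {s}:{sp} -> {d}:{dp} pkts={n} bytes={b}"
                for (p, s, sp, d, dp), (n, b) in ranked]

def build_frame(src, sport, dst, dport, proto=6, payload=b""):
    """Construct a test frame (checksums zero; the parser never checks them)."""
    if proto == 6:   # 20-byte TCP header, SYN set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:            # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip + l4

def open_promisc_socket(ifname):
    """Raw socket bound to ifname with PACKET_MR_PROMISC, so frames not
    addressed to this host (i.e. the mirrored traffic) are delivered."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((ifname, 0))
    # struct packet_mreq { int ifindex; u16 type; u16 alen; u8 address[8]; }
    mreq = struct.pack("iHH8s", socket.if_nametoindex(ifname),
                       PACKET_MR_PROMISC, 0, bytes(8))
    sock.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    return sock

def sniff(ifname, seconds):
    """Capture for `seconds` and return the FlowLog. Closing the socket
    drops the promiscuous membership again."""
    log, sock = FlowLog(), open_promisc_socket(ifname)
    sock.settimeout(1.0)
    deadline = time.monotonic() + seconds
    try:
        while time.monotonic() < deadline:
            try:
                pkt = parse_frame(sock.recv(65535))
            except socket.timeout:
                continue
            if pkt is None:
                log.undecoded += 1
            else:
                log.add(pkt)
    finally:
        sock.close()
    return log

if __name__ == "__main__":
    table = sniff(sys.argv[1] if len(sys.argv) > 1 else "eth1", 30)
    for line in table.lines():
        print(line)
    print(f"undecoded frames: {table.undecoded}")
```

Run it as root with the mirror port name (`python3 sniff.py eth1`) and it prints the top talkers seen in 30 seconds. For anything beyond a demonstration, keep full packets instead: `tcpdump -i eth1 -w capture.pcap` with `-G`/`-C` rotation gives the raw evidence to revisit later, and snort adds signature matching on top of the same promiscuous capture. One check worth doing first: confirm the switch is actually mirroring both directions and that the monitor host's NIC reports PROMISC (`ip link show eth1`) while the capture runs, otherwise you will only see broadcasts and traffic to the monitor host itself.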
Thread overview: 6+ messages
2006-11-15 19:43 iptables promisc mode Magnus Månsson
2006-11-15 20:13 ` R. DuFresne
2006-11-15 20:27 ` Magnus Månsson
2006-11-15 20:35 ` Victor Julien [this message]
2006-11-15 20:39 ` Magnus Månsson
2006-11-17 0:32 ` Alan Ezust