From: "Tyler J. Wagner" <tyler@tolaris.com>
To: Jonathan Tripathy <jonnyt@abpni.co.uk>
Cc: netfilter@vger.kernel.org
Subject: Re: Promiscuous mode and xtables
Date: Thu, 04 Aug 2011 23:03:55 +0100 [thread overview]
Message-ID: <4E3B174B.9040407@tolaris.com> (raw)
In-Reply-To: <4E3B15B9.1090803@abpni.co.uk>
Actually, yes. I had assumed you'd need INPUT to be ACCEPT to monitor,
but of course you won't. For two reasons:
1. You're (presumably) not interested in monitoring traffic intended for
the server itself.
2. Your monitoring software sniffs the traffic using libpcap, which gets
its data before netfilter is applied.
That being the case, set all chains to DROP, and just sniff. But again,
make sure the application doing the sniffing is secure, and preferably
drops privileges as soon as the socket is open.
Regards,
Tyler
On 2011-08-04 22:57, Jonathan Tripathy wrote:
> Shouldn't I also set the input chain to DROP as well?
>
> Thanks
>
> On 04/08/2011 09:37, Tyler J. Wagner wrote:
>> If you intend to monitor only, set OUTPUT and FORWARD chains to DROP.
>> Otherwise you can't firewall. Make sure your monitoring software is up
>> to date, as vulnerabilities on it will be the biggest issue.
>>
>> Regards,
>> Tyler
>>
>> Jonathan Tripathy<jonnyt@abpni.co.uk> wrote:
>>
>> Hi Everyone,
>>
>> Currently, I use ebtables and iptables to secure my servers. It
>> would be
>> appreciated if someone could please give me some advice on what
>> the best
>> settings are for using a network port in promiscuous mode for
>> network
>> monitoring *only*. I.e. I do not want any of this traffic to be
>> able to
>> access anything on my server.
>>
>> Thanks
>> --
>> To unsubscribe from this list: send the line "unsubscribe
>> netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
>
--
A bad analogy is like a leaky screwdriver.
prev parent reply other threads:[~2011-08-04 22:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-04 4:19 Promiscuous mode and xtables Jonathan Tripathy
2011-08-04 8:37 ` Tyler J. Wagner
2011-08-04 21:57 ` Jonathan Tripathy
2011-08-04 22:03 ` Tyler J. Wagner [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E3B174B.9040407@tolaris.com \
--to=tyler@tolaris.com \
--cc=jonnyt@abpni.co.uk \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox