Firewall Wizards mailing list archives

Re: tcpdump on my firewall


From: Barney Wolff <barney () databus com>
Date: Sat, 27 Oct 2001 13:34:42 -0400

It seems that everybody is assuming that tcpdump turns on promiscuous
mode.  That doesn't have to be true, especially on a firewall, where
(one hopes!) all the packets actually go through the box.  The FreeBSD
flavor of tcpdump has the -p option to avoid promiscuous mode, and I'd
bet that other flavors can do the same.

That said, there have been tcpdump compromises, and it's unlikely that
there will never be another.  But that's true of absolutely anything
that runs, on the firewall or anywhere else.  The risk of an undetected
compromise via tcpdump, when an admin is actually looking at it, seems
small.  I wouldn't leave it running unattended, though.
-- 
Barney Wolff

"Nonetheless, ease and peace had left this people still curiously tough.
They were, if it came to it, difficult to daunt or to kill; and they were,
perhaps, so unwearyingly fond of good things not least because they could,
when put to it, do without them, and could survive rough handling by grief,
foe, or weather in a way that astonished those who did not know them well
and looked no further than their bellies and their well-fed faces." J.R.R.T.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
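The non-promiscuous capture the post describes, with the check a firewall admin would run to confirm the interface really stayed out of promiscuous mode. This is an added example, not part of the original message; it assumes Linux iproute2 (`ip -d link show`) and a current tcpdump, which accepts `-p` on Linux as well as FreeBSD. On Linux the promiscuous mode libpcap requests is not shown in the interface's `<...>` flag list, only in the kernel's promiscuity counter (and the "entered promiscuous mode" kernel log line), so the check reads that counter.

```shell
#!/bin/sh
# Added example: confirm that "tcpdump -p" leaves the capture interface
# out of promiscuous mode. Assumes Linux iproute2; on FreeBSD, look for
# PROMISC in "ifconfig <if>" instead.

# Print the kernel's promiscuity counter from "ip -d link show IFACE"
# output passed as $1 (empty if the field is absent).
iface_promiscuity() {
    printf '%s\n' "$1" |
        sed -n 's/.*promiscuity \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 (true) if the counter is above zero, i.e. some process has
# put the interface into promiscuous mode.
iface_is_promisc() {
    n=$(iface_promiscuity "$1")
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# Constructed sample output, shaped like "ip -d link show eth0".
SAMPLE_PROMISC='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 1500 numtxqueues 1 numrxqueues 1'
SAMPLE_NORMAL='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 1500 numtxqueues 1 numrxqueues 1'

# Live check (needs root): start tcpdump with -p on the firewall's
# interface, read the counter while it runs, then stop the capture.
check_tcpdump_p() {
    iface="${1:-eth0}"
    tcpdump -p -n -i "$iface" -w /dev/null >/dev/null 2>&1 &
    pid=$!
    sleep 1
    if iface_is_promisc "$(ip -d link show "$iface")"; then
        echo "$iface: promiscuity > 0 (another process may have set it)"
    else
        echo "$iface: not promiscuous while tcpdump -p runs"
    fi
    kill "$pid" 2>/dev/null
}
```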