Snort mailing list archives
Re: firewalling snort machine
From: Saad Kadhi <bsdguy () docisland org>
Date: 21 Feb 2002 21:05:53 +0100
[PLEASE FIX YOUR MAILER TO WRAP COLUMNS PROPERLY]
[PLEASE DROP THE HTML MAIL]

On Thu, 2002-02-21 at 18:01, Basil Saragoza wrote:
> I run demarc so I would like to be able to have a public ip to be able to check alerts from home using https. I was thinking about using ipchains on the snort machine to block everything incoming besides https....
This is definitely a bad idea. I'll go Sean's route: two NICs, one public with no address loaded & in promisc mode for snort, one private. You could set up sth like a VPN/https to the private address but I won't unless really, really necessary + the private one is hooked to some sort of tightly watched DMZ. IMHO, ipchains is really a bad firewall. Look for a stateful one (netfilter/iptables on linux or pf on openbsd or ...etc) & allow only a limited set of addresses to access it on https. As I would do it, I'll bind apache to the localhost port. Then I'll ssh into the box & create an ssh tunnel from my client machine to the port apache is listening on at localhost on the server machine. That way, I have everything encrypted + I don't have to fiddle w/ ssl or give ppl ways to hack into my box thru ssl.
> ----- Original Message -----
> From: Sean T. Ballard
> To: Basil Saragoza ; snort-users () lists sourceforge net
> Sent: Thursday, February 21, 2002 11:36 AM
> Subject: RE: [Snort-users] firewalling snort machine
>
> Here's how I do it. Have 2 NICs in it, one public, one private. Unbind TCP/IP off the public interface and just have the card in promisc mode. Then on your private interface set up an IP so you can check the logs. This way no internet traffic can connect to the IDS but it still logs everything. (Make sure if you're plugging the IDS into a switch that the ports are mirrored to the port the IDS's public interface is in.)
>
> -Sean
>
> -----Original Message-----
> From: Basil Saragoza [mailto:snortlst () hotmail com]
> Sent: Thursday, February 21, 2002 10:56 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] firewalling snort machine
>
> I have a snort machine exposed to the internet (connected to our internet switch, it monitors traffic coming to the firewall public nic). Is it safe to install a firewall on the snort machine and disable ALL incoming traffic to the snort machine from the internet? Will it affect snort functionality? (My guess would be it won't, 'cause snort sniffs packets from the switch and it is not dependent on internet connectivity, but I just want to make sure that my guess is correct.) thx.
--
/Saad -- [bsdguy () docisland org] [pgp keyid: 35592A6D http://pgp.mit.edu]
# booth slave for hire

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
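The two setups recommended in this thread (Sean's address-less promiscuous sniffing NIC on the public side, and Saad's loopback-bound web console reached through an ssh tunnel behind a stateful firewall that admits only a few source addresses) can be audited on a sensor with the script below. It is an added example, not code from the thread, from Snort or from Demarc. Interface names, addresses, ports and the sample command output are constructed assumptions, and it reads the `ip addr show`, `ss -ltn` and `iptables-save` formats of current Linux rather than the ifconfig/netstat/ipchains tools of 2002; on a live box, pass the real output of those commands in place of the samples.

```shell
#!/bin/sh
# Added example (not from the thread, Snort or Demarc): offline audit of the
# three hardening points the replies recommend for a sensor. Sample dumps are
# constructed; feed in real `ip addr show IFACE`, `ss -ltn` and `iptables-save`
# output on a live box. Interface names, addresses and ports are assumptions.

# 1. Sniffing NIC (Sean's setup): UP and PROMISC, with no IPv4/IPv6 address.
#    A link-local inet6 line counts as an address; disable IPv6 on that NIC.
stealth_iface_ok() {            # args: IFACE "<ip addr show IFACE output>"
    iface=$1; dump=$2
    printf '%s\n' "$dump" | grep -Eq '^[[:space:]]+inet6? ' && return 1
    printf '%s\n' "$dump" | grep -Eq "^[0-9]+: $iface: <[^>]*PROMISC" || return 1
    printf '%s\n' "$dump" | grep -Eq "^[0-9]+: $iface: <[^>]*UP" || return 1
}

# 2. Web console (Saad's advice): every listener on PORT is bound to loopback
#    only. The console is then reached from the admin host with an ssh tunnel,
#    e.g.  ssh -N -L 8443:127.0.0.1:443 admin@<sensor-mgmt-ip>
#    and browsed at https://127.0.0.1:8443/ (assumed names and ports).
web_console_loopback_only() {   # args: PORT "<ss -ltn output>"
    port=$1; dump=$2
    printf '%s\n' "$dump" | awk -v p="$port" '
        $1 == "LISTEN" && $4 ~ (":" p "$") {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# 3. Management path: INPUT policy DROP, a stateful ESTABLISHED rule, and any
#    rule admitting new ssh/https sessions restricted to a source address (-s).
mgmt_firewall_ok() {            # args: "<iptables-save output>"
    dump=$1
    printf '%s\n' "$dump" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$dump" | grep -Eq -- '^-A INPUT .*--state [A-Z,]*ESTABLISHED.*-j ACCEPT' || return 1
    printf '%s\n' "$dump" | grep -E -- '^-A INPUT .*--dport (22|443) .*-j ACCEPT' \
        | grep -Ev -- ' -s [0-9./]+ ' | grep -q . && return 1
    return 0
}

audit_sensor() {                # args: IFACE PORT "<ip dump>" "<ss dump>" "<fw dump>"
    rc=0
    stealth_iface_ok "$1" "$3"          || { echo "FAIL: $1 has an address or is not promisc"; rc=1; }
    web_console_loopback_only "$2" "$4" || { echo "FAIL: port $2 listens beyond loopback"; rc=1; }
    mgmt_firewall_ok "$5"               || { echo "FAIL: inbound policy is not default-deny, stateful and source-limited"; rc=1; }
    return $rc
}

# Constructed sample output: one compliant sensor and one that is not.
GOOD_SNIFF='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
BAD_SNIFF='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.5/24 brd 203.0.113.255 scope global eth0'
GOOD_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:443     0.0.0.0:*
LISTEN 0      128    192.0.2.1:22      0.0.0.0:*'
BAD_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:443       0.0.0.0:*'
GOOD_FW='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT'
BAD_FW='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

audit_sensor eth0 443 "$GOOD_SNIFF" "$GOOD_SS" "$GOOD_FW" && echo "sensor OK"
audit_sensor eth0 443 "$BAD_SNIFF" "$BAD_SS" "$BAD_FW" || echo "sensor needs work"
```

The second sensor fails all three checks: the public NIC carries an address, the console listens on 0.0.0.0, and the INPUT chain accepts by default with an unrestricted https rule. Note that the firewall check only asks whether a source restriction exists, not whether the listed addresses are the right ones; that list is the part a reviewer still has to read.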
Current thread:
- firewalling snort machine Basil Saragoza (Feb 21)
- Re: firewalling snort machine Erek Adams (Feb 21)
- Re: firewalling snort machine Basil Saragoza (Feb 21)
- Re: firewalling snort machine Erek Adams (Feb 21)
- Re: firewalling snort machine dr . kaos (Feb 22)
- Re: firewalling snort machine Basil Saragoza (Feb 21)
- <Possible follow-ups>
- RE: firewalling snort machine Sean T. Ballard (Feb 21)
- Re: firewalling snort machine Basil Saragoza (Feb 21)
- Re: firewalling snort machine Saad Kadhi (Feb 21)
- Re: firewalling snort machine Basil Saragoza (Feb 21)
- RE: firewalling snort machine McCammon, Keith (Feb 21)
- RE: firewalling snort machine Semerjian, Ohanes (Feb 21)
- RE: firewalling snort machine Salisko, Rick (Feb 22)
- RE: firewalling snort machine Erek Adams (Feb 22)
- Re: firewalling snort machine Basil Saragoza (Feb 22)
- Re: firewalling snort machine Erek Adams (Feb 22)
- RE: firewalling snort machine Erek Adams (Feb 22)
- Re: firewalling snort machine Erek Adams (Feb 21)
- RE: firewalling snort machine McCammon, Keith (Feb 22)
- Re: firewalling snort machine Erek Adams (Feb 22)
- RE: firewalling snort machine Salisko, Rick (Feb 25)