Firewall Wizards mailing list archives

Re: tcpdump on my firewall


From: roel () SiliconDefense com
Date: Fri, 26 Oct 2001 16:44:57 -0700

Hello,

... tcpdump on our firewall ...

Unless you disable the promiscuous part of tcpdump/libpcap, the risk is rather
large: you're exposing user-level apps to packets that are otherwise dropped
before they get anywhere. Besides, whenever an interface goes into promiscuous
mode the IP stack has to deal with all packets flying by (aside from the ones
that it needs to process), and this of course can have a considerable impact on
CPU load depending on the network. On top of that, as soon as you do anything
with libpcap/tcpdump, that in itself will have a considerable impact on the CPU,
since it has to duplicate every packet...

Depending on your network, your users may come after you for lousy internet
performance because the fw bogged down to a snail's pace.

If you have to put tcpdump on your firewall, make sure it doesn't run as root.
(Unless you're on Linux, in which case you're stuck with running it as root; for
other OSes I can provide you with some instructions on how to run it without
root privileges.)

Good luck.

-- 
roel
Silicon Defense: Technical Support for Snort!
http://www.SiliconDefense.com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
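The two concerns in the post above, an interface left in promiscuous mode and tcpdump running as root, as an added shell example that is not part of the original message. It assumes GNU/Linux `ip link show` output and `/sys/class/net/<if>/flags` semantics (IFF_PROMISC is bit 0x100), and a tcpdump new enough to have `-p` (no promiscuous mode) and `-Z user` (drop privileges after the capture socket is opened), a flag that post-dates this 2001 message.

```shell
#!/bin/sh
# Added example, not from the original post.
# Defender-side check for promiscuous interfaces plus a tcpdump invocation
# that avoids both problems the post raises.

# Constructed sample of `ip link show` output; eth1 was left in promiscuous
# mode by an earlier capture and is what the check should flag.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

# promisc_ifaces: read `ip link show` text on stdin and print the name of
# every interface whose flag list contains PROMISC. Only the "N: name: <...>"
# header lines are examined; the indented link/ lines are skipped.
promisc_ifaces() {
    awk -F'[ :]+' '/^[0-9]+: / && $3 ~ /(<|,)PROMISC(,|>)/ { print $2 }'
}

# is_promisc_flags HEX: given the contents of /sys/class/net/<if>/flags
# (e.g. 0x1103), succeed if the IFF_PROMISC bit (0x100) is set.
is_promisc_flags() {
    flags=$(($1))                      # shell arithmetic accepts 0x literals
    [ $((flags & 0x100)) -ne 0 ]
}

# safe_tcpdump_cmd IFACE USER FILTER: build a tcpdump command line that
#  -p  does not switch the interface into promiscuous mode,
#  -n  does no DNS lookups from the firewall,
#  -Z  drops root to USER once the capture socket is open,
#  and a BPF filter so libpcap copies only the traffic of interest to userland
#  (the CPU cost the post describes scales with what gets copied).
safe_tcpdump_cmd() {
    printf "tcpdump -p -n -i %s -Z %s -w /var/tmp/%s.pcap '%s'\n" "$1" "$2" "$1" "$3"
}

# Demo: which sampled interfaces are promiscuous, and the command a
# restricted capture of web traffic on eth0 would use.
printf '%s\n' "$SAMPLE_IP_LINK" | promisc_ifaces
safe_tcpdump_cmd eth0 tcpdump 'tcp port 80'
```

On a live box, replace the sample with `ip link show | promisc_ifaces` or feed `$(cat /sys/class/net/eth0/flags)` to `is_promisc_flags`; an interface that stays PROMISC after the capture ends is the condition worth alerting on.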