Re: firewalling snort machine

[Saad Kadhi <bsdguy () docisland org>]

[PLEASE FIX YOUR MAILER TO WRAP COLUMNS PROPERLY]
[PLEASE DROP THE HTML MAIL]

On Thu, 2002-02-21 at 18:01, Basil Saragoza wrote:
> I run demarc so I would like to be able to have public ip to be able to check alerts from home using https.
> I was thinking about using ipchains on snort machine to block everything incoming besides https....
this is definitely a bad idea. I'll go sean's route. two nics. one
public with no address loaded & in promisc mode for snort. one private.
you could setup sth like a vpn/https to the private address but I won't
unless really really necessary + the private is hooked to some sort of
tightly watched dmz. imho, ipchains is really a bad firewall. look for a
stateful one (netfilter/iptables on linux or pf on openbsd or ...etc) &
allow only a limited set of addresses to access it on https. As I would
do it, I'll bind apache to the localhost port. Then I'll ssh into the
box & create a ssh tunnel from my client machine to the port apache is
listening on on the localhost of the server machine. That way, I have
everything encrypted + I don't have to fiddle w/ ssl or give ppl ways to
hack into my box thru ssl. 


>   ----- Original Message ----- 
>   From: Sean T. Ballard 
>   To: Basil Saragoza ; snort-users () lists sourceforge net 
>   Sent: Thursday, February 21, 2002 11:36 AM
>   Subject: RE: [Snort-users] firewalling snort machine
>
>
>   Here how I do it. Have 2 nics in it, one public one private. Unbind tcpip off the public interface and just have 
> the card in promisc mode. Then on your private interface setup and IP so you can check the logs. This way no internet 
> traffic can connect to the IDS but it still logs everything. (Make sure if your plugging the IDS into a switch that 
> the ports are mirrored to the port the IDS's public interface is in)
>    
>   -Sean
>     -----Original Message-----
>     From: Basil Saragoza [mailto:snortlst () hotmail com]
>     Sent: Thursday, February 21, 2002 10:56 AM
>     To: snort-users () lists sourceforge net
>     Subject: [Snort-users] firewalling snort machine
>
>
>     I have a snort machine exposed to the internet (connected to our internet switch, it monitors traffic coing to 
> the firewall public nic).
>     Is it safe to install firewall on snort machine and disable ALL incoming traffic to snort machin from the 
> internet? Will it affect snort functionality?
>     (My guess would be it won't cause snort sniffs packets fro the switch and it is not dependent on internet 
> connectivity, but I just want to make sure that mu guess is correct)
>     thx.
-- 
/Saad --  [bsdguy () docisland org] 
[pgp keyid: 35592A6D http://pgp.mit.edu]
# booth slave for hire


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users