Snort mailing list archives

Re: Inline IP_Forwarding and other simple questions?


From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 28 Dec 2004 17:47:46 -0600

Sounds good to me, although it sounds like an awful lot of traffic to
watch for one box.  Watch out for bus/memory/processor limitations.  I
can just see that poor 386 trying to move those packets through
ip_queue now ;-)

Regards,

Will


On Tue, 28 Dec 2004 18:40:00 -0500, Michael D. Peters
<mdpeters () lazarusalliance com> wrote:
What I have is 4 unnumbered sensor interfaces, 2 unnumbered interfaces for
the bridge, and 1 numbered interface for the management port. I have not
turned on ip_forwarding at any time.

How does this sound?

Will Metcalf writes:

Is that true? I almost can believe it. I enable ip_forwarding and then
I pass some traffic with QUEUE to snort-inline so I can take another
look at it. Am I doing it all wrong? Can you explain to me why?

There is no need to enable ip_forwarding if you are in bridge mode.
The brnf code moves data across the bridge for you.  There is no need
for an ip interface or anything. If you are running ip_forwarding in
bridge mode turn it off.  If you have a third management int or an ip
assigned to the bridge interface this may lead to an insecure
configuration.

Regards,

Will

On 28 Dec 2004 23:43:19 +0100, Jose Maria Lopez <jkerouac () bgsec com> wrote:
On Thu, 23 Dec 2004 at 21:21, Matt Kettler wrote:
At 02:04 PM 12/23/2004, mdpeters wrote:
Do I need to enable ip_forwarding on for the transparent bridge to work?

As I understand it, you explicitly MUST NOT enable ip_forwarding, otherwise
your snort-inline is a "pass all".

Is that true? I almost can believe it. I enable ip_forwarding and then
I pass some traffic with QUEUE to snort-inline so I can take another
look at it. Am I doing it all wrong? Can you explain to me why?

Thanks and Happy Christmas to everybody.

--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?listsnort-users
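
Added example, not part of the original thread or of snort-inline: a small audit for the condition discussed above, where ip_forward is switched on for a bridge-mode sensor that also has a numbered (management or bridge) interface. The function name, the sample listing and the interface name eth6 are constructed for illustration; the listing is assumed to be in the format printed by `ip -o -4 addr show`.

```bash
#!/usr/bin/env bash
# audit_bridge FORWARD_FLAG ADDR_LISTING
#   FORWARD_FLAG  contents of /proc/sys/net/ipv4/ip_forward (0 or 1)
#   ADDR_LISTING  output of `ip -o -4 addr show` (one address per line)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_bridge() {
    local forward="$1" listing="$2" numbered rc=0

    # Interfaces that carry an IPv4 address, loopback excluded.
    # Unnumbered sensor and bridge ports never appear in this listing.
    numbered=$(printf '%s\n' "$listing" | awk '
        $3 == "inet" && $2 != "lo" && !seen[$2]++ {
            out = out (out ? " " : "") $2
        }
        END { print out }')

    if [ "$forward" = "1" ]; then
        # The thread: bridging needs no ip_forwarding, so turn it off.
        echo "FAIL ip_forward=1: not needed in bridge mode, turn it off"
        rc=1
        if [ -n "$numbered" ]; then
            # The combination the thread warns may be insecure.
            echo "FAIL ip_forward=1 with numbered interface(s): $numbered"
        fi
    else
        echo "OK ip_forward=0"
        if [ -n "$numbered" ]; then
            echo "INFO numbered interface(s): $numbered"
        fi
    fi
    return "$rc"
}

# Constructed sample: the layout from the thread, where only the
# management port (called eth6 here) has an address.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
8: eth6    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth6'

audit_bridge 1 "$SAMPLE_ADDRS" || true

# On a live sensor:
#   audit_bridge "$(cat /proc/sys/net/ipv4/ip_forward)" "$(ip -o -4 addr show)"
```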


