Hi!
I'm just setting up a box which should forward all packets to another host
for processing with snort. As I have some problems setting the whole thing
up, I have some questions regarding the basic implementation and how to use
it.
Here is what I tried:
I modified the dup-to rule from the FAQ to match my needs.
My ruleset starts with these rules:
# default = block
block in all
block out all
# loopback
pass in quick on lo0
pass out quick on lo0
# de8 is my ethernet device for my PPPoE link
pass in quick on de8
pass out quick on de8
# duping should be done to rl0
pass in quick on rl0
pass out quick on rl0
# the dup-to rules
block in quick on tun0 dup-to rl0:10.99.99.99 from any to any
pass in quick on tun0 dup-to rl0:10.99.99.99 from any to any
(There are more rules in the ruleset, see bottom for complete set)
With this configuration I can see incoming packets on my logging box.
I compared the tcpdump output (on tun0) from my router running ipf and
the logging box.
ipf only dupes to the logging box the packets which hit the router
directly; it does not dupe packets which are forwarded by ipnat redirects,
nor packets which belong to a connection that was initiated from inside the
LAN and then got into the state table due to a keep state rule.
Here is my setup:
           de8           rl0       rl0
             \           /           \
( Internet )-----[Router]---------[logging box]
                  |  |\              |\
                  |  | de2           | rl1
                  |  |_______________|
                  |
      several other interfaces
          (internal LAN)
As you can see the logging box is connected with two cables.
One (between de2 <-> rl1) is used for normal operation (dns, ssh, ...)
and the other (rl0 <-> rl0) is only used for logging. I didn't assign
IP addresses to the interfaces in the first place, but as I'm now using the
rl0:10.99.99.99 option I assigned IPs.
My questions:
- How could I copy all packets to the rl0 interface?
- How does "dup-to rl0" work? Is it done as broadcast so my NIC on the
logging box does not filter the packets?
Thanks for your help, Hendrik
Before you have to ask for anything here is the config of the router:
[0.33] hscholz@echidna:~ > uname -a
FreeBSD echidna.raisdorf.net 4.6-STABLE FreeBSD 4.6-STABLE #0: Tue Aug 13 14:22:24
CEST 2002 [EMAIL PROTECTED]:/usr/src/sys/compile/ECHIDNA i386
# the logging box is running FreeBSD -stable built from the same source tree
[0.66] hscholz@echidna:~ > ifconfig -l;ifconfig rl0; ifconfig de8; ifconfig tun0
rl0 de0 de1 de2 de3 de4 de5 de6 de7 de8 ppp0 lo0 tun0
# left some out here
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::2e0:4cff:fe77:9187%rl0 prefixlen 64 scopeid 0x1
inet 10.99.99.98 netmask 0xffffff00 broadcast 10.99.99.255
ether 00:e0:4c:77:91:87
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
de8: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::200:c0ff:fe5e:d1dc%de8 prefixlen 64 scopeid 0xa
ether 00:00:c0:5e:d1:dc
media: Ethernet 10baseT/UTP
status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
inet6 fe80::2e0:4cff:fe77:9187%tun0 prefixlen 64 scopeid 0xd
inet 80.134.186.65 --> 217.5.98.62 netmask 0xff000000
Opened by PID 769
[0.56] hscholz@echidna:~ >
[0.56] hscholz@echidna:~ > netstat -rnf inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 217.5.98.62 UGSc 5 5023933 tun0
10.10.1/24 link#2 UC 1 0 de0
10.10.1.2 00:02:b3:2e:11:00 UHLW 5 5902303 de0 970
10.12.1/24 link#4 UC 1 0 de2
10.12.1.2 00:00:e8:62:f7:d2 UHLW 0 253422 de2 317
10.13.1/24 link#5 UC 1 0 de3
10.13.1.2 00:50:04:11:90:0a UHLW 0 11907074 de3 677
10.14.1/24 link#6 UC 0 0 de4
10.15.1/24 link#7 UC 0 0 de5
10.16.1/24 link#8 UC 0 0 de6
10.99.99/24 link#1 UC 1 1 rl0
10.99.99.99 00:e0:4c:77:91:91 UHLW 0 434 rl0 238
10.100.1/24 link#3 UC 1 0 de1
10.100.1.1 00:00:d1:1d:a0:84 UHLW 0 2 lo0
127.0.0.1 127.0.0.1 UH 0 109 lo0
217.5.98.62 80.134.186.65 UH 5 0 tun0
[0.30] hscholz@echidna:~ > netstat -i | grep -e ^de8 -e ^tun -e ^rl
rl0 1500 <Link#1> 00:e0:4c:77:91:87 5 0 3492 0 0
rl0 1500 fe80:1::2e0 fe80:1::2e0:4cff: 0 - 0 - -
rl0 1500 10.99.99/24 10.99.99.98 2 - 2 - -
de8 1500 <Link#10> 00:00:c0:5e:d1:dc 5734224 0 5008025 0 62193
de8 1500 fe80:a::200 fe80:a::200:c0ff: 0 - 0 - -
tun0 1492 <Link#13> 5734207 0 5008063 0 0
tun0 1492 fe80:d::2e0 fe80:d::2e0:4cff: 0 - 0 - -
tun0 1492 80 p5086BA41.dip.t 402 - 124 - -
[0.65] root@echidna:~ > ipf -V
ipf: IP Filter: v3.4.27 (336)
Kernel: IP Filter: v3.4.27
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
[0.63] root@echidna:~ > ipfstat
IPv6 packets: in 6 out 52
input packets: blocked 5878 passed 23406188 nomatch 6 counted 0 short 0
output packets: blocked 346 passed 23453317 nomatch 52 counted 0 short 0
input packets logged: blocked 3737 passed 37
output packets logged: blocked 0 passed 792
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 20569 lost 4559
packet state(out): kept 73150 lost 1128580
ICMP replies: 0 TCP RSTs sent: 78
Invalid source(in): 0
Result cache hits(in): 1110909 (out): 723
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 3368 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
none
ipfstat -io (this one is built with isba so it looks somewhat ugly and doesn't have
group/head until now)
block out from any to any
pass out quick on lo0 from any to any
pass out quick on de8 from any to any
pass out quick on rl0 from any to any
pass out quick on tun0 proto tcp from any to any flags S/SA keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
pass out quick on de6 proto udp from any to any port = 514
block out quick on de6 from any to any
pass out quick on de0 proto tcp from any to 10.10.1.2/32 keep state
pass out quick on de0 proto udp from any to 10.10.1.2/32 keep state
pass out quick on de0 proto icmp from any to 10.10.1.2/32 keep state
pass out quick on de1 from any to any keep state
pass out quick on de2 proto tcp from any to 10.12.1.2/32 port = 25 flags S/SA keep
state
pass out quick on de2 proto tcp from any to 10.12.1.2/32 port = 53 flags S/SA keep
state
pass out quick on de2 proto tcp from any to 10.12.1.2/32 port = 80 flags S/SA keep
state
pass out quick on de2 proto udp from any to 10.12.1.2/32 port = 53 keep state
pass out quick on de2 proto tcp from any to 10.12.1.2/32 port = 110 flags S/SA keep
state
pass out quick on de2 proto tcp from any to 10.12.1.2/32 port = 119 flags S/SA keep
state
pass out quick on de2 proto tcp from any to 10.12.1.2/32 port = 22 flags S/SA keep
state
pass out quick on de2 proto tcp from any to 10.12.1.3/32 port = 25 flags S/SA keep
state
pass out quick on de2 proto tcp from any to 10.12.1.3/32 port = 53 flags S/SA keep
state
pass out quick on de2 proto tcp from any to 10.12.1.3/32 port = 80 flags S/SA keep
state
pass out quick on de2 proto udp from any to 10.12.1.3/32 port = 53 keep state
pass out quick on de2 proto tcp from any to 10.12.1.3/32 port = 110 flags S/SA keep
state
pass out quick on de2 proto tcp from any to 10.12.1.3/32 port = 119 flags S/SA keep
state
pass out quick on de2 proto tcp from any to 10.12.1.3/32 port = 22 flags S/SA keep
state
pass out quick on de2 proto tcp from any to any keep state
pass out quick on de2 proto udp from any to any keep state
pass out quick on de3 proto tcp from any to 10.13.1.2/32 keep state
pass out quick on de3 proto udp from any to 10.13.1.2/32 keep state
pass out quick on de3 proto icmp from any to 10.13.1.2/32 keep state
pass out quick on de4 from any to 10.13.1.3/32
pass out quick on de4 from any to 10.13.1.4/32
pass out quick on de4 from any to 10.14.1.2/32
pass out quick on de5 from any to 10.15.1.2/32
pass out log quick from any to any
block in from any to any
pass in quick on lo0 from any to any
pass in quick on de8 from any to any
pass in quick on rl0 from any to any
block in quick on tun0 dup-to rl0:10.99.99.99 from any to any
pass in quick on tun0 dup-to rl0:10.99.99.99 from any to any
block in log first quick on tun0 proto tcp from any to any flags FPU/FPU
block in log first quick on tun0 from any to any with ipopt
block in log first quick on tun0 from any to any with short
block in log first quick on tun0 from any to any with opt lsrr
block in log first quick on tun0 from any to any with opt ssrr
block in log first quick on tun0 from 10.0.0.0/8 to any
block in log first quick on tun0 from 127.0.0.0/8 to any
block in log first quick on tun0 from 172.16.0.0/12 to any
block in log first quick on tun0 from 192.168.0.0/16 to any
pass in quick on tun0 proto udp from any to 10.13.1.3/32 port = 5198
pass in quick on tun0 proto udp from any to 10.13.1.3/32 port = 5199
pass in log first quick on tun0 proto tcp from any to 10.12.1.2/32 port = 2401 flags
S/S keep frags
pass in log first quick on tun0 proto tcp from any to 10.12.1.2/32 port = 80 flags S/S
keep frags
pass in log first quick on tun0 proto tcp from any to 10.12.1.2/32 port = 22 flags S/S
keep frags
pass in quick on tun0 proto tcp from any to 10.13.1.2/32 port = 4662 keep state
pass in quick on tun0 proto udp from any to 10.13.1.2/32 port = 4666 keep state
block return-rst in quick on tun0 proto tcp from 129.143.67.242/32 to any port = 3128
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 129.143.67.242/32 to any port = 8080
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 129.143.67.242/32 to any port = 1080
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 130.133.254.2/32 to any port = 3128
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 130.133.254.2/32 to any port = 8080
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 130.133.254.2/32 to any port = 1080
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 131.188.3.83/32 to any port = 3128
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 131.188.3.83/32 to any port = 8080
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 131.188.3.83/32 to any port = 1080
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 194.64.239.50/32 to any port = 3128
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 194.64.239.50/32 to any port = 8080
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 194.64.239.50/32 to any port = 1080
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 194.97.2.2/32 to any port = 3128
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 194.97.2.2/32 to any port = 8080
flags S/S keep state
block return-rst in quick on tun0 proto tcp from 194.97.2.2/32 to any port = 1080
flags S/S keep state
block return-rst in quick on tun0 proto tcp from any to any port = 113 flags S/S keep
state
pass in quick on tun0 proto icmp from any to any icmp-type echo
pass in quick on tun0 proto icmp from any to any icmp-type echorep
pass in quick on tun0 proto icmp from any to any icmp-type unreach
pass in quick on tun0 proto udp from any to any port 33434 >< 33523
block in quick on de6 from any to any
pass in quick on de0 proto tcp from 10.0.0.0/8 to any port = 22 flags S/SA keep state
keep frags
pass in quick on de1 proto tcp from 10.0.0.0/8 to any port = 22 flags S/SA keep state
keep frags
pass in quick on de2 proto tcp from 10.0.0.0/8 to any port = 22 flags S/SA keep state
keep frags
pass in quick on de3 proto tcp from 10.0.0.0/8 to any port = 22 flags S/SA keep state
keep frags
pass in quick on de4 proto tcp from 10.0.0.0/8 to any port = 22 flags S/SA keep state
keep frags
pass in quick on de5 proto tcp from 10.0.0.0/8 to any port = 22 flags S/SA keep state
keep frags
pass in quick on de0 proto icmp from 10.0.0.0/8 to any icmp-type echo keep state
pass in quick on de1 proto icmp from 10.0.0.0/8 to any icmp-type echo keep state
pass in quick on de2 proto icmp from 10.0.0.0/8 to any icmp-type echo keep state
pass in quick on de3 proto icmp from 10.0.0.0/8 to any icmp-type echo keep state
pass in quick on de4 proto icmp from 10.0.0.0/8 to any icmp-type echo keep state
pass in quick on de5 proto icmp from 10.0.0.0/8 to any icmp-type echo keep state
pass in quick on de0 proto udp from 10.0.0.0/8 to any port 33434 >< 33523 keep state
pass in quick on de1 proto udp from 10.0.0.0/8 to any port 33434 >< 33523 keep state
pass in quick on de2 proto udp from 10.0.0.0/8 to any port 33434 >< 33523 keep state
pass in quick on de3 proto udp from 10.0.0.0/8 to any port 33434 >< 33523 keep state
pass in quick on de4 proto udp from 10.0.0.0/8 to any port 33434 >< 33523 keep state
pass in quick on de5 proto udp from 10.0.0.0/8 to any port 33434 >< 33523 keep state
block in log first quick from any to 10.1.1.89/32
block in log first quick from any to 10.10.1.1/32
block in log first quick from any to 10.11.1.1/32
block in log first quick from any to 10.12.1.1/32
block in log first quick from any to 10.13.1.1/32
block in log first quick from any to 10.14.1.1/32
block in log first quick from any to 10.15.1.1/32
block in log first quick from any to 10.16.1.1/32
pass in quick on de0 proto tcp from 10.10.1.2/32 to any keep frags
pass in quick on de0 proto udp from 10.10.1.2/32 to any
pass in quick on de0 proto icmp from 10.10.1.2/32 to any
pass in quick on de1 from any to any keep state
pass in quick on de2 proto icmp from 10.12.1.2/32 to any keep state
pass in quick on de2 proto icmp from 10.12.1.3/32 to any keep state
pass in quick on de2 proto udp from 10.12.1.2/32 to any keep state
pass in quick on de2 proto udp from 10.12.1.3/32 to any keep state
pass in quick on de2 proto tcp from 10.12.1.2/32 to any keep state
pass in quick on de2 proto tcp from 10.12.1.3/32 to any keep state
pass in quick on de3 proto tcp from 10.13.1.2/32 to any keep frags
pass in quick on de3 proto udp from 10.13.1.2/32 to any
pass in quick on de3 proto icmp from 10.13.1.2/32 to any
pass in quick on de4 from 10.13.1.3/32 to any
pass in quick on de4 from 10.13.1.4/32 to any
pass in quick on de4 from 10.14.1.2/32 to any
pass in quick on de5 from 10.15.1.2/32 to any
block in log first quick from any to any
ipnat -l (no active session listing)
List of active MAP/Redirect filters:
map tun0 from 10.0.0.0/8 to any -> 0.0.0.0/32 proxy port ftp ftp/tcp
map tun0 from 10.0.0.0/8 to any -> 0.0.0.0/32
rdr tun0 from any to any port = 22 -> 10.12.1.2 port 22 tcp
rdr tun0 from any to any port = 80 -> 10.12.1.2 port 80 tcp
rdr tun0 from any to any port = 4662 -> 10.13.1.2 port 4662 tcp
rdr tun0 from any to any port = 4666 -> 10.13.1.2 port 4666 udp
--
Hendrik Scholz - <[EMAIL PROTECTED]> - http://raisdorf.net/
drag me, drop me - treat me like an object
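An added illustration, not part of the mail above and not IPFilter's own code: a small Python checker that reads an `ipfstat -io` style rule listing (rejoining the lines a mail client wrapped, such as the "keep\nstate" breaks in the listing above), picks out every `dup-to` rule, and reports which later rules can never be reached by plain rule matching because an earlier `quick` rule on the same interface already matches every packet. It assumes only the documented first-match behaviour of `quick` (a matching quick rule ends rule evaluation for that packet); it deliberately does not model the state table or ipnat, which IPFilter consults separately from the rule list. The sample listing is a subset copied from the router's listing in the mail; the function names (`join_wrapped`, `parse`, `dup_to_rules`, `shadowed_rules`) are mine.

```python
"""Rule-order check for an ipf rule listing (ipfstat -io style).

Assumptions (this is an added illustration, not IPFilter code): rules are
evaluated top to bottom within a direction; a matching rule that carries
`quick` ends evaluation; the state table and ipnat are applied outside the
rule list and are NOT modelled here.
"""
import re
from collections import defaultdict

# Subset of the router's `ipfstat -io` listing from the mail, including one
# rule that the mail client wrapped onto two lines ("... flags S/S" / "keep frags").
SAMPLE_LISTING = """\
block out from any to any
pass out quick on lo0 from any to any
pass out quick on tun0 proto tcp from any to any flags S/SA keep state
pass out log quick from any to any
block in from any to any
pass in quick on lo0 from any to any
pass in quick on rl0 from any to any
block in quick on tun0 dup-to rl0:10.99.99.99 from any to any
pass in quick on tun0 dup-to rl0:10.99.99.99 from any to any
block in log first quick on tun0 from any to any with short
pass in log first quick on tun0 proto tcp from any to 10.12.1.2/32 port = 22 flags S/S
keep frags
pass in quick on tun0 proto icmp from any to any icmp-type echo
block in log first quick from any to any
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: return-rst| return-icmp)?"
    r" (?P<dir>in|out)"
    r"(?P<log> log(?: first)?)?"
    r"(?P<quick> quick)?"
    r"(?: on (?P<iface>\S+))?"
    r"(?: dup-to (?P<dup>\S+))?"
    r" (?P<match>.*)$"
)


def join_wrapped(text):
    """Rejoin wrapped lines: a line not starting with pass/block continues
    the previous rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.split()[0] in ("pass", "block"):
            rules.append(line)
        elif rules:
            rules[-1] += " " + line
    return rules


def parse(rules):
    """Split each rule into the fields the ordering check needs."""
    parsed = []
    for no, text in enumerate(rules, 1):
        m = RULE_RE.match(text)
        if not m:
            raise ValueError("unparsed rule %d: %s" % (no, text))
        d = m.groupdict()
        parsed.append({
            "no": no, "text": text, "action": d["action"], "dir": d["dir"],
            "quick": d["quick"] is not None, "iface": d["iface"],
            "dup_to": d["dup"],
            # a rule whose only selector is "from any to any" matches every packet
            "catch_all": d["match"] == "from any to any",
        })
    return parsed


def dup_to_rules(parsed):
    """(rule number, action, interface, dup-to target) for every dup-to rule."""
    return [(p["no"], p["action"], p["iface"], p["dup_to"])
            for p in parsed if p["dup_to"]]


def shadowed_rules(parsed):
    """Map each quick catch-all rule to the later rules (same direction, same
    interface; every later rule if it names no interface) that plain rule
    matching can never reach. A catch-all that is itself shadowed is skipped."""
    result, shadowed = {}, set()
    by_dir = defaultdict(list)
    for p in parsed:
        by_dir[p["dir"]].append(p)
    for seq in by_dir.values():
        for idx, p in enumerate(seq):
            if p["no"] in shadowed or not (p["quick"] and p["catch_all"]):
                continue
            later = [q["no"] for q in seq[idx + 1:]
                     if p["iface"] is None or q["iface"] == p["iface"]]
            if later:
                result[p["no"]] = later
                shadowed.update(later)
    return result


if __name__ == "__main__":
    parsed = parse(join_wrapped(SAMPLE_LISTING))
    for no, action, iface, target in dup_to_rules(parsed):
        print("rule %2d: %s on %s dup-to %s" % (no, action, iface, target))
    for no, later in shadowed_rules(parsed).items():
        print("rule %2d is a quick catch-all; rules %s are unreachable by plain matching"
              % (no, later))
```

Run against the listing above, the checker flags the `block in quick on tun0 dup-to ... from any to any` rule as a quick catch-all that makes the following `pass in quick on tun0 dup-to ...` rule and every later `on tun0` rule unreachable by plain rule matching; whatever still gets through on tun0 must therefore be passed by the state table or by ipnat before the rule list is consulted, which is exactly the traffic the mail reports as not being duped.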