> >     Use the -x switch for LaBrea to disable IP address capturing
>
> I have looked into this switch, and studied what Simon suggested and
> believe
> I would go with this
>
> OPTIONS="-i eth0 -l -v -p 80000 -z -x -F /etc/LaBrea.bpf"
>
> -i make LaBrea tie itself to eth0 (just in case it thinks eth1 is default)
> -l logs to syslog
> -v Verbosely log activity to syslog
> (what's the difference to the previous two? I would think logging
> Verbosely would log everything including what the -l flag would log)
> -p limit bytes per second to 80000
> -z USEZFLAG defined (the default) (took me a bit to find this one)
> -x does not capture IP address - this is good!
> -F specify BPF file to read from
>
> So as I understand this, starting LaBrea from the terminal I would type
>
> LaBrea -i eth0 -l -v -p 80000 -z -x -F /etc/LaBrea.bpf

Looks about right to me...

NOTE:  With the -x switch, LaBrea should "play nice" with your network, and
if you mis-configure it, you'll likely only mess up your own network
connectivity.  The extensive warning/disclaimer on my previous post is
mainly intended to prevent folks who don't understand what's going on with
LaBrea from trying to play with it.  Like nmap, circular saws, and hydraulic
punch-presses, LaBrea falls into the category of tools you must use
responsibly...

> Seems to me there is another way of starting this or another package
> from an init script or something (going by the line above which reads
> OPTIONS="-i .... that looks like it comes out of a conf file)
> but I have not figured that much out yet with Linux! Maybe by editing
> etc/init.d/LaBrea ??

I have an init script in my LaBrea.lrp package...

> From what I can tell, (using Charles' example) my /etc/LaBrea.bpf would read
>
>     dst host 24.118.176.41
>      and tcp[2:2] & 0xfc00 == 0
>      and not dst port (22)
>
> I only use ssh (internally, not from outside the house so do I still need to
> specify line three here?) and no other forwarding services, unless weblet.lrp
> would be considered a service, again I only use weblet internally.  I do not
> access weblet or ssh from "outside" my home network.

Since you do *not* run any services on your external interface, you do not
need the destination port line.  LaBrea will not see traffic on any
interface other than the one you tell it to listen to.

> >1.  Write the first portion of your filter (up to the IP address) into a
> >file (i.e. /etc/LaBrea.tmp)  - contents for mine would be:
> >
> >tcp dst port 80 or 21 and dst host
>
> Let me state what I see as the differences between Charles' and Simon's ideas
> here, both agree on what the dst host should be which is the IP of eth0.
> Charles is including tcp ports <1024 which means he is including line 3
> in his example.
> Simon only wants to check ports 80 and 21, thus he would not need line 3 of
> Charles' example.
> Am I right or am I missing something here?

You are correct.

> >2.  Create a script (i.e. /etc/ipupdate) that writes the filter and checks
> >the IP of the external interface (eth0 on my box, change if needed).  The
> >script's contents should look like this:
> >
> >#!/bin/sh
> >#Creates /etc/LaBrea.bpf
> >cat /etc/LaBrea.tmp > /etc/LaBrea.bpf
> >ip addr show eth0 | grep "inet " | sed s/"    "// | cut -d' ' -f 2 | cut
> >-d'/' -f1 >> /etc/LaBrea.bpf
> >#Done
> >
> >(that should only be 2 lines - not 3 - the second line wrapped)

I'd probably do something like the following, but it looks like you've got
the right idea...

#!/bin/sh

IPADDR=`ip addr list label eth0 | grep inet | \
sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`

sed "s/<IPADDR>/$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf

Where /etc/LaBrea.in contained:
    dst host <IPADDR>
     and tcp[2:2] & 0xfc00 == 0
     and not dst port (ssh or ftp or www)

Of course, it'd be nice to automatically pull in the ports to leave open
from network.conf as well...this obvious extension is left for the reader :)

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
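The filter-generation step discussed above, written out as an added example (not code from the original thread). It produces the three-clause LaBrea filter from the first IPv4 address of an interface plus an optional list of ports to leave open; the `ip addr` parsing reads from stdin so it can be dry-run on constructed output, and the /etc/LaBrea.bpf path in the comment is assumed.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates a LaBrea BPF
# filter in the shape discussed above: the external IPv4 address of one
# interface plus the TCP ports (if any) that must stay reachable.
# The parsing works on `ip addr show <dev>` text read from stdin, so it can
# be exercised offline on constructed output.

# Constructed sample of `ip addr show eth0` output, used for a dry run.
SAMPLE_IP_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 24.118.176.41/24 brd 24.118.176.255 scope global eth0
    inet6 fe80::211:22ff:fe33:4455/64 scope link'

# extract_ipv4: print the first IPv4 address (without /prefix) found in
# `ip addr` output on stdin. "inet6" lines do not match because the
# pattern requires "inet" followed by a space.
extract_ipv4() {
    sed -n 's|^[[:space:]]*inet \([0-9.]\{1,\}\)[/ ].*$|\1|p' | sed '1!d'
}

# ports_expr: join a list of ports into a BPF alternative ("22 or 80").
ports_expr() {
    printf '%s\n' "$*" | sed 's/^ *//;s/ *$//;s/  */ or /g'
}

# build_filter ADDR [PORT...]: emit the filter. Without ports the third
# clause is omitted, matching the advice that a box with no externally
# reachable services does not need a "not dst port" line.
build_filter() {
    addr="$1"; shift
    printf 'dst host %s\n and tcp[2:2] & 0xfc00 == 0\n' "$addr"
    if [ "$#" -gt 0 ]; then
        printf ' and not dst port (%s)\n' "$(ports_expr "$@")"
    fi
}

# build_filter_for_dev DEV [PORT...]: live version, e.g. from an init
# script:  build_filter_for_dev eth0 22 >/etc/LaBrea.bpf   (path assumed)
build_filter_for_dev() {
    dev="$1"; shift
    addr=$(ip addr show "$dev" | extract_ipv4)
    [ -n "$addr" ] || { echo "no IPv4 address on $dev" >&2; return 1; }
    build_filter "$addr" "$@"
}

# Dry run against the constructed sample, leaving only ssh open.
demo_filter() {
    build_filter "$(printf '%s\n' "$SAMPLE_IP_ADDR" | extract_ipv4)" 22
}
```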



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
