Hey Steve, all your questions or comments are preceded by [sj], mine are not...

[sj] Seems to me there is another way of starting this or another package from an init script or something (going by the line above which reads OPTIONS="-i .... that looks like it comes out of a conf file) but I have not figured that much out yet with Linux! Maybe by editing etc/init.d/LaBrea ??

That's correct - my OPTIONS="..." line is directly pulled from /etc/init.d/LaBrea.

[sj] Question about this Charles, on your web site you give instructions on how to keep it running in promiscuous mode. But here you state to stop it from running in promiscuous mode.
[sj] What does running in promiscuous mode mean?

Running in promiscuous mode means that the NIC listens for packets destined to any MAC address. I have not disabled this, but I don't think that it matters with the -x switch (as it's only listening to its own IP, and is only grabbing packets destined for the external interface's MAC/IP). Of course I could be wrong.

[sj] dst host 24.118.176.41
[sj] and tcp[2:2] & 0xfc00 == 0
[sj] and not dst port (22)
[sj] I only use ssh (internally, not from outside the house so do I still need to specify line three here?) and no other forwarding services, unless weblet.lrp would be considered a service, again I only use weblet internally. I do not access weblet or ssh from "outside" my home network.

Nope you don't need the third line.

[sj] Let me state what I see the differences are between Charles' and Simon's ideas here, both agree on what the dst host should be which is the IP of eth0. Charles is including tcp ports <1024 which means he is including line 3 in his example. Simon only wants to check ports 80 and 21, thus he would not need line 3 of Charles' example. Am I right or am I missing something here?

No you aren't - while I'm not exactly sure what the 2nd line does in Charles' example (like I said not exactly much of a scripter), it does look like it's blocking way more ports than mine.
I just chose 80 and 21 as example ports (I'm blocking a few more choice ones, like common NetBus targets, etc).

[sj] Simon, if I were to create /etc/LaBrea.bpf using Charles' example of three lines instead of what you appear to be using as one line, would your script work? That is by first creating /etc/LaBrea.tmp which would read
[sj] dst host
[sj] and tcp[2:2] & 0xfc00 == 0
[sj] and not dst port (22)
[sj] The reason I ask this is because when writing Lisp code, if the code needs to read from or write to another file, I know you have to specify in the code which line of text/code you want to work with.

No as long as the code being called in the script is the same you should be fine, you're just going to have to change the order of Charles' filter to:

tcp[2:2] & 0xfc00 == 0
and not dst port (22)
and dst host

You'll need to do that because the IP has to go after the "and dst host " and my script just appends it to the end of the file. What the code is doing is catting the temp file to a filter, then grepping your ip and adding it to the end of the filter. If you want to be sure, you could always place the "and dst host " on its own line in the temp file - then upon generation of the filter you'd have "and dst host xxx.xxx.xxx.xxx" as a line all to itself. Either way, ensure you have a space after the word host! (that's important)

[sj] My question about this Simon, is when dhclient-exit-hooks runs and comes up to svi LaBrea start, it seems that the options are not included and LaBrea will run without any options, specifically the -x option at a bare minimum is needed. Maybe this has something to do about my question above concerning how to start LaBrea from a init script.

You're right it does have to do with the init script. svi Labrea start will call LaBrea with the options entered into the script in init.d. This makes starting daemons and processes much easier (who's gonna remember all the switches after a year of uptime??)

[sj] One last concern I am thinking about, is that maybe I should contact my ISP and let them know that I am considering to use LaBrea. Is this a good or bad idea?

I wouldn't do it. As long as your ISP is allowing you a constant connection, you _should_ be able to do whatever you want with it - as long as it doesn't negatively affect other users, which LaBrea won't. I have LaBrea log to a text file on another server, and generate a web page with stats on where packets are coming from and what port they are going to etc., you're not eating up a tonne of bandwidth if you have broadband, and if enough people were running LaBrea it would actually end up being in an ISP's best interest to have its users running it, as it will eventually make scanning too time consuming to be feasible.

Simon
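
The filter-building step described in the message above (cat the temp file, then append the current address after "dst host"), as an added shell example that is not Simon's script or part of the original message; the function names, file names and the 192.0.2.10 address are assumptions. It tolerates a missing or extra space after "host" and rejects anything that is not a dotted-quad address before it reaches the filter.

```shell
#!/bin/sh
# Added example (not Simon's script); function names and paths are hypothetical.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_filter TEMPLATE IP OUT: write TEMPLATE to OUT with IP appended to its
# last line, which must end in "dst host" (trailing blanks are tolerated).
build_filter() {
    template=$1; ip=$2; out=$3; tmp="$out.$$"
    valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    awk -v ip="$ip" '
        { sub(/[ \t\r]+$/, "") }      # strip trailing whitespace
        NF { line[++n] = $0 }         # keep non-empty lines only
        END {
            if (n == 0 || line[n] !~ /dst host$/) exit 2
            for (i = 1; i < n; i++) print line[i]
            print line[n] " " ip      # exactly one space before the address
        }' "$template" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"                  # replace the live filter in one step
}

# Demo on a constructed template; 192.0.2.10 is a documentation address.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'tcp[2:2] & 0xfc00 == 0' 'and not dst port (22)' \
        'and dst host' > "$dir/LaBrea.tmp"
    build_filter "$dir/LaBrea.tmp" 192.0.2.10 "$dir/LaBrea.bpf" &&
        cat "$dir/LaBrea.bpf"
    rc=$?; rm -rf "$dir"; return $rc
}
demo
```

In the filter, tcp[2:2] is the 16-bit TCP destination port, so "tcp[2:2] & 0xfc00 == 0" matches destination ports below 1024.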