On Wed, 1 Dec 2004 14:55:38 -0500, Matt Van Mater <[EMAIL PROTECTED]> wrote:
> I'd like to aggregate traffic coming in on several interfaces into one
> 'pool' of traffic and then send a copy of this traffic to multiple
> hosts. I don't know if this is currently possible, and was wondering
> if it is even remotely on the radar of the developers?

I do not believe OpenBSD can currently dup-to multiple destinations,
without some nasty kludge.

> I may be able to do this in an inelegant way, but I haven't tested to
> see if it works, or if PF just isn't yelling at me for being dumb:
>
> ext_if="fxp0"   # traffic feed 1
> int_if="xl0"    # traffic feed 2
> ids_if="xl1"    # port to feed traffic to for IDS / analysis
> ids_if2="xl2"   # port to feed traffic to for IDS / analysis
> ..
> pass in on $ext_if dup-to $ids_if
> pass in on $ext_if dup-to $ids_if2
> pass in on $int_if dup-to $ids_if
> pass in on $int_if dup-to $ids_if2
>
> If this is a viable option, it would be nice to have the syntax be like
> pass in on ($ext_if $int_if) dup-to ($ids_if $ids_if2)
> But that's just a wishlist item and doesn't really matter.

Technically it should be possible to extend the dup-to syntax to have
multiple destinations. I'd guess this would add significant overhead.

> Will this actually work as I described? pfctl takes these configs and
> happily loads them, but I wonder if there is a better way to do this.

I do not believe that this will work, as only the last matching rule (or
first matching rule that has 'quick') is used.

> I think I could combine a netoptics
> spyderswitch to aggregate the feeds and then a regeneration tap to
> spread it back out to multiple analysis boxes simultaneously, but that
> would cost many thousands of dollars.

I'd think that this could be accomplished with a single NetOptics product,
but it would still cost thousands of dollars. The big advantage to using
NetOptics is that the passive taps are entirely transparent to the
network (no single point of failure) and add effectively no latency.

Kevin
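An added pf.conf fragment, not from the thread, that puts the posted rules beside a version which makes pf's last-match evaluation explicit; the interface names are the ones Matt used, and the rules assume the pf(4) of that era with no multi-destination dup-to.

```conf
ext_if  = "fxp0"   # traffic feed 1
int_if  = "xl0"    # traffic feed 2
ids_if  = "xl1"    # IDS / analysis port 1
ids_if2 = "xl2"    # IDS / analysis port 2

# As posted. Both rules match every packet arriving on fxp0, and because
# pf keeps evaluating to the last matching rule, only the dup-to $ids_if2
# rule takes effect: copies reach xl2, never xl1. The first rule loads
# without complaint but is dead configuration, which is exactly why
# "pfctl loads it happily" proves nothing about what the ruleset does.
pass in on $ext_if dup-to $ids_if
pass in on $ext_if dup-to $ids_if2

# Explicit version. One dup-to destination per ruleset, applied to both
# feeds through an interface list, and marked quick so the rule that
# wins is the one written rather than the one that happens to come
# last. Fan-out to a second analysis box is not expressible here; that
# is where the tap or regeneration hardware in the thread comes in.
pass in quick on { $ext_if $int_if } dup-to $ids_if
```

Check the loaded ruleset with `pfctl -nf /etc/pf.conf` for syntax and `pfctl -sr` to see the expanded rules in the order pf evaluates them.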