toggling promiscuous mode logging on NICs
This is a patch allowing one to control kernel logging of promiscuous mode changes on network interfaces through sysctl (enabled by default): kern.log_promisc=1

I don't know if this mib should be placed somewhere else, nor if the feature itself could interest anyone... Patch attached anyway.

-- Julien Benoist

--- /usr/src.old/sys/net/if.c Sun Apr 28 07:40:25 2002 +++ /usr/src/sys/net/if.c Thu Aug 29 03:52:06 2002 -80,6 +80,10 static void if_slowtimo __P((void *)); static void link_rtrequest __P((int, struct rtentry *, struct rt_addrinfo *)); static int if_rtdel __P((struct radix_node *, void *)); +static int log_promisc = 1; + +SYSCTL_INT(_kern, OID_AUTO, log_promisc, CTLFLAG_RW, + log_promisc, 0 , toggle promiscuity mode); SYSINIT(interfaces, SI_SUB_PROTO_IF, SI_ORDER_FIRST, ifinit, NULL) -1245,14 +1249,18 if (ifp-if_pcount++ != 0) return (0); ifp-if_flags |= IFF_PROMISC; - log(LOG_INFO, %s%d: promiscuous mode enabled\n, - ifp-if_name, ifp-if_unit); + if (log_promisc==1) { + log(LOG_INFO, %s%d: promiscuous mode enabled\n, + ifp-if_name, ifp-if_unit); + } } else { if (--ifp-if_pcount 0) return (0); ifp-if_flags = ~IFF_PROMISC; - log(LOG_INFO, %s%d: promiscuous mode disabled\n, - ifp-if_name, ifp-if_unit); + if (log_promisc==1) { + log(LOG_INFO, %s%d: promiscuous mode disabled\n, + ifp-if_name, ifp-if_unit); + } } ifr.ifr_flags = ifp-if_flags; error = (*ifp-if_ioctl)(ifp, SIOCSIFFLAGS, (caddr_t)ifr);
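Review bot: In the first hunk the SYSCTL_INT() call passes `log_promisc, 0 , toggle promiscuity mode` as its variable argument; SYSCTL_INT takes the address of the int, so unless the `&` was lost when the mail was archived this should read `&log_promisc`. The description string also misstates what the knob does: it toggles the logging of promiscuous mode changes, not promiscuous mode itself, so something like `log promiscuous mode changes` would be clearer. On the placement question raised in the mail, a control that only affects net/if.c belongs under `net` rather than `kern`, and since it is CTLFLAG_RW it lets an administrator switch off the one kernel-side message that signals a capture tool being started on an interface; that consequence deserves a sentence in the commit message or the man page.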
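Review bot: The two `if (log_promisc==1)` tests in the second hunk should be `if (log_promisc)` or `if (log_promisc != 0)`: as written, setting the sysctl to any non-zero value other than 1 silently disables the logging, which is not how a boolean-style knob should behave, and style(9) wants spaces around `==`. The same test also wraps two near-identical log() calls in the two branches; testing once and choosing the "enabled"/"disabled" string would keep the SIOCSIFFLAGS path shorter.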
Re: toggling promiscuous mode logging on NICs
Julien Benoist wrote:
> This is a patch allowing one to control kernel logging of promiscuous mode changes on network interfaces through sysctl (enabled by default): kern.log_promisc=1
> I don't know if this mib should be placed somewhere else, nor if the feature itself could interest anyone... Patch attached anyway.

In a general sense, it's probably about time to add a class parameter or two (one a bitmap, the other a bitmap within that bitmap) to all of the kernel display data. That would let you block all messages of a class, without the need to introduce per-printf sysctl's.

This sort of goes with PHK's idea that the console code needs a rethink.

-- Terry

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-hackers in the body of the message
Re: Promiscuous mode
On Thu, Sep 07, 2000 at 12:33:20AM +0300, petro wrote:
> rl0: promiscuous mode enabled
> rl0: promiscuous mode disabled
> What does it mean and how can I set this?

This means the interface rl0 now listens to all traffic on the wire. Happens for example when you run dhcpd

W/
-- Wilko Bulte [EMAIL PROTECTED] Arnhem, the Netherlands
Promiscuous mode
rl0: promiscuous mode enabled
rl0: promiscuous mode disabled

What does it mean and how can I set this? Thank you very much.
RE: Promiscuous mode
It means something set your Ethernet interface "rl0" to promiscuous mode, which allows it to receive all Ethernet frames on the wire it's attached to instead of just its own. Common applications that do this are tcpdump, trafshow and ntop. If you've used one of these they will by default try and analyze -all- traffic they can get hold of, instead of just that destined for one of your machines.

It is logged because it is a potential security issue. If you have not used any tools like the above, you could have a password sniffer or something like that installed without your knowledge.

Jason Young
Access US(tm) Chief Network Engineer

-----Original Message-----
From: petro [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 06, 2000 4:33 PM
To: [EMAIL PROTECTED]
Subject: Promiscuous mode

rl0: promiscuous mode enabled
rl0: promiscuous mode disabled

What does it mean and how can I set this? Thank you very much.
Re: BPF and Promiscuous Mode
On Mon, 3 Jul 2000, Nick Rogness wrote:
> On Mon, 3 Jul 2000, Dan Nelson wrote:
> > In the last episode (Jul 03), Nick Evans said:
> > > How do I set an interface in promiscuous mode permanently? In Linux it's simply ifconfig interface PROMISC. Is there something similar in BSD? Is it some kind of sysctl command?
>
> Stupid Man's Answer:
>
> I would just run on bootup:
>
> /usr/sbin/tcpdump > /dev/null
>
> Probably not the answer you are looking for, but maybe it will help.

You'll notice a lot of DNS traffic from your machine if you do this. Include -n at least!

-- jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/ Tel +44(0)117 9287163 Fax +44 (0)117 9287112 RFC822 [EMAIL PROTECTED]
Bolstered by my success with vi, I proceeded to learn C with 'learn c'.
RE: BPF and Promiscuous Mode
Here is how to bridge different interfaces together selectively:

Controlling bridging

Bridging is almost exclusively controlled by sysctl variables.

net.link.ether.bridge_cfg: ed2:1,rl0:1, set of interfaces for which bridging is enabled, and cluster they belong to.
net.link.ether.bridge: 0 enable bridging.
net.link.ether.bridge_ipfw: 0 enable ipfw for bridging.

Thanks to Luigi Rizzo for that information extracted from his site at: http://www.iet.unipi.it/~luigi/ip_dummynet/

This net.link.ether.bridge_cfg is not in the man page and I have read nothing about it anywhere else, is there some resource that has every sysctl variable listed with its purpose?

thx
nick

-----Original Message-----
From: Nick Evans
Sent: Tuesday, July 04, 2000 12:18 AM
To: 'Dan Nelson'
Cc: '[EMAIL PROTECTED]'
Subject: RE: BPF and Promiscuous Mode

Exactly, I just tried it and it didn't work :(. Yes you are right on, NFR is a sniffer/ids, but it is based on the OpenBSD kernel and therefore does not support multiple processors. I just tried bridging and it does in fact bridge all interfaces together, but it still does not appear to be mirroring all traffic from one interface to another. Apparently there are issues with IPFilter and FreeBSD... I am going to try OpenBSD and IPFilter tonight. The IPFilter people know that bridging works on OpenBSD, and you can bridge specific interfaces.

-----Original Message-----
From: Dan Nelson [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 03, 2000 10:34 PM
To: Nick Evans
Subject: Re: BPF and Promiscuous Mode

Is there any reason you're not CC'ing the list? I added it back on my first reply on the assumption you simply forgot, but this email is missing it too. It's good to have exchanges like these in the mailing-list archives, to help other people that might have the same question later.
In the last episode (Jul 03), Nick Evans said:
> actually it's like this
>
>     router --- switch
>                  |
>                  | <- mirrored port
>              freebsdbox
>                  |
>                  |
>             vlan'd switch
>             |    |    |
>             |    |    |
>            nfr  nfr  nfr
>
> the nfr boxes do not have ip's so i just need the traffic duplicated (so routing is out of the question), but i wanted to use ipfilter to, get this, filter the traffic so not all the ids's see all the traffic. they simply cannot handle 600Mbits each... my plan is to put a gig interface, or two, into the BSD box and several dualport server adaptors and then segment that traffic down. bridging might work, but i do not know how to bind certain interfaces together in FreeBSD, OpenBSD, yes, but not Free...

Aahh. An nfr is a sniffer. I assumed that you were load-balancing web servers or something, which was confusing me a bit since you don't want to use mirroring for this. For your purposes, mirroring is perfect.

I think enabling bridging, and then using ipfilter or ipfw to only allow (say) 1/3 of the Net addresses to each server (assuming you have 3 nfr's), would do what you want. I wonder if NFR will take advantage of multiple CPUs in a single box. That way you don't have to worry about any of this.

In the last episode (Jul 03), Nick Evans said:
> actually a better question would have been, do you know if you can bridge multiple interfaces to one other interface like 4 100mbit nics to one gigabit nic?

I assume so. The bridge manpage mentions the inability to selectively bridge certain interfaces, so the default must be to bridge all ethernet interfaces. You can probably add some filtering rules to make sure you don't re-transmit packets out of your gigabit NICs.

-- Dan Nelson [EMAIL PROTECTED]
BPF and Promiscuous Mode
How do I set an interface in promiscuous mode permanently? In Linux it's simply ifconfig interface PROMISC. Is there something similar in BSD? Is it some kind of sysctl command?

thx.

-- nick.evans network.engineering NextVenue, Inc. phone: (212) 909.2988 pager: (888) 642.5541
Re: BPF and Promiscuous Mode
In the last episode (Jul 03), Nick Evans said:
> How do I set an interface in promiscuous mode permanently? In Linux it's simply ifconfig interface PROMISC. Is there something similar in BSD? Is it some kind of sysctl command?

The only code that fiddles with the promisc bit is bridging and bpf, so the only way to do it now is to start up packet filtering. Why do you need to turn it on?

-- Dan Nelson [EMAIL PROTECTED]
Re: BPF and Promiscuous Mode
In the last episode (Jul 03), Nick Evans said:
> I'm trying to use IPFilter's copying functions to make a load balancer, I have traffic being mirrored from a router to one interface on the BSD box, and for some reason the only time netstat reports any traffic on that interface is when tcpdump or some other program that utilizes BPF is running. I have a feeling that this is why I cannot get the packet copying functionality of IPFilter to work. I guess there is no similar way as in Linux (ifconfig int PROMISC) to turn BPF on permanently?

So you have:

         [ router ]
             |
             |
         [ BSD box ]
           |     |
           |     |
       [ web ]  [ web ]
       [server] [server]

?

You'll probably want either routing or bridging enabled on the BSD box, to handle any DNS lookups or other activity the web servers will be doing, and with either of those enabled, ipfilter should be able to process the packets. I've never used ipfilter myself, though, so I can't say whether this will definitely work or not.

-- Dan Nelson [EMAIL PROTECTED]
Re: BPF and Promiscuous Mode
On Mon, 3 Jul 2000, Dan Nelson wrote:
> In the last episode (Jul 03), Nick Evans said:
> > How do I set an interface in promiscuous mode permanently? In Linux it's simply ifconfig interface PROMISC. Is there something similar in BSD? Is it some kind of sysctl command?

Stupid Man's Answer:

I would just run on bootup:

/usr/sbin/tcpdump > /dev/null

Probably not the answer you are looking for, but maybe it will help.

Nick Rogness
- Speak softly and carry a Gigabit switch.
RE: BPF and Promiscuous Mode
Exactly, I just tried it and it didn't work :(. Yes you are right on, NFR is a sniffer/ids, but it is based on the OpenBSD kernel and therefore does not support multiple processors. I just tried bridging and it does in fact bridge all interfaces together, but it still does not appear to be mirroring all traffic from one interface to another. Apparently there are issues with IPFilter and FreeBSD... I am going to try OpenBSD and IPFilter tonight. The IPFilter people know that bridging works on OpenBSD, and you can bridge specific interfaces.

-----Original Message-----
From: Dan Nelson [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 03, 2000 10:34 PM
To: Nick Evans
Subject: Re: BPF and Promiscuous Mode

Is there any reason you're not CC'ing the list? I added it back on my first reply on the assumption you simply forgot, but this email is missing it too. It's good to have exchanges like these in the mailing-list archives, to help other people that might have the same question later.

In the last episode (Jul 03), Nick Evans said:
> actually it's like this
>
>     router --- switch
>                  |
>                  | <- mirrored port
>              freebsdbox
>                  |
>                  |
>             vlan'd switch
>             |    |    |
>             |    |    |
>            nfr  nfr  nfr
>
> the nfr boxes do not have ip's so i just need the traffic duplicated (so routing is out of the question), but i wanted to use ipfilter to, get this, filter the traffic so not all the ids's see all the traffic. they simply cannot handle 600Mbits each... my plan is to put a gig interface, or two, into the BSD box and several dualport server adaptors and then segment that traffic down. bridging might work, but i do not know how to bind certain interfaces together in FreeBSD, OpenBSD, yes, but not Free...

Aahh. An nfr is a sniffer. I assumed that you were load-balancing web servers or something, which was confusing me a bit since you don't want to use mirroring for this. For your purposes, mirroring is perfect.

I think enabling bridging, and then using ipfilter or ipfw to only allow (say) 1/3 of the Net addresses to each server (assuming you have 3 nfr's), would do what you want. I wonder if NFR will take advantage of multiple CPUs in a single box. That way you don't have to worry about any of this.

In the last episode (Jul 03), Nick Evans said:
> actually a better question would have been, do you know if you can bridge multiple interfaces to one other interface like 4 100mbit nics to one gigabit nic?

I assume so. The bridge manpage mentions the inability to selectively bridge certain interfaces, so the default must be to bridge all ethernet interfaces. You can probably add some filtering rules to make sure you don't re-transmit packets out of your gigabit NICs.

-- Dan Nelson [EMAIL PROTECTED]
Re: Logging promiscuous mode disabled
On Sat, 22 May 1999 17:24:32 +0200, Jeroen Ruigrok/Asmodai wrote:
> Would make intrusion detection easier, etc etc =)

Hi Jeroen,

I don't know about that. I'd hate for anyone to think that this improves security. I see it as a convenience option, and wanted feedback on any negative side-effects that folks more familiar with the code might spot.

Ciao,
Sheldon.
Logging promiscuous mode disabled
Hi folks,

Are there issues that make the following apparently innocuous change to the handling of turning off promiscuous mode a bad idea? It doesn't seem to me like it'd break anything, and I'd like to know for sure when it's turned off -- it'd mean I don't have to count up the number of promiscuous mode enabled messages and make sure that that number matches the number of applications I've run and subsequently terminated.

Thanks,
Sheldon.

Index: if.c === RCS file: /home/ncvs/src/sys/net/if.c,v retrieving revision 1.70 diff -u -d -r1.70 if.c --- if.c1999/04/28 11:37:32 1.70 +++ if.c1999/05/22 14:18:45 @@ -828,6 +828,8 @@ if (--ifp-if_pcount 0) return (0); ifp-if_flags = ~IFF_PROMISC; + log(LOG_INFO, %s%d: promiscuous mode disabled\n, + ifp-if_name, ifp-if_unit); } ifr.ifr_flags = ifp-if_flags; error = (*ifp-if_ioctl)(ifp, SIOCSIFFLAGS, (caddr_t)ifr);
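Review bot: The new log() call is placed after the `if (--ifp->if_pcount > 0) return (0);` early return, so it fires only when the last consumer of promiscuous mode on that interface goes away, not once per application; that is the right place for it, but the commit message should say so, since the mail's own motivation (matching messages against applications run) suggests a per-application count that the reference-counted code never produced. The message is also emitted before `(*ifp->if_ioctl)(ifp, SIOCSIFFLAGS, ...)` is called, so it records the intent rather than the driver's result; that is consistent with the existing "enabled" message, but a short comment noting it would save the next reader from wondering whether a failed ioctl leaves a misleading "disabled" line in the log.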
RE: Logging promiscuous mode disabled
On 22-May-99 Sheldon Hearn wrote:
> It doesn't seem to me like it'd break anything, and I'd like to know for sure when it's turned off -- it'd mean I don't have to count up the number of promiscuous mode enabled messages and make sure that that number matches the number of applications I've run and subsequently terminated.

Sounds like a good idea to me Sheldon... Would make intrusion detection easier, etc etc =)

---
Jeroen Ruigrok van der Werven   asmodai(at)wxs.nl
The FreeBSD Programmer's Documentation Project
Network/Security Specialist   http://home.wxs.nl/~asmodai
*BSD: Accept no limitations...
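As an added example (not code from any post in this thread), here is the bookkeeping Sheldon describes wanting and Jason's reason for the message in the first place: a small Python parser that replays the kernel's `<if>: promiscuous mode enabled/disabled` lines from syslog, tracks which interfaces are still promiscuous, and flags any that none of your sanctioned capture tools account for. The log excerpt and the interface allow-list are constructed sample data.

```python
import re

# Kernel message format from the thread, with a typical syslog prefix in front.
PROMISC_RE = re.compile(
    r"(?P<ifname>[a-z]+\d+): promiscuous mode (?P<state>enabled|disabled)\b")

# Constructed sample syslog excerpt (not real data). The kernel logs "enabled"
# only when if_pcount goes 0 -> 1 and "disabled" only when it drops back to 0,
# so the last message per interface reflects that interface's actual state.
SAMPLE_LOG = """\
Sep  6 16:33:01 host /kernel: rl0: promiscuous mode enabled
Sep  6 16:35:10 host /kernel: rl0: promiscuous mode disabled
Sep  6 23:12:44 host /kernel: rl0: promiscuous mode enabled
Sep  6 23:12:44 host /kernel: ed2: promiscuous mode enabled
Sep  7 00:01:00 host /kernel: ed2: promiscuous mode disabled
Sep  7 00:02:00 host sshd[123]: Accepted publickey for ops from 10.0.0.5
""".splitlines()


def promisc_state(lines):
    """Replay promiscuous-mode transitions in log order.

    Returns (still_promisc, events): the set of interfaces whose last
    transition was 'enabled', and every transition as (ifname, state).
    """
    still_promisc = set()
    events = []
    for line in lines:
        m = PROMISC_RE.search(line)
        if m is None:
            continue  # unrelated syslog line
        ifname, state = m.group("ifname"), m.group("state")
        events.append((ifname, state))
        if state == "enabled":
            still_promisc.add(ifname)
        else:
            still_promisc.discard(ifname)
    return still_promisc, events


def unexplained(lines, sanctioned_ifaces):
    """Interfaces left promiscuous that no sanctioned capture tool
    (tcpdump, ntop, a bridge, dhcpd, ...) is expected to be using."""
    still_promisc, _ = promisc_state(lines)
    return sorted(still_promisc - set(sanctioned_ifaces))


if __name__ == "__main__":
    state, events = promisc_state(SAMPLE_LOG)
    print("transitions:", events)
    print("still promiscuous:", sorted(state))
    # Only ed2 is expected to be sniffed here, so rl0 gets reported.
    print("unexplained:", unexplained(SAMPLE_LOG, ["ed2"]))
```

On a kernel without the "disabled" message the replay cannot tell a finished capture from a live one, which is exactly the gap the patch in this thread closes.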