On 8/17/05, Sebastian Lemke <s dot lemke at infoworxx dot de> wrote:
> > > > Is there a possibility to set up a span port in m0n0wall?
> > > >
> > > No, that's the job of a switch.
> >
> > Any chance to add this directly to m0n0?
>
> I am using m0n0 on the WAN side with PPPoE,
> internally with 7 network cards, each with its own IP range
> and with NAT access to the WAN.
>
> So - if I want to install an IDS, do I have to install 7 IDS?

7 sensor interfaces, not 7 IDS systems. Or an aggregator with a single
sensor interface. Net Optics (http://netoptics.com) has a bunch of nice
network taps and tap aggregators.

> One for each network card? Or can I inspect the PPPoE
> packets (I believe not?)?
>
Any IDS worth anything should be able to decode PPPoE.

> It would be useful to install card 8 on which the traffic is inspected.
>
> Would this technically be possible on the used FreeBSD system?
>
I believe you can use pf on 6.0 to "mirror" traffic to another interface
under certain circumstances. I wouldn't consider that sufficient for a
production environment just yet though.

-Chris
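The pf mirroring Chris refers to is the dup-to option. The following pf.conf fragment is an added example, not part of the thread or of m0n0wall, showing how traffic on seven internal interfaces could be copied to an eighth, sensor-only interface; the interface names and the sensor address are assumptions.

```pf
# Added example (not from the thread): copy packets crossing the seven
# internal interfaces to a dedicated eighth interface with pf's dup-to.
# Interface names and the sensor address below are assumptions.
int_ifs   = "{ fxp1, fxp2, fxp3, fxp4, fxp5, fxp6, fxp7 }"
sensor_if = "fxp8"       # dedicated NIC; needs no address on the firewall
sensor_ip = "192.0.2.2"  # next hop for the copies; the IDS host answers
                         # ARP for it on fxp8 and sniffs that NIC

# dup-to duplicates every packet matched by the rule and sends the copy
# out $sensor_if toward $sensor_ip; the original keeps its normal path.
# Only the rule that finally matches applies its dup-to (pf is last-match
# unless "quick"), and packets matched by an existing state use the rule
# that created that state, so these must be the rules that actually pass
# the internal traffic. Both directions are listed so the sensor sees
# replies as well as requests.
pass in  on $int_ifs dup-to ($sensor_if $sensor_ip) all keep state
pass out on $int_ifs dup-to ($sensor_if $sensor_ip) all keep state

# Syntax check without loading the ruleset:  pfctl -nf /etc/pf.conf
```

Traffic handled by other rules (for example the NAT rules toward the PPPoE WAN interface) is not copied unless those rules also carry dup-to, which is one of the "certain circumstances" Chris mentions.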