 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0wall / span port
 Date:  Wed, 17 Aug 2005 11:48:27 -0400
On 8/17/05, Sebastian Lemke <s dot lemke at infoworxx dot de> wrote:
> > > Is there a possibility to set up a span port in m0n0 wall ?
> > >
> >
> > No, that's the job of a switch.
> Any chance to add this directly to m0n0 ?
> I am using m0n0 on the WAN side with PPPoE,
> internal with 7 network cards, each with its own IP range
> and with NAT access to the WAN.
> So - if I want to install an IDS I have to install 7 IDS ?

7 sensor interfaces, not 7 IDS systems.  Or an aggregator with a
single sensor interface.  Net Optics (http://netoptics.com) has a
bunch of nice network taps and tap aggregators.

> One for each network card ? Or can I inspect the PPPoE
> packets (I believe not ?) ?

Any IDS worth anything should be able to decode PPPoE. 

> It would be useful to install card 8 on which the traffic is inspected.
> Would this technically be possible on the used FreeBSD system ?

I believe you can use pf on 6.0 to "mirror" traffic to another
interface under certain circumstances.  I wouldn't consider that
sufficient for a production environment just yet though.
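The pf mirroring mentioned above is the `dup-to` option of pf.conf, which copies a packet to another interface while the original is routed normally. The fragment below is an added example, not configuration from the thread or from m0n0wall; the interface names, the sensor address and the use of three internal interfaces are assumptions.

```conf
# Added example (not from the thread): pf.conf fragment that copies traffic
# from several internal interfaces to one sensor interface with dup-to.
# Interface names, sensor address and interface count are assumptions.
int_ifs   = "{ sis1 sis2 sis3 }"   # internal LAN interfaces (assumed names)
sensor_if = "sis8"                 # dedicated interface toward the IDS sensor
sensor_ip = "10.99.0.2"            # next hop used to resolve the sensor's MAC

# Every packet entering an internal interface is duplicated onto the sensor
# interface; the original packet still follows the normal routing table.
pass in  on $int_ifs dup-to ($sensor_if $sensor_ip) all

# Mirror the return direction as well, so the IDS sees both halves of a flow.
pass out on $int_ifs dup-to ($sensor_if $sensor_ip) all

# The sensor address only serves link-layer resolution on $sensor_if; a purely
# passive sensor with no IP needs a static ARP entry for $sensor_ip instead.
```

Because the copies are made per rule, traffic that matches an earlier, more specific `quick` rule without `dup-to` is not mirrored, which is one reason the reply above does not consider this a substitute for a switch span port or a tap.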