>>> Is there a possibility to set up a span port in m0n0 wall ?
>> No, that's the job of a switch.
> Any chance to add this directly to m0n0 ?
By "that's the job of a switch", Chris meant that, literally, span
ports are part of a switch. They are a special switch port that
reflects all (requested) traffic from the other switch ports.
> I am using m0n0 on the WAN side with PPPoE,
> internal with 7 network cards, each with an own ip range
> and with NAT access to WAN.
> So - if I want to install an IDS I have to install 7 IDS ?
> One for each network card ? Or can I inspect the PPPoE
> packets (I believe not ?) ?
> It would be useful to install card 8 on which the traffic is
> Would this technically be possible on the used FreeBSD system ?
As has been pointed out, the job of a firewall is to be a firewall.
Add IDS functionality and things begin to get a bit out of hand.
With m0n0wall, one of the easiest ways to allow IDS functionality is
to set up a log host and monitor the log files coming from m0n0wall.
Minimal disruption to the firewall itself and the (sometimes
difficult) task of scanning the logs and making decisions is
offloaded to another CPU. I set up a log host that also runs MRTG to
track historical traffic flows through m0n0wall.
Let's all stop and reflect for a moment on the fact that m0n0wall is
a *firewall*, not a virus scanning, spam canning, IDS running,
network monitoring, mail routing type firewall, but *just* a
firewall. One of the design goals is to make it as simple as
possible, yet as feature rich as possible, while still keeping it
*just* a firewall. One of the reasons I chose m0n0wall was this
philosophy. As soon as you start trying to add new and exciting
features that are outside the core competency, you begin to lose many
advantages--most notably footprint and ease of maintenance.
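The log-host approach described above (let the firewall stay a firewall, ship its logs elsewhere, and do the scanning and decision-making on another machine) can be illustrated with a small detector. The following is an added example, not code from the thread or from the m0n0wall project. It assumes the firewall's block/pass lines arrive on the log host via syslog in an ipmon-style layout; the exact field order is an assumption and the sample lines are constructed for this example, so the regular expression would need adjusting to the real lines a given m0n0wall version emits. It flags any source whose blocked attempts hit several distinct destination ports within a short window, which is the kind of judgement a firewall alone does not make.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input (not real traffic): seven syslog lines in an
# ipmon-style layout written for this example. The real field order of the
# lines a given m0n0wall build forwards to a log host is an assumption, so
# adjust LINE_RE to match yours.
SAMPLE_LOG = """\
Mar  3 10:15:01 m0n0wall ipmon[123]: 10:15:01.100001 sis0 @0:3 b 203.0.113.7,41000 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
Mar  3 10:15:02 m0n0wall ipmon[123]: 10:15:02.200001 sis0 @0:3 b 203.0.113.7,41001 -> 192.0.2.10,23 PR tcp len 20 60 -S IN
Mar  3 10:15:03 m0n0wall ipmon[123]: 10:15:03.300001 sis0 @0:3 b 203.0.113.7,41002 -> 192.0.2.10,80 PR tcp len 20 60 -S IN
Mar  3 10:15:04 m0n0wall ipmon[123]: 10:15:04.400001 sis0 @0:3 b 203.0.113.7,41003 -> 192.0.2.10,443 PR tcp len 20 60 -S IN
Mar  3 10:15:05 m0n0wall ipmon[123]: 10:15:05.500001 sis0 @0:3 b 203.0.113.7,41004 -> 192.0.2.10,3389 PR tcp len 20 60 -S IN
Mar  3 10:15:06 m0n0wall ipmon[123]: 10:15:06.600001 sis0 @0:3 b 198.51.100.4,5000 -> 192.0.2.10,25 PR tcp len 20 60 -S IN
Mar  3 10:15:07 m0n0wall ipmon[123]: 10:15:07.700001 sis1 @0:1 p 192.168.1.5,51000 -> 192.0.2.10,80 PR tcp len 20 60 -S IN
"""

# Assumed line layout: "<syslog ts> <host> ipmon[pid]: <ts> <iface> @rule b|p src,sport -> dst,dport PR proto ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ ipmon\[\d+\]: \S+ "
    r"(?P<iface>\S+) @\S+ (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
)


def parse_line(line):
    """Return a dict of fields for one firewall log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # because only differences between timestamps are used below.
    rec["time"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(log_text, threshold=5, window_seconds=60):
    """Flag sources whose *blocked* attempts reach >= threshold distinct
    destination ports within window_seconds.

    Returns {source_ip: sorted list of destination ports} for flagged sources.
    Passed ('p') lines are ignored: allowed traffic is not evidence of a scan.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "b":
            continue
        events[rec["src"]].append((rec["time"], rec["dport"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        # Sliding window anchored at each event; stop at the first window
        # that crosses the threshold.
        for i, (start, _) in enumerate(evs):
            ports = set()
            for t, port in evs[i:]:
                if (t - start).total_seconds() > window_seconds:
                    break
                ports.add(port)
            if len(ports) >= threshold:
                flagged[src] = sorted(ports)
                break
    return flagged


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: blocked on ports {ports}")
```

On a real log host this would read the syslog file (or listen on the syslog port) instead of the embedded sample; the threshold and window are the tuning knobs, and the firewall itself is untouched, which is the whole point of the approach.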