I agree that if you want to monitor traffic, put a box in front of your
firewall. As a rule, I would never run anything more than a firewall on my
firewall. Just think if someone hacks your box with ethereal... they could
simply grab your cleartext passwords... not good.
--------- Original Message --------
From: Jim Gifford <jim at giffords dot net>
To: m0n0wall at lists dot m0n0 dot ch <m0n0wall at lists dot m0n0 dot ch>
Subject: Re: [m0n0wall] some problems with m0n0wall; turn ping on, realtime
Date: 16/04/04 12:56
> On Fri, Apr 16, 2004 at 01:18:02AM -0400, Stefan wrote:
> > HI:
> > So I have replaced my carefully configured Linux Router of 5+ years
> > m0n0wall, mostly just to get the traffic shaping. And that has
> > very well.
> > However, a few things I cannot figure out how to replicate on
> > that I had on Linux-NAT.
> > 1st: Ping. You cannot ping my external IP from the real world. How
> > turn this on? Other than liking to see what my ping/latency times
> > from remote hosts, I also use broadbandreports.com line-monitor
> > and it uses ping to give me results. I either need to turn it on on
> > or need to figure out how to NAT it to an internal host.
> I think adding a firewall rule to permit icmp on the WAN interface will
> accomplish this.
> > 2nd: ethereal. I loved having ethereal to watch traffic on my
> > Especially now, I need to figure out what IP and ports my VoIP box is
> > using, to try to set up high-priority queueing for those IP-ports.
> > can I watch the traffic flowing across my router in realtime? ( I
> > think SNMP will work for this.. )
> By using something like this:
> http://www.snort.org/docs/tap/ you can monitor traffic on any link in
> both directions (it sits between two devices so you can monitor all the
> traffic between those 2 devices without anything seeing the monitoring
> host). You could then use ethereal on a box inside your network to look
> at that traffic.
> > Also, any plans in the works to make the read-write aspect of
> > write to something a bit faster and less shaky than a 1.44 fdd? I
> > love to see the addition of a USB flash-thumb drive as a read/write
> > device.
> Sounds like you should consider switching to the generic-pc version
> running from IDE disk or compact flash card via IDE-CF interface.
> > I think the short answer here might be just to set up a full-on Open
> > box. I am definitely pushing the boundaries of what the designer had
> > mind for a simple SOHO-router replacement.
> That is certainly an option. I'm the last person to discourage someone
> from manually building their own firewall exactly as they want it.
> However, if you do indeed like m0n0wall and prefer to use it, then there
> are workarounds for the things you've mentioned that aren't that painful
> to create. Certainly *I* would keep using m0n0wall rather than risk
> overlooking something in a roll-my-own environment. Also, I've rolled
> my own firewall too many times in the past to really want to do it again.
> > Thanks,
> > -- ChEx in Boston
> Hope this helps,
> jim gifford
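An added example, not code from the thread: a small Python flow tallier of the kind you would run on the inside monitoring box over frames copied off the tap, to list the UDP flows a VoIP box is using before writing queue rules. The frames and the addresses (the VoIP box at 192.168.1.50) are constructed here.

```python
import struct
from collections import Counter

def build_frame(src, dst, sport, dport, payload=b"\x00" * 20):
    """Build a minimal Ethernet II + IPv4 + UDP frame (checksums left zero).
    Only used to construct sample input; a real capture would come from the tap."""
    eth = b"\x00" * 12 + b"\x08\x00"              # dst MAC, src MAC, EtherType IPv4
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,   # ver/ihl, tos, len, id, frag, ttl, proto=UDP, csum
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return eth + ip + udp

def parse_udp_flow(frame):
    """Return (src, dst, sport, dport) for an IPv4/UDP frame, else None."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None                                # too short or not IPv4
    ihl = (frame[14] & 0x0F) * 4                   # IP header length in bytes
    if frame[14] >> 4 != 4 or frame[14 + 9] != 17:
        return None                                # not IPv4 or not UDP
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    off = 14 + ihl                                 # start of UDP header
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    return (src, dst, sport, dport)

def tally_flows(frames, host):
    """Count UDP flows that involve `host`, so queue rules can target exactly those."""
    flows = Counter()
    for f in frames:
        t = parse_udp_flow(f)
        if t and host in (t[0], t[1]):
            flows[t] += 1
    return flows

if __name__ == "__main__":
    # Constructed sample: SIP signalling, an RTP stream both ways, and unrelated DNS.
    sample = [build_frame("192.168.1.50", "203.0.113.10", 5060, 5060),
              build_frame("192.168.1.50", "203.0.113.20", 16384, 20000),
              build_frame("203.0.113.20", "192.168.1.50", 20000, 16384),
              build_frame("192.168.1.7", "198.51.100.1", 40000, 53)]
    for flow, n in tally_flows(sample, "192.168.1.50").items():
        print(f"{flow[0]}:{flow[2]} -> {flow[1]}:{flow[3]}  packets={n}")
```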