[Snort-users] Dual ethernet cards under Linux - could be of use to others

Jason Haar Jason.Haar at ...294...
Thu Nov 2 15:45:39 EST 2000


[Bit OT but I don't care ;-)]

More of a comment than anything, but I decided to put a second Ethernet card
(eth1) in my RedHat 6.2 workstation so I could monitor two segments of our
network with snort. One of the new things I wanted to try was to use
ipchains to stop anyone else being able to even see eth1. So I set ipchains
to disabled all SENT packets, but to allow incoming so snort would still see
them.

First surprise. Hosts sending out ARPs for my eth0 IP address were seeing
ARP replies from eth1 (looks like it was round-robining - some saw eth0 and
some saw eth1 MAC address)! I have IP forwarding disabled of course, but it
appears to make no difference. Looks to me that under Linux "ip forwarding"
means routing - interfaces on the same host don't count as routing...

Secondly, as these packets are ARPs, they're not IP - so ipchains didn't
stop them. Should have thought of that... (is there a way of stopping non-IP
packets?)

Thirdly, machines pinging the IP address of eth1 still worked! They'd see
eth1 as the MAC address, send the packets to that, and it would forward them
through eth0 as that was the default route for the local network! Again,
unexpected result.

So I decided to use ipchains to stop incoming packets on eth1 too. Next
strange result, snort could still see all packets on eth1! Looks like
promiscuous mode beats ipchains! This did stop anyone being able to send IP
packets to the IP address of eth1 thankfully.

All in all a pretty weird event - learnt some things I didn't expect.

So, I'll ask again. Does anyone know of a non-IP packet filter for Linux so
I can stop those ARP packets? How about a fix for eth1 merrily talking to
eth0? Is that a bug or a feature?

[I was surprised how "resilient" those packets were. They always found a way
through ;-)]

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417



More information about the Snort-users mailing list