[Snort-users] firewalling snort machine

Saad Kadhi bsdguy at ...4401...
Thu Feb 21 12:09:36 EST 2002


[PLEASE FIX YOUR MAILER TO WRAP COLUMNS PROPERLY]
[PLEASE DROP THE HTML MAIL]

On Thu, 2002-02-21 at 18:01, Basil Saragoza wrote:
> I run demarc so I would like to be able to have public ip to be able to check alerts from home using https.
> I was thinking about using ipchains on snort machine to block everything incoming besides https....
this is definitely a bad idea. I'll go sean's route. two nics. one
public with no address loaded & in promisc mode for snort. one private.
you could setup sth like a vpn/https to the private address but I won't
unless really really necessary + the private is hooked to some sort of
tightly watched dmz. imho, ipchains is really a bad firewall. look for a
stateful one (netfilter/iptables on linux or pf on openbsd or ...etc) &
allow only a limited set of addresses to access it on https. As I would
do it, I'll bind apache to the localhost port. Then I'll ssh into the
box & create a ssh tunnel from my client machine to the port apache is
listening on on the localhost of the server machine. That way, I have
everything encrypted + I don't have to fiddle w/ ssl or give ppl ways to
hack into my box thru ssl. 


>   ----- Original Message ----- 
>   From: Sean T. Ballard 
>   To: Basil Saragoza ; snort-users at lists.sourceforge.net 
>   Sent: Thursday, February 21, 2002 11:36 AM
>   Subject: RE: [Snort-users] firewalling snort machine
> 
> 
>   Here how I do it. Have 2 nics in it, one public one private. Unbind tcpip off the public interface and just have the card in promisc mode. Then on your private interface setup and IP so you can check the logs. This way no internet traffic can connect to the IDS but it still logs everything. (Make sure if your plugging the IDS into a switch that the ports are mirrored to the port the IDS's public interface is in)
>    
>   -Sean
>     -----Original Message-----
>     From: Basil Saragoza [mailto:snortlst at ...125...]
>     Sent: Thursday, February 21, 2002 10:56 AM
>     To: snort-users at lists.sourceforge.net
>     Subject: [Snort-users] firewalling snort machine
> 
> 
>     I have a snort machine exposed to the internet (connected to our internet switch, it monitors traffic coing to the firewall public nic).
>     Is it safe to install firewall on snort machine and disable ALL incoming traffic to snort machin from the internet? Will it affect snort functionality?
>     (My guess would be it won't cause snort sniffs packets fro the switch and it is not dependent on internet connectivity, but I just want to make sure that mu guess is correct)
>     thx.
-- 
/Saad --  [bsdguy at ...4401...] 
[pgp keyid: 35592A6D http://pgp.mit.edu]
# booth slave for hire





More information about the Snort-users mailing list