My goal is to run Snort 2.9.0.4 in IPS mode on a FreeBSD 8.1 bridge. I've researched this as thoroughly as I know how, and have tried whatever potential solutions I have found in this and other forums and mailing list archives. But I still have no success.
I have compiled ipfw, divert and bridge into the kernel. The adapters are in promiscuous mode. Traffic flows across the bridge as long as divert is not in the picture. When I add a divert rule to ipfw, traffic is stopped. However, if I put an IP address on one of the interfaces, and connect directly to that address, traffic is diverted to Snort and then re-injected at the next ipfw rule, as evidenced by the facts that I can connect to the box via SSH, and that the Snort log is populated. (My understanding of how to do more basic testing is limited.)
It seems to me that this boils down to a couple of questions:
1) Does divert work with bridging in FreeBSD 8.1 or some earlier version? I find no definitive answer. FreeBSD documentation (which seems outdated) says no, but some forum posts indicate that it is possible, e.g., http://lists.freebsd.org/pipermail/freebsd-net/2008-March/017220.html. If it is possible, I wonder if someone would be so kind as to share in detail how it can be made to work, and in which version of FreeBSD.
2) Have I missed something in my implementation of Snort 2.9.0.4? This is probably a question for the Snort forums, but any insight shared here would be helpful. The only Snort-related information that's related directly to FreeBSD is that I compiled it from the FreeBSD ports collection with default config options.
The options that I added to my kernel are:
Code:
device if_bridge                        # if_bridge(4): the em0/em1 bridge
options IPFIREWALL                      # ipfw packet filter
options IPFIREWALL_VERBOSE              # allow "log" rules to write to syslog
options IPFIREWALL_VERBOSE_LIMIT=50     # cap logged packets per rule
options IPFIREWALL_DEFAULT_TO_ACCEPT    # default rule 65535 accepts instead of denies
options IPDIVERT                        # divert sockets, used by Snort's ipfw DAQ
Although the presence or absence of the following makes no difference that's apparent to me, I added the following to /etc/sysctl.conf:
Code:
# pass layer-2 (ethernet) frames through ipfw
net.link.ether.ipfw=1
# do not run ipfw on the bridge interface itself
net.link.bridge.ipfw=0
# no pfil hooks (ipfw) on bridge0
net.link.bridge.pfil_bridge=0
# run pfil hooks (ipfw) on the member interfaces em0 and em1
net.link.bridge.pfil_member=1
My ipfw rules script contains:
Code:
ipfw -q -f flush                                    # start from an empty ruleset
ipfw -q add 00100 allow ip from any to any via lo0
ipfw -q add 00200 deny ip from any to 127.0.0.0/8
ipfw -q add 00300 deny ip from 127.0.0.0/8 to any
ipfw -q add 00400 divert 8000 ip from any to any    # hand every packet to Snort on divert port 8000
ipfw -q add 00500 allow ip from any to any          # packets re-injected by Snort resume here
With no traffic flow tags in the divert rule, no traffic makes it across the bridge. When I add "out via bridge0", 1) traffic does make it across the bridge, but no traffic is logged by Snort, and 2) when I stop Snort, traffic continues to flow. To me, this indicates that Snort is somehow being bypassed when "out via" is in place. When I replace "out via bridge0" with "in via em0", which is the WAN-facing interface, no traffic flows across the bridge. When I remove the divert rule, traffic flows across the bridge.
Applicable rc.conf entries are:
Code:
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"
ifconfig_em0="inet 10.20.70.11 netmask 255.255.255.0 promisc up"
ifconfig_em1="promisc up"
#
firewall_enable="YES"
# rc.conf(5) spells this key firewall_quiet; the misspelling "firewall_quite" is silently ignored
firewall_quiet="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
#
snort_enable="YES"
# ipfw DAQ in inline mode, bound to divert port 8000, run as a daemon
snort_flags="--daq ipfw --daq-mode inline --daq-var port=8000 -D"
Any help with this would be most appreciated.
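The following diagnostic is an added example for readers of this thread; it is not code from the original post or from the Snort or FreeBSD projects. ipfw(8) documents that packets matching a divert rule are dropped when no socket is bound to the divert port, so the observation that traffic keeps flowing after Snort is stopped is consistent with packets never reaching the divert rule at all. The cheapest way to confirm that is ipfw's own per-rule accounting: snapshot `ipfw -a list`, push traffic across the bridge, snapshot again, and see whether the counter on the divert rule moved. The script assumes the divert rule is number 400 as in the ruleset above and that `ipfw -a list` prints `rulenum packets bytes action`; the sample snapshots at the bottom are constructed, not captured from the poster's host.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether ipfw rule 400
# (the divert rule in the ruleset above) is actually matching packets, using
# the accounting counters printed by "ipfw -a list".
#
# Assumed output format of "ipfw -a list":
#   00400   <packets>   <bytes> divert 8000 ip from any to any

# Print the packet counter of rule $1 from "ipfw -a list" text read on stdin.
# Numeric comparison tolerates zero-padded rule numbers ("00400" vs "400").
rule_pkts() {
    awk -v rule="$1" '$1 + 0 == rule + 0 { print $2 + 0; exit }'
}

# Compare two snapshots ($1 = before, $2 = after) for rule $3.
# Prints "matching" (counter grew), "idle" (counter unchanged) or
# "missing" (rule not present) and returns 0 only for "matching".
divert_verdict() {
    before=$(printf '%s\n' "$1" | rule_pkts "$3")
    after=$(printf '%s\n' "$2" | rule_pkts "$3")
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo missing
        return 2
    fi
    if [ "$after" -gt "$before" ]; then
        echo matching
        return 0
    fi
    echo idle
    return 1
}

# Live use on the bridge host (as root): snapshot, generate traffic across
# the bridge from another machine, snapshot again.
live_check() {
    rule=${1:-400}
    snap1=$(ipfw -a list)
    echo "send traffic across the bridge now; sampling again in 10 s" >&2
    sleep 10
    snap2=$(ipfw -a list)
    divert_verdict "$snap1" "$snap2" "$rule"
}

# Constructed sample snapshots so the logic can be exercised where ipfw is
# absent. SAMPLE_AFTER_IDLE models the "out via bridge0" symptom from the
# post: traffic is forwarded (rule 500 grows) but the divert rule never
# matches, so Snort sees nothing and stopping it changes nothing.
SAMPLE_BEFORE='00100      12     1024 allow ip from any to any via lo0
00200       0        0 deny ip from any to 127.0.0.0/8
00300       0        0 deny ip from 127.0.0.0/8 to any
00400     150    90000 divert 8000 ip from any to any
00500     150    90000 allow ip from any to any
65535    4200  3100000 allow ip from any to any'

SAMPLE_AFTER_IDLE='00100      20     2048 allow ip from any to any via lo0
00200       0        0 deny ip from any to 127.0.0.0/8
00300       0        0 deny ip from 127.0.0.0/8 to any
00400     150    90000 divert 8000 ip from any to any
00500    2150  1290000 allow ip from any to any
65535    4200  3100000 allow ip from any to any'

SAMPLE_AFTER_MATCH='00100      20     2048 allow ip from any to any via lo0
00200       0        0 deny ip from any to 127.0.0.0/8
00300       0        0 deny ip from 127.0.0.0/8 to any
00400    2150  1290000 divert 8000 ip from any to any
00500    2150  1290000 allow ip from any to any
65535    4200  3100000 allow ip from any to any'

# Uncomment on the bridge host to run the live check against rule 400:
# live_check 400
```

A "matching" verdict with Snort running, together with traffic stopping when Snort is killed, is what a working fail-closed divert setup looks like; "idle" while traffic still crosses the bridge means the packets are being forwarded on a path that the divert rule's interface qualifiers do not cover, which is worth checking before looking at the Snort side.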