Copy selected packets (eg via ipfw rule) to another host

I want to copy selected packets (such as DNS lookups) to another host, which will log them.

ipfw has the 'fwd <host>' (forward to a new host) and 'tee <port>' (send a copy to a local divert port) directives. Does something exist that combines both, i.e. continue processing the packet locally but also forward a copy to another host? Something like tee <host>.

Essentially, I want to be able to do a remote tcpdump.

Thanks for any ideas.
 
I would attach an NGFW (IronPort / FortiGate) in transparent mode between the router and the access switch, or use a SPAN or TAP on the managed switch to mirror the traffic instead of forwarding it on the router, or forward all DNS queries to an internal DNS where I can do the logging and deny DNS over TLS/HTTPS (853).
Anyway, ipfw(8) has a selective mirroring option via ngtee that you can look up in the manual.

squid+e2Guardian is another good alternative.
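To make the ngtee suggestion concrete for the original goal (DNS lookups logged on another host), here is an added example that is not from the thread: the router side is a handful of ipfw(8)/ngctl(8) commands kept in the docstring, and the Python below is the collector that runs on the logging host. ipfw's ngtee sends a copy of each matching packet to the ng_ipfw(4) node on a hook named by the cookie and lets the original continue; hanging an ng_ksocket(4) UDP socket off that hook ships each copy to the collector as one datagram. The cookie (100), the collector address and port (192.0.2.10:5555), the rule number (1000) and the assumption that the datagram payload is the IPv4 packet exactly as ipfw saw it (layer-3 ipfw, no Ethernet header) are assumptions, not values from the thread; the sample packet is constructed for offline testing.

```python
#!/usr/bin/env python3
"""Collector side of an ipfw ngtee mirror of DNS queries.

Router side (FreeBSD, as root). Cookie 100, collector 192.0.2.10:5555 and
rule 1000 are assumptions for this example, not values from the thread:

    kldload ng_ipfw ng_ksocket
    ngctl mkpeer ipfw: ksocket 100 inet/dgram/udp      # hook "100" = ngtee cookie
    ngctl msg ipfw:100 connect inet/192.0.2.10:5555    # see ng_ksocket(4) for bind/connect
    ipfw add 1000 ngtee 100 udp from any to any 53 out # "out" avoids a second copy of forwarded packets

Each mirrored packet arrives here as one UDP datagram whose payload is the IPv4
packet as ipfw saw it (assumption: layer-3 ipfw, so no Ethernet header).
Firewall the collector port so that only the router can reach it: whatever is
sent back to that socket is handed to ng_ipfw on the router.
"""
import socket
import struct
import sys


def parse_dns_query(ip_packet: bytes):
    """Return {'src','dst','id','qtype','qname'} for an IPv4/UDP DNS query, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None                      # only IPv4 is handled in this example
    ihl = (ip_packet[0] & 0x0F) * 4
    if ihl < 20 or len(ip_packet) < ihl + 8 or ip_packet[9] != 17:
        return None                      # bad header length or not UDP
    src = socket.inet_ntoa(ip_packet[12:16])
    dst = socket.inet_ntoa(ip_packet[16:20])
    sport, dport, ulen = struct.unpack_from("!HHH", ip_packet, ihl)
    if 53 not in (sport, dport) or ulen < 8 + 12:
        return None
    dns = ip_packet[ihl + 8:ihl + ulen]  # UDP payload, bounded by the UDP length
    if len(dns) < 12:
        return None
    txid, flags, qdcount = struct.unpack_from("!HHH", dns, 0)
    if flags & 0x8000 or qdcount < 1:
        return None                      # a response, or no question section
    labels, off = [], 12
    while True:
        if off >= len(dns):
            return None                  # truncated name
        n = dns[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0 or n > 63 or off + 1 + n > len(dns):
            return None                  # compression pointers are not valid in a question name
        labels.append(dns[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    if off + 4 > len(dns):
        return None                      # QTYPE/QCLASS missing
    qtype = struct.unpack_from("!H", dns, off)[0]
    return {"src": src, "dst": dst, "id": txid, "qtype": qtype,
            "qname": ".".join(labels) or "."}


def build_sample_query(qname: str, src: str = "10.0.0.5", dst: str = "10.0.0.1") -> bytes:
    """Construct an IPv4/UDP DNS A query for offline testing (checksums left zero; not verified above)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def serve(bind_addr: str = "0.0.0.0", port: int = 5555) -> None:
    """Receive mirrored packets from the router's ng_ksocket and log one line per DNS query."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((bind_addr, port))
    while True:
        pkt, (router, _) = s.recvfrom(65535)
        q = parse_dns_query(pkt)
        if q:
            print(f"{router} {q['src']} -> {q['dst']} id={q['id']:#06x} "
                  f"qtype={q['qtype']} {q['qname']}", flush=True)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "selftest":
        print(parse_dns_query(build_sample_query("www.example.com")))
    else:
        serve()
```

Run `python3 collector.py selftest` to see the parser on the constructed packet, or run it without arguments on the logging host and point the router's ng_ksocket at it. The parser deliberately stops at the question section: the collector only needs the query name, and refusing compression pointers and oversized labels there keeps a hostile client from steering the parser with crafted names.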
 
Thanks for the reply. This is for a small setup so I'm really looking for a FreeBSD solution.

I completely missed the ngtee option, although I know nothing of netgraph. I am guessing that a relatively simple divert(4) application to insert the packet copy with a new next-hop address could also work, but again I don't have sufficient knowledge to implement that.

I think it should be possible to use "accept ... log" ipfw rules, which will copy packets to ipfw0, but that is a local interface. I don't know if something weird like this would work (I haven't bothered to check the exact syntax):

ipfw add x accept log ip from any to any in not via ipfw0
ipfw add x fwd x.x.x.x ip from any to any in via ipfw0

...but this means I cannot use 'log' for anything else (which I already do).

Thinking a little differently, is there a way for FreeBSD to mirror packets at a lower layer? The router running FreeBSD has 6 individual Ethernet ports.
 