On Saturday 15 December 2007, [EMAIL PROTECTED] wrote:
> Randy Barlow <[EMAIL PROTECTED]> writes:
> > [EMAIL PROTECTED] wrote:
> >> I mean if you connect it to any machine in the diagram or elsewhere
> >> wouldn't you be exposing that machine to the unfiltered internet?
> >
> > I think that's the idea here - to see the difference between the two
> > sides of the router.
>
> If that is the case then I guess I don't see how the quote below
> applies. From Mick in his initial reply:
> > A rather simpler solution to do this would be to get hold of a hub,
> > connect it to the firewall and watch everything that passes through
> > it.
Your network diagram in the previous post is exactly what I was thinking and proposing. What you are not showing is the link from your gentoo box to the hub. Then you capture the packets that flow through with a suitable application. Have a look at the penultimate diagram at the bottom of this page:

http://www.mynetwatchman.com/pckidiot/ethernet.htm

> I realize you are not who made the reply I quote above but:
>
> If you still have to come up with a hardened interface to the hub then
> how is it simpler?

I am not totally convinced that a 'particularly' hardened interface is necessary. A second NIC with suitable firewall rules, or a virtual NIC on ntop should suffice for you to capture the packets flowing through the hub into a log file. You could even go as far as creating VLANs to separate the two, but I am not sure that this is necessary. I mean it is not as if you are going to create a bridge between a trusted interface and this hub-facing interface, right? Of course you would not be running e.g. tcpdump as root in real time so the risk of exposure (as I understand it in this context) is minimal, but others may want to comment.

nprobe or fprobe could capture the packets both on the Gentoo machine and on a WinXP machine and save them on file(s), and/or send them to ntop as NetFlow. Perhaps others can comment further on similar suitable software and ways to set all this up.

> Further, since the router is switched then you'd really need two hubs.
> One on each side, if the aim were to compare what is coming and what is
> getting thru. So we're getting further and further away from `rather
> simpler'

Sure, you can add a second hub and so increase complexity, or use nprobe or the log files of the machines on the LAN side to see what actually gets through. I am not sure if you want to run this long term and automate all of this capture and reporting into graphical formats (e.g. using rrdtool), set up a dedicated machine just for this purpose, or if you just want to test particular connections in an ad hoc fashion to see why/how particular connections behave.

> Come up with the hardened interface and forget the hub[s]. As I said
> my router offers to send all the bounced traffic to a designated DMZ.
>
> I am probably not interested enough right now to build up a whole
> different machine to talk to the hub or be the DMZ. So if you are
> pretty convinced doing it from a VMgentoo appliance running on one of
> the win boxes then I'll probably just keep fiddling around with the
> logs produced by the router.
> ... Thanks

I just saw the installation of vmware and the generation of a virtual image as more involved than what I suggest above. Using the raw logs from the router and filtering/sorting these through a spreadsheet would probably make them easier to read. Anyway, whatever works better/easier for you.
--
Regards,
Mick
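The comparison the thread keeps circling back to (what arrives on the WAN-side hub versus what actually reaches the LAN side) can be done without ntop or a spreadsheet once you have a text capture from each side. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it parses `tcpdump -nn` text output from the two capture points and diffs the flows. The capture lines are constructed samples, and the flow key deliberately drops the destination IP on the assumption that the router does NAT and rewrites it between the two hubs; that assumption is mine, not something the thread states.

```python
import re
from typing import Dict, Set, Tuple

# Flow key: (protocol, source IP, source port, destination port).
# The destination IP is left out on purpose: a NAT router rewrites it on
# the way in (public address on the WAN hub, private address on the LAN
# hub), so it would never match across the two captures.  This is an
# assumption about the setup, not something the thread states.
FlowKey = Tuple[str, str, int, int]

# Constructed sample `tcpdump -nn` output from the hub on the WAN side of
# the router.  Not real traffic.
WAN_SIDE = """\
12:00:01.000001 IP 203.0.113.5.40001 > 198.51.100.7.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 203.0.113.5.40002 > 198.51.100.7.23: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 IP 203.0.113.9.51000 > 198.51.100.7.80: Flags [S], seq 3, win 64240, length 0
12:00:01.000004 IP 203.0.113.9.4000 > 198.51.100.7.9999: UDP, length 64
12:00:01.000005 IP 203.0.113.5.40001 > 198.51.100.7.22: Flags [.], ack 1, win 64240, length 0
"""

# Constructed sample from the hub on the LAN side: only what the router
# forwarded, with the destination already rewritten to the private address.
LAN_SIDE = """\
12:00:01.000101 IP 203.0.113.5.40001 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000102 IP 203.0.113.9.4000 > 192.168.1.10.9999: UDP, length 64
12:00:01.000105 IP 203.0.113.5.40001 > 192.168.1.10.22: Flags [.], ack 1, win 64240, length 0
"""

# One line of `tcpdump -nn` text output for TCP (has a Flags field) or UDP.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<proto>Flags \[[^\]]*\]|UDP)"
)


def parse_flows(capture_text: str) -> Set[FlowKey]:
    """Reduce a text capture to the set of flow keys it contains."""
    flows: Set[FlowKey] = set()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, ICMP, truncated or otherwise unparsed lines are skipped
        proto = "udp" if m.group("proto") == "UDP" else "tcp"
        flows.add((proto, m.group("src"), int(m.group("sport")), int(m.group("dport"))))
    return flows


def compare_sides(wan_text: str, lan_text: str) -> Dict[str, Set[FlowKey]]:
    """Diff the flows seen on the two hubs."""
    wan = parse_flows(wan_text)
    lan = parse_flows(lan_text)
    return {
        "passed": wan & lan,    # seen on both sides: the router let it through
        "blocked": wan - lan,   # seen outside only: dropped or not forwarded
        "lan_only": lan - wan,  # seen inside only: did not come via the WAN hub
    }


if __name__ == "__main__":
    result = compare_sides(WAN_SIDE, LAN_SIDE)
    for verdict in ("passed", "blocked", "lan_only"):
        for proto, src, sport, dport in sorted(result[verdict]):
            print(f"{verdict:8s} {proto} {src}:{sport} -> :{dport}")
```

As written the key matches inbound flows, which is what the thread is about (what the router lets in). For outbound traffic the roles swap: NAT rewrites the source address instead, so the key would have to drop that field. Feeding the script real data is just `tcpdump -nn -i <capture-nic> > wan.txt` on the box attached to each hub and reading the two files in place of the constructed strings.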