
I want to use the new NetBSD NPF firewall on a gateway that also has the legal obligation to log the traffic for 1 year. To offload the gateway, I thought of putting the logging stuff (and IDS, quota management, ...) on another machine (probably running Debian).

I thought of 2 solutions to do so:

  1. copying the traffic to the other machine

Unlike FreeBSD and OpenBSD, I'm not sure if NetBSD is able to set up this kind of port, and if it is, I don't know how. http://man.netbsd.org/bridge.4 indicates

The bridge driver currently does not support snooping via bpf(4).

but in an older version it was:

The bridge driver currently does not support snooping via bpf(4) or transparent filtering.

So maybe there's a way, but I don't know where to start. Any help?

  2. running tcpdump on the NetBSD machine and continuously syncing the log file with the analysis machine

But how? It has to be reliable and suited to a network log file (i.e. one that is continuously being written).

u91317

1 Answer


I'm assuming this machine has an additional 'admin' network port in addition to the ports used for routing traffic?

npf.conf(5) mentions:

 procedure "log" {
         # Note: npf_ext_log kernel module should be loaded, if not built-in.
         # Also, the interface created, e.g.: ifconfig npflog0 create
         log: npflog0
 }

which implies you should be able to add an appropriate log line to "log" a copy of all traffic to the admin port.

abs
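A worked example that is not part of the question or the answer, added here to show both halves of the problem: the NPF side of the answer (the "log" procedure applied to rules, so that matching packets are copied to npflog0 where bpf(4) and tcpdump can read them) and the second option from the question (tcpdump rotating its own capture files, so the file being synced is never the one still being written, and handing each closed file to a ship step that verifies the copy before releasing the local one). The interface names wm0/wm1, the spool and archive paths, the install path of the ship script, the NetBSD 7 style group syntax in npf.conf (NetBSD 6 wrote `group (name ..., interface ...)`) and tcpdump's support for -G and -z are all assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Assumptions (placeholders, adjust to the real gateway):
#   - NetBSD 7 style npf.conf syntax, external/internal interfaces wm0/wm1
#   - tcpdump with -G (timed rotation) and -z (post-rotate command)
#   - ARCHIVE_DIR is where the analysis box picks files up, e.g. an NFS
#     mount of the Debian host; SHIP_CMD is where this script is installed
SPOOL_DIR=${SPOOL_DIR:-/var/spool/pcap}
ARCHIVE_DIR=${ARCHIVE_DIR:-/archive/pcap}
SHIP_CMD=${SHIP_CMD:-/usr/local/sbin/ship-pcap}

# Option 1 (the answer): "apply" the log procedure on every rule whose
# traffic must be retained; NPF copies matching packets to npflog0.
# Before "npfctl reload":  modload npf_ext_log ; ifconfig npflog0 create
# The pass/block rules are illustrative only.
write_npf_conf() {
    cat > "$1" <<'EOF'
$ext_if = "wm0"
$int_if = "wm1"

procedure "log" {
        # npf_ext_log must be loaded and npflog0 created (see above)
        log: npflog0
}

group "external" on $ext_if {
        pass stateful out final all apply "log"
        pass stateful in final all apply "log"
}

group "internal" on $int_if {
        pass final all
}

group default {
        pass final on lo0 all
        block all
}
EOF
}

# Option 2 (the question): capture on npflog0 into files that tcpdump itself
# closes every hour (-G 3600). After closing a file tcpdump runs
# "<SHIP_CMD> <closed file>", i.e. this script in ship mode (dispatch below).
start_capture() {
    tcpdump -i npflog0 -n -s 0 -G 3600 \
        -w "$SPOOL_DIR/npflog0-%Y%m%d-%H%M%S.pcap" \
        -z "$SHIP_CMD"
}

# Ship one closed capture file: copy under a temporary name in the target
# directory, compare checksums (cksum is POSIX; sha256 tools differ between
# NetBSD and Debian), rename atomically so the analysis side never sees a
# half-written pcap, and only then release the local copy. Any failure keeps
# the file in the spool so the next sweep retries it.
ship_capture() {
    src=$1
    dest_dir=$2
    name=$(basename "$src")
    tmp="$dest_dir/.$name.part"
    cp "$src" "$tmp" || return 1
    if [ "$(cksum < "$src")" != "$(cksum < "$tmp")" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest_dir/$name" || return 1
    rm -f "$src"
}

# Retry pass (run from cron): ship every closed file still in the spool.
# The newest file is the one tcpdump is currently writing, so skip it.
sweep_spool() {
    spool=$1
    dest_dir=$2
    newest=$(ls -t "$spool"/*.pcap 2>/dev/null | head -n 1)
    for f in "$spool"/*.pcap; do
        [ -f "$f" ] || continue
        if [ "$f" = "$newest" ]; then
            continue
        fi
        ship_capture "$f" "$dest_dir" || echo "ship failed, will retry: $f" >&2
    done
}

# tcpdump -z invokes the command with the closed file as its only argument.
case $# in
    1) ship_capture "$1" "$ARCHIVE_DIR" ;;
esac
```

The temporary name lives in the same directory as the final name, so the final `mv` is a rename on the archive filesystem and the consumer on the Debian side can safely process any `*.pcap` it sees. If the archive is reached over ssh instead of a mount, replace the `cp` with `scp`/`rsync` but keep the copy-then-rename pattern on the far side; the cron sweep is what turns a temporarily unreachable archive into a delay rather than a lost hour of traffic.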