iptables promisc mode

Magnus Månsson ganja at 0x63.nu
Wed Nov 15 21:27:48 CET 2006

> As long as the firewall machine that runs iptables is the gateway from 
> the lan to the internet and vice versa, this is already happening, 
> iptables sees all the traffic in both directions, and can act on it 
> was well, layer 4 and above.  Nothing to add, no patch required.  But, 
> to have details in the logs of what is passing requires that you build 
> and configure your rules properly, with log statements in your case 
> being well defined and covering a number of common protocol ports.  
> One issue you will face is that most of the traffic you are trying to 
> monitor, is not well defined nor restricted to any common ports, which 
> is whyyou have faced issues in preventing the traffic and even with a 
> layer 7 module.
> Plan on having at least one person devoted to nothing but monitoring 
> traffic and logs for sometime to get a handle on what your users are 
> abusing.
> Of course common theory is that this kind of abuse is best handled at 
> the HR level, a frewall is not the best place to hadle this kind of 
> policy issue.
> Thanks,
> Ron DuFresne
But since my firewall are two redundant Cisco Pix 515E I dont use any 
linux machine as a gateway, that's why I have the port mirroring in the 
routing switch. And the goal is not to stop the "abusing" in the 
firewall, only to detect and log it for later investigation when we feel 
like we have the need.

But thanks for the answer. .)

More information about the netfilter mailing list