Firewall/NAT

I would like to set my 3rd NIC as a mirror port / span port to be able to sniff outgoing trafic to check for un-encrypted data. I have searched around a bit and found these two methods:

<span>
   <descr>SPAN</descr>
   <if>xl2</if>
   <enable/>
</span>
Under the <interfaces> tag. This causes the NICs type to be SPAN, but can not be found under the interface settings list, or firewall etc. (and no data is sent on the NIC) [ Found at http://m0n0.ch/wall/list/showmsg.php?id=191/47 ]

Also that running ifconfig <src nic> span <target nic> from exec.php, but this returns ifconfig: span: bad value [Found at http://forum.m0n0.ch/index.php/topic,2343.0.html ]

What am I doing wrong?

Thanks!

//Johannes

[ P.S.  I don't want to use a hub]

The first post references a patched build of 1.2 and only applies if you are running that image or have applied his patch. If you want to try running from exec.php the syntax (assuming 1.3beta) is here: http://www.freebsd.org/cgi/man.cgi?query=ifconfig&apropos=0&sektion=0&manpath=FreeBSD+6.3-RELEASE&format=html
Span is only valid for a bridged interface, so you would need to bridge xl2 with your target NIC first.

Ah, Thanks! I have now updated to 1.3b15, and the system working as it should. I've bridged (using the GUI) my LAN (xl1) with "Mirror" (xl2). In exec.php I send ifconfig xl1 span xl2, which returns ifconfig: BRDGADDS xl2: Invalid argument... Do I have to bridge them in another way, or whats going on?

//Johannes

Per the man page:
span interface
        Add the interface named by interface as a span port on the
        bridge.  Span ports transmit a copy of every frame received by
        the bridge.  This is most useful for snooping a bridged network
        passively on another host connected to one of the span ports of
        the bridge.

The command would just be ifconfig span xl2
That should turn on xl2 as a span/mirror port of the bridge.

Running: ifconfig span xl2
Returns: ifconfig: interface span does not exist

I think I have to send two interfaces... Or maybe I can send a bridge?

I've never worked with much *nix as you can see...

Thanks,

//Johannes

Sorry, I wasn't looking at the full syntax. You need to run the command on the bridge interface. eg- ifconfig bridge0 span xl2

There doesn't seem to be any obvious bridge under ifconfig. By just running ifconfig I can see the status of xl0, xl1, xl2, loopback and enc0 (which I don't think is the bridge).  It seems i could run ifconfig bridge0 create and in some way specify what NICs to bridge, but the GUI created bridge is working fine...

Also, once I create the mirror port, is there any way to make it ignore incoming packets from it? (so that it can't be used as a bridge to the LAN)

Thanks!

//Johannes

Upon looking into this, m0n0wall is using kernel bridging http://www.freebsd.org/cgi/man.cgi?query=bridge&apropos=0&sektion=0&manpath=FreeBSD+6.3-RELEASE&format=html
and not if_bridge. The ifconfig bridge code was added in FreeBSD 6 and 6.x has both methods available. You might be able to remove the GUI bridge and do the whole thing via exec.php:
ifconfig bridge0 create
ifconfig bridge0 addm xl1 span xl2 up

That completes without errors, but no data seems to be sent on the mirror port... Running ifconfig bridge0 returns:

bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   ether ae:ae:63:cb:34:da
   id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
   maxage 20 holdcnt 6 proto stp maxaddr 100 timeout 1200
   root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
   member: xl1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
   member: xl2 flags=8<SPAN>


Any ideas on whats wrong?

Thanks for helping me with this,

edit:
I also noticed that after restarting m0n0wall it lost the custom settings, how can I make it remember them?
//Johannes

You probably need to tweak the bridge sysctls.
From exec.php try:
sysctl net.link.bridge
Try setting any syctls that return 1 to 0. A value of zero disables filtering.
As for rebooting, you might be able to use the hidden xml commands to script the whole thing. http://doc.m0n0.ch/handbook/faq-hiddenopts.html

Thanks, I changed some things in sysctl so now running sysctl net.link.bridge returns:

net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0

But there still seems to be something wrong... At first I thought maybe it should be bridge0, but that does not exist for sysctl it seems... I'm also wondering what the GUI should be set to... Right now my mirror NIC is visble in the Interfaces:assign list, but under Interfaces:Mirror I have not checked the "Enable Optional 1 interface". Which I don't have to since its bridged via ifconfig right?

Thanks again for the help,

//Johannes

Umm... Bump?

I would still like to create a span port if possible, and I think it would be a good thing to have in the documentation.

Bump..

Johannes,

Thank you for this thread. I've been using a Barracuda networks tap but wanted to use spanning instead to feed my IDS off m0n0wall. I was able to get it passing some traffic from your info. It seems to be duplicating traffic because I'm getting all the alerts twice on my IDS but that's probably something that can be resolved.

I still need to experiment but heres all I did:

Used exec.php to run these commands:
ifconfig bridge0 create
ifconfig bridge0 addm xl1 span xl2 up
ifconfig xl2 up

Are you using crossover (aka null) cat5 cable on the span port? This won't work with a straight through cable for me.

Heres an shot of my ifconfig output for a working span/mirror setup:

sis1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   options=8<VLAN_MTU>
   inet 10.X.X.1 netmask 0xffffff00 broadcast 10.X.X.255
   inet6 fe80::200:24ff:fec4:ca65%sis1 prefixlen 64 scopeid 0x2
   ether 00:00:24:c4:ca:65
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active
sis2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   options=8<VLAN_MTU>
   inet6 fe80::200:24ff:fec4:ca66%sis2 prefixlen 64 scopeid 0x3
   ether 00:00:24:c4:ca:66
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   ether 26:70:16:25:5c:d0
   id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
   maxage 20 holdcnt 6 proto stp maxaddr 100 timeout 1200
   root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
   member: sis1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
   member: sis2 flags=8<SPAN>

Food for google searches: This is similar to creating a monitor session on a cisco switch.

Continuing down the path of creating a monitor port...

Since my last post, its been working well feeding snort and wireshark and I'd like to add the following hints for executing the commands at boot.

Download your xml config and add the following to the SYSTEM section:

<shellcmd>ifconfig bridge0 create</shellcmd>
<shellcmd>ifconfig sis2 up monitor</shellcmd>
<shellcmd>ifconfig bridge0 addm sis1 span sis2 up</shellcmd>

Double check your work and restore your manually modified xml config and the commands get exec'd at boot.

At this point I'm trying to figure out how to get rid of the stray errors in the Firewall log for the bridge0 interface. I tried creating an OPT2 heading under interfaces and setting rules for that interface to pass all but still packets are being logged.

Does anyone have any thoughts on this?

My first post on this forum, I am able to get span port working following the above instructions by Scott99e99. One thing I'd like to add here is that it only works for LAN interface not WAN! I spent 2 days try to get it working with WAN but never succeeded hehe.

In my case the following is what I did to make a span port:


My configuration:

m0n0 version: 1.3b18
WAN: rl0
LAN: rl1
OPT1: rl2  (the third nic)

Steps:

ifconfig  bridge0 create
ifconfig  bridge0 addm rl1 span rl2 up
ifconfig rl2 up   

also scott is right with crossover cable.