Re: Any one tell me about bpf ?

On Thu, Apr 10, 2003 at 12:38:47AM +0900, dreamer wrote:
> I think bpf is a receive-only copy. The original is transferred!
> Is this thinking wrong?
bpf and pf are basically unrelated, only the name is similar. The packet
filter (pf) intercepts all (original) packets and decides whether to
pass or block them according to a ruleset.

There is some interaction between bpf and pf. For instance, incoming
packets will be dispatched through bpf before they are filtered by pf,
so you'll see all incoming packets on a pcap listener (like snort), even
if they are later blocked by pf.

A consequence is that pf can't protect pcap listeners from any traffic.
If you run snort listening on your external interface on the firewall
itself, it will see all packets. Some people prefer to run snort on an
internal interface (or even a different local machine), so it only sees
packets that actually pass the filter and make it into the local
network, so it only reports _successful_ (not just attempted) intrusion.
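The ordering described above, as an added model that is not part of this thread and not OpenBSD code: a constructed simulation of pf's last-matching-rule-wins evaluation (with `quick`) and of where the bpf taps sit, showing that a listener on the external interface sees every inbound packet while one on the internal interface sees only what pf passed. Rule and packet values are made up.

```python
"""Constructed model of bpf taps around a pf ruleset (illustration only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dport: Optional[int] = None  # None matches any destination port
    src_net: str = "0.0.0.0/0"   # source network the rule applies to
    quick: bool = False          # stop evaluation on match, as pf's "quick"

    def matches(self, pkt: Packet) -> bool:
        return (self.dport in (None, pkt.dport)
                and ip_address(pkt.src) in ip_network(self.src_net))


def pf_decision(rules: List[Rule], pkt: Packet) -> str:
    """pf semantics: the last matching rule wins unless a match is quick."""
    decision = "pass"  # implicit default when no rule matches
    for rule in rules:
        if rule.matches(pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


def forward(rules: List[Rule], inbound: List[Packet]) -> Tuple[list, list]:
    """Return (packets seen on ext_if tap, packets seen on int_if tap)."""
    ext_tap, int_tap = [], []
    for pkt in inbound:
        ext_tap.append(pkt)               # bpf on ext_if taps before pf runs
        if pf_decision(rules, pkt) == "pass":
            int_tap.append(pkt)           # only passed packets reach int_if
    return ext_tap, int_tap


# Constructed ruleset: default deny, drop a bad source early, allow HTTP in.
RULES = [Rule("block"), Rule("block", src_net="10.0.0.0/8", quick=True),
         Rule("pass", dport=80)]
INBOUND = [Packet("198.51.100.5", "192.0.2.10", 80),   # passes
           Packet("198.51.100.5", "192.0.2.10", 22),   # blocked by default
           Packet("10.1.2.3", "192.0.2.10", 80)]       # blocked quick
```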