For years I've wanted to have a PC with a pair of network cards that I can use to bridge between "the internets" and a suspected compromised PC. Ideally we can just truck this thing up and pull the network cable on a suspect machine, then plug the cable into one interface on this and another between this and the wall. Probably not the most efficient way to go about things, but an interesting thought experiment.

To that end, I've scrounged a P4 from our surplus pile. I already have a small supply of hard disks and a spare "disk tray" so that I can easily swap disks in and out of the machine. I also obtained a pair of gigabit NICs to use.

First thing to do is to make sure everything works. Flash the BIOS to 1007, and a Gentoo LiveCD sees all the hardware. That's good.

-- MikePatterson - 09 Feb 2006

I'm naming the machine lusankya.cscf, mostly so I can easily stick it on the network to get packages and such. I did a base install of FreeBSD 6.0 on a 160GB disk, using about 100GB and leaving the rest untouched. (I was thinking I might dual or triple boot it with Linux and maybe even... ugh... Windows. That'll come later.) em0 is the top NIC, how convenient, so I labelled it on the case. I installed portupgrade just to make life easy in the future. tcpdump comes with the OS.

-- MikePatterson - 10 Feb 2006

Other considerations: Richard Bejtlich recommends a separate partition to use for capturing network traces (he calls his /nsm). If netcat isn't installed, it probably should be. Ditto socat. We'll also probably want to consider a machine with PCI-X slots for the NICs if we ever want to do heavy-duty monitoring. Maybe a single dual-port PCI-X card would do the trick, with a second card (any speed) as an administrative interface.

-- MikePatterson - 08 May 2006

I obtained a third NIC for the machine, a DLink with a DEC chipset that comes up as de0. I'll set this up to dhcp, and then figure out how to enable bridging. de0 can be used as management interface for the machine, we'll assign private addresses to the machine.

Looking at if_bridge(4), there's some interesting sysctls:

     net.link.bridge.pfil_member  Set to 1 to enable filtering on the incoming
                                  and outgoing member interfaces, set to 0 to
                                  disable it.

     net.link.bridge.pfil_bridge  Set to 1 to enable filtering on the bridge
                                  interface, set to 0 to disable it.

It doesn't appear that one needs to frob these at all, but knowing of their existence could be useful: maybe we'll want to filter traffic going over the bridge during an investigation.

Set the following in /etc/rc.conf:

hostname=lusankya
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"
ifconfig_em0="up"
ifconfig_em1="up"

I tested that, tcpdump on the bridge0 interface seems to give me what I want. My Windows workstation was able to DHCP and get its IP as usual, and I was able to surf normally. Of course, that will show all broadcast traffic in that bcast domain, so perhaps one would want to restrict tcpdump to capturing data only for that one host, ie tcpdump -i bridge0 -s 0 "host 10.0.0.1" or what-have-you.

Add ifconfig_de0="inet 192.168.15.1 netmask 255.255.255.0" to /etc/rc.conf.

/usr/local/etc/dhcpd.conf looks like this:

default-lease-time 600;
max-lease-time 7200;
authoritative;
ddns-update-style none;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

subnet 192.168.15.0 netmask 255.255.255.0 {
  range 192.168.15.10 192.168.15.20;
  option broadcast-address 192.168.15.255;
}

And add to /etc/rc.conf:

dhcpd_enable="YES"
dhcpd_ifaces="de0"

Leaving sshd_enable on all the time should be safe enough.

See also UsingTheBridgePC.