Would it be possible to setup a inline firewall, inline IDS (snort), and a stealth syslog server all on one box? I've read how to create a steath syslog server by having snort capture traffic destined to a unused IP and having it passed to the syslog daemon, but could you do that and have snort running in IDS mode? Having a box acting as a firewall, IDS, and syslog server all completely undectectable since it doesn't have a IP would be very very cool

You could configure a snort signature to just listen for traffic to a specific IP on the syslogd port, so yes you could easily do all that on one box and still have fully functional snort.

Forgive me for asking this....but,

What exactly is the purpose of this box? I'm fairly new to linux, but this sounds cool. What is it used for?

Thanks, it should be interesting seting that up.

Unfortunately i just found out that you can't use NAT with a stealth, transparent, inline, bridging, layer-2 firewall (i think EIA/TIA needs to standardize a name for this). You can use NAT with it but you would have to have a public IP address which would defeat its purpose. Anyone know why you can't keep it stealthy and use NAT?

It would act as both a Intrusion Detection System, and a syslog server where all the PC's on your network could send their logs too. Since this box wouldn't have an IP address it wouldn't be impossible to hack remotely. I believe the worest thing it could be vulnerable to is the crashing of snort if a new vulnerability is discovered. I'm pretty sure a vulnerability like that has been discovered and patched a while ago but by keeping snort updated it shouldn't be a problem...

Apparently you can't have a transparent firewall if your going to be using NAT. I'm assuming that is the reason why transparent firewalls aren't as popular as i thought they should of been... Its pretty disapointing, this had a lot of potential. If anyone knows of a way to have a transparent firewall with NAT please let me know.

How can you use NAT with what is essentially a layer-2 device? It's operating at the link-layer, not at the network layer. NAT uses IPs, which is layer-3 (network). As mentioned, you would need at least one IP to NAT the internal net to outside, and of course that would defeat the purpose of being a bridging firewall.

Ahhhh so you can have a NAT'd network, you just can't run NAT on the same box as the transparent firewall?

It seems like every site i've been to that talks about transparent firwealls mentions that you can't use NAT with it. If you just can't have NAT on the firewall then thats not a big deal at all...

I don't understand why transparent firewalls aren't more popular. I would think a firewall that can't be hacked would become standard pretty quickly. Instead the most popular way now to make your firewall hackproof seems to be to use a bootable CD, but that can still be hacked... it would be fixed as soon as you reboot, but by then it would probably be to late...

Well theoretically it can still get cracked. Someone already mentioned taking advantage of Snort, or possibly tcpdump or Ethereal if you're running either of those to check traffic. Also, although it doesn't have an IP it does have hwaddrs, so someone particularly clever can still attack you using your MAC addr. After all, there has to be some way of getting traffic to it to inspect (for the packet filter) so there is also a vector for malicious traffic as well.

In any case, I suspect the main reasons are as follows: a) it requires roughly double the hardware (probably will need one NAT device per firewall), b) it's more complicated, network administrators don't like complications c) most firewall compromises are because of bad rules, not insecure platforms; in fact most of the time it's not the firewall that got compromised at all, someone just found a way through it to their end target.

Good points, thanks