Until now, we've been using the filter to drop packets. Instead of dropping them, lets
consider passing them on to another system that can do something useful with this
information beyond the logging we can perform with ipmon. Our firewall system, be it a
bridge or a router, can have as many interfaces as we can cram into the system. We can use
this information to create a "drop-safe" for our packets. A good example of a
use for this would be to implement an intrusion detection network. For starters, it might
be desirable to hide the presence of our intrusion detection systems from our real network
so that we can keep them from being detected.
Before we get started, there are some operational characteristics that we need to make
note of. If we are only going to deal with blocked packets, we can use either the to
keyword or the fastroute keyword. (We'll cover the differences between these two
later) If we're going to pass the packets like we normally would, we need to make a copy
of the packet for our drop-safe log with the dup-to keyword.