If, for example, we wanted to send a copy of everything going out the xl3
interface off to our drop-safe network on ed0, we would use this rule in our
pass out on xl3 dup-to ed0 from any to any
You might also have a need to send the packet directly to a specific IP address on your drop-safe network instead of just making a copy of the packet out there and hoping for the best. To do this, we modify our rule slightly:
pass out on xl3 dup-to ed0:192.168.254.2 from any to any
But be warned that this method will alter the copied packet's destination address, and may thus destroy the usefulness of the log. For this reason, we recommend only using the known-address method of logging when you can be certain that the address you're logging to corresponds in some way to what you're logging for (e.g.: don't use "192.168.254.2" for logging both your web server and your mail server, since you'll have a hard time later trying to figure out which system was the target of a specific set of packets.)
This technique can be used quite effectively if you treat an IP address on your
drop-safe network in much the same way that you would treat a multicast group on
the real Internet. (e.g.: "192.168.254.2" could be the channel for your http
traffic analysis system, "18.104.22.168" could be your channel for telnet
sessions, and so on.) You don't even need to actually have this address set as an address
or alias on any of your analysis systems. Normally, your ipfilter machine would need to
ARP for the new destination address (when using the dup-to ed0:192.168.254.2 style, of
course), but we can avoid that issue by creating a static ARP entry for this "channel"
on our ipfilter system.
In general, though, dup-to ed0 is all that is required to get a new copy of
the packet over to our drop-safe network for logging and examination.
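As an added example (not part of this HOWTO), the script below parses dup-to rules in the two forms shown above, flags any "channel" address that is shared by copies of more than one service (the ambiguity warned about earlier, since the copy's destination address is rewritten), and lists the static ARP entries each channel needs so the ipfilter host never has to ARP for it. The rule set, the 10.0.0.x server addresses and the MAC address are constructed placeholders.

```python
import re
from collections import defaultdict

# Accepts the two dup-to forms shown in the text: "dup-to ed0" (plain copy) and
# "dup-to ed0:192.168.254.2" (copy rewritten to a channel address). The optional
# "port = N" after the destination is the ipf syntax for a service match.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\S+)\s+"
    r"dup-to\s+(?P<dup_if>[a-z]+\d+)(?::(?P<channel>\d+(?:\.\d+){3}))?\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<port>\d+))?\s*$"
)

# Constructed sample rule set: the web and mail copies share one channel address.
SAMPLE_RULES = """\
pass out on xl3 dup-to ed0 from any to any
pass out on xl3 dup-to ed0:192.168.254.2 from any to 10.0.0.10 port = 80
pass out on xl3 dup-to ed0:192.168.254.3 from any to 10.0.0.20 port = 23
pass out on xl3 dup-to ed0:192.168.254.2 from any to 10.0.0.30 port = 25
"""

def parse_rule(line):
    """Return the rule's fields as a dict, or None for a line without dup-to."""
    m = RULE_RE.match(line.strip())
    return m.groupdict() if m else None

def channel_conflicts(rules):
    """Channel addresses that receive copies for more than one (dst, port).
    Because dup-to ed0:ADDR rewrites the copied packet's destination, two
    services sharing a channel can no longer be told apart in the logs."""
    seen = defaultdict(set)
    for r in rules:
        if r and r["channel"]:
            seen[r["channel"]].add((r["dst"], r["port"]))
    return {ch: sorted(t) for ch, t in seen.items() if len(t) > 1}

def static_arp_commands(rules, mac="00:00:5e:00:53:01"):
    """One 'arp -s' per channel so the ipfilter host never has to ARP for an
    address that no analysis system owns. The MAC is a constructed placeholder;
    in practice use the NIC your sniffer on the drop-safe network listens on."""
    channels = {r["channel"] for r in rules if r and r["channel"]}
    ordered = sorted(channels, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return [f"arp -s {ch} {mac}" for ch in ordered]

if __name__ == "__main__":
    parsed = [parse_rule(l) for l in SAMPLE_RULES.splitlines()]
    for ch, targets in channel_conflicts(parsed).items():
        print(f"channel {ch} is shared by {targets}; logs will be ambiguous")
    print("\n".join(static_arp_commands(parsed)))
```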