How can I set the network interface of IPFire to promiscuous mode, and which configuration file should I modify? Thank you.
I was aware that promiscuous mode was a "virtualizer" thing, not a firewall one…
I want to use Suricata to receive mirrored traffic from the switch for monitoring network threats. So, I must set the network interface of IPFire to promiscuous mode.
Run the command
ip link set green0 promisc on
and it will set promiscuous mode on the green0 nic.
You can confirm this by running netstat -i
and it will show the flags for all interfaces. By default green0 will have flags BMRU. After running the above command it will be BMPRU
and you can turn it off again by running
ip link set green0 promisc off
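The flag check described in the answer above can be scripted. The following is an added example, not part of the original thread: it reads `netstat -i` output and reports whether the `P` flag is present for a given interface. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -i` output (not captured from a real system).
SAMPLE_NETSTAT='Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
green0    1500   123456      0      0 0         98765      0      0      0 BMPRU
red0      1500   555555      0      0 0        444444      0      0      0 BMRU
lo       65536     1024      0      0 0          1024      0      0      0 LRU'

# promisc_state IFACE (hypothetical helper)
# Reads `netstat -i` text on stdin and prints one of:
#   on       the Flg column for IFACE contains P (e.g. BMPRU)
#   off      IFACE is listed but has no P flag (e.g. BMRU)
#   missing  IFACE does not appear in the table
promisc_state() {
    awk -v ifc="$1" '
        $1 == ifc { found = 1; state = ($NF ~ /P/) ? "on" : "off" }
        END { print (found ? state : "missing") }
    '
}

# check_sensor_iface IFACE (hypothetical helper)
# Runs the live `netstat -i` and succeeds only when promiscuous mode is on,
# so it can gate a monitoring start-up script.
check_sensor_iface() {
    state=$(netstat -i 2>/dev/null | promisc_state "$1")
    echo "$1: promiscuous $state"
    [ "$state" = "on" ]
}

# Demo against the constructed sample; on a live system call
# `check_sensor_iface green0` instead.
for ifc in green0 red0 blue0; do
    printf '%s: %s\n' "$ifc" \
        "$(printf '%s\n' "$SAMPLE_NETSTAT" | promisc_state "$ifc")"
done
```

A setting made with `ip link set` does not persist across a reboot, so a check like this is useful before relying on the interface for monitoring.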
Thank you! Suricata needs to modify which configurations? I have changed the interface mode, but IPFire is not generating IDS logs.
Have you added ruleset providers to your IPS page and selected rules within them?
Have you enabled the Intrusion Prevention System and enabled the green interface?
Is the IPS status on the WUI page green and running?
If all the above are yes then any rules that are triggered will be logged. If nothing is showing in the logs then nothing has triggered it yet.
You can test it by running an nmap scan from outside your IPFire machine and it will trigger logs with Emerging Threats ruleset provider selected and if you have the emerging-scan.rules selected.
sudo nmap -v ip_or_fqdn_of_ipfire_system
The IPS works normally in inline mode and generates logs. However, when receiving mirrored traffic from the switch in bypass mode, there are no logs. The green0 interface has already been set to promiscuous mode.
Well then I can't help you further.
I have never tried to do what you are doing. I just searched on how to change a nic to promiscuous mode.
I presume that you have set any switch in your network also to promiscuous mode and that you are deliberately sending out bad packets from a computer on the green network that should trigger some of the IPS rules that you have set.
Beyond that I have no further idea.