But won't this block the traffic we're attempting to log? No. Both Argus and tcpdump insert themselves beneath ipf, so they gather all the packets and flows before ipf blocks the traffic.
The Darknet server is now configured with SSH on TCP 22 and an Argus remote flow collection port on TCP 2002. Both services should be configured to bind only to the MGMT NIC, not the SNIFFER NIC, and both should also be protected using ipf. Remember that we are managing this device out of band from the Darknet network.
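
One way to confirm the binding requirement above is to check the listening sockets. This is an added example, not part of the original article. The function name `check_binds`, the MGMT address 192.0.2.10 and the sample lines are assumptions constructed for illustration, and the parser assumes BSD-style `netstat -an` output.

```shell
#!/bin/sh
# Assumption: `netstat -an` prints the local address in field 4 as
# ADDRESS.PORT (BSD style); ADDRESS:PORT is accepted as well.

# check_binds MGMT_IP PORT...
# Reads netstat output on stdin. Prints one line per problem and returns 1
# if a listed port has no listener or listens on anything but MGMT_IP.
check_binds() {
    mgmt_ip=$1; shift
    awk -v mgmt="$mgmt_ip" -v ports="$*" '
        BEGIN { n = split(ports, want, " "); bad = 0 }
        $NF == "LISTEN" && $1 ~ /^tcp/ {
            laddr = $4
            port = laddr; sub(/^.*[.:]/, "", port)   # text after the last . or :
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            for (i = 1; i <= n; i++) {
                if (port != want[i]) continue
                seen[port] = 1
                if (addr != mgmt) {                  # wildcard or SNIFFER address
                    printf "FAIL port %s bound to %s, expected %s\n", port, addr, mgmt
                    bad = 1
                }
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) {
                    printf "FAIL port %s has no listener\n", want[i]
                    bad = 1
                }
            exit bad
        }'
}

# Constructed sample: SSH and Argus both bound to the MGMT address.
sample_good() {
cat <<'EOF'
tcp4       0      0 192.0.2.10.22          *.*                    LISTEN
tcp4       0      0 192.0.2.10.2002        *.*                    LISTEN
EOF
}

# Constructed sample: Argus left on the wildcard address, so it is also
# reachable through the SNIFFER NIC unless ipf blocks it.
sample_bad() {
cat <<'EOF'
tcp4       0      0 192.0.2.10.22          *.*                    LISTEN
tcp4       0      0 *.2002                 *.*                    LISTEN
EOF
}

sample_bad | check_binds 192.0.2.10 22 2002 || echo "listener check failed"
```

On the server itself, feed it live data with `netstat -an | check_binds <MGMT address> 22 2002`. The check covers only bind addresses, so the ipf rules still need their own review.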