From owner-freebsd-questions Fri Jan 12 8:43:47 2001 Delivered-To: freebsd-questions@freebsd.org Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by hub.freebsd.org (Postfix) with ESMTP id 6BDB637B6A3 for ; Fri, 12 Jan 2001 08:43:17 -0800 (PST) Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by cactus.fi.uba.ar (8.9.3/8.9.3) with ESMTP id NAA40732; Fri, 12 Jan 2001 13:46:14 -0300 (ART) (envelope-from fgleiser@cactus.fi.uba.ar) Date: Fri, 12 Jan 2001 13:46:14 -0300 (ART) From: Fernando Gleiser To: Mark Rowlands Cc: freebsd-questions@FreeBSD.ORG Subject: Re: what happens first when ipf / snort reject packets In-Reply-To: <01011122293900.01277@web1.tninet.se> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Thu, 11 Jan 2001, Mark Rowlands wrote: > I have finally switched my home gateway from NT to FreeBSD woohoo!. and I > got a job so its been a good day already, however :- > > I am running 4.2 stable with ipf and ipnat and with snort enabled on the > external interface. > > Stupid question I guess, but which takes precedence, if ipf blocks a packet, > does this mean snort never sees it? I guess tomorrow I will put the gateway > on a hub and check this out but it would be nice if anyone knows this and can > tell me before I go to bed and stop me lying there thinking about it:-) Snort sees all the packets, regardless of wether ipf blocks it or not. That is because snort uses bpf(4), which is at a lower level than ipf. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message