Date: Wed, 21 Nov 2001 22:26:14 +0100
From: Paul van der Zwan <paulz@trantor.xs4all.nl>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Paul van der Zwan <paulz@trantor.xs4all.nl>, security@FreeBSD.ORG, paulz@trantor.xs4all.nl
Subject: Re: ipfw and snort
Message-ID: <200111212126.fALLQE606054@trantor.xs4all.nl>
In-Reply-To: Message from Kris Kennaway <kris@obsecurity.org> of "Wed, 21 Nov 2001 12:55:22 PST." <20011121125522.A17380@xor.obsecurity.org>

> On Wed, Nov 21, 2001 at 09:02:57PM +0100, Paul van der Zwan wrote:
> >
> > I would like to run snort on my ppp link to my ISP to see what people are
> > trying, but I also have a set of ipfw rules to allow only the traffic I
> > want to allow.
> > Is there a way to have those rules in place but still have snort see all
> > incoming packets including those running into the deny rules ??
>
> Yes, this is how it works always.

I did some testing using ethereal and when I try an incoming telnet (which
is denied by ipfw) I don't see any packets arriving (or ICMP going).
This makes me suspect that bpf processing takes place after ipfw..

Paul

--
Paul van der Zwan paulz @ trantor.xs4all.nl
"I think I'll move to theory, everything works in theory..."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200111212126.fALLQE606054>