From: Paul van der Zwan <paulz@trantor.xs4all.nl>
To: Kris Kennaway
Cc: Paul van der Zwan, security@FreeBSD.ORG, paulz@trantor.xs4all.nl
Subject: Re: ipfw and snort
Date: Wed, 21 Nov 2001 22:26:14 +0100
Message-Id: <200111212126.fALLQE606054@trantor.xs4all.nl>
In-Reply-To: Message from Kris Kennaway of "Wed, 21 Nov 2001 12:55:22 PST." <20011121125522.A17380@xor.obsecurity.org>

> On Wed, Nov 21, 2001 at 09:02:57PM +0100, Paul van der Zwan wrote:
> >
> > I would like to run snort on my ppp link to my ISP to see what people are
> > trying, but I also have a set of ipfw rules to allow only the traffic I
> > want to allow.
> > Is there a way to have those rules in place but still have snort see all
> > incoming packets including those running into the deny rules ??
>
> Yes, this is how it works always.

I did some testing using ethereal and when I try an incoming telnet (which is denied by ipfw) I don't see any packets arriving (or ICMP going). This makes me suspect that bpf processing takes place after ipfw..

Paul
--
Paul van der Zwan  paulz @ trantor.xs4all.nl
"I think I'll move to theory, everything works in theory..."