Date: Tue, 26 Aug 2003 18:00:22 -0700
From: K Anderson
To: Lowell Gilbert
cc: freebsd-questions@freebsd.org
Subject: Re: IPFW & ICMP

Lowell Gilbert wrote:
> K Anderson writes:
>
>> I figure
>> that the firewall should block the traffic first so as to prevent
>> ruled traffic from coming in and then, in my thinking, snort shouldn't
>> see it.
>>
>> Hopefully somebody might have an explanation with the why's and how
>> comes one way or the other.
>
> Your way would rule out sniffing of third-party traffic.

So then it is normal behaviour for snort to see the packets then get to the firewall and then be processed?
I'm up to 10K+ Cyberkit 2.2 packets in a 24 hour period.