From: Sandro P. <se...@gm...> - 2003-09-08 05:42:29
I adopted rc.firewall (which allows everything in but limits everything out) to allow everything in AND out except what snort-inline has to block (this is OK for my intended setup, which only blocks sessions belonging to worms, e.g. ut, leaving legal traffic on the same port untouched).

BTW: I used the ebtables patch (it also includes bridge-nf, see ebtables.sourceforge.net) for 2.4.21 (used the original from kernel.org).

HTH,
Sandro

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi guys,
>
> I searched high and low, googled, etc. and have not found an answer that explains
> the situation I'm having.
>
> I built a Debian testing box, kernel 2.4.21 (vanilla) with the bridge-nf patch,
> snort-inline 2.0.1. The box is in bridge mode and I have iptables rules that
> QUEUE all the traffic I'm interested in. The issue I'm having is that
> snort-inline never lets the traffic pass. I've even put in pass rules for each
> of the protocols (ip, tcp, udp, icmp). It did take a while to realize that you
> can't run snort-inline as snort and have the libipq work.
>
> If I don't QUEUE the traffic then everything flows through the bridge and my
> other firewall rules work correctly. It's just when I start QUEUEing and run
> snort-inline. I've used the honeynet config files as a template for snort.conf
> but used the regular snort-inline rules.
>
> What happens to a packet that snort-inline doesn't trigger on (drop, reject,
> etc.)? Do I have to have anything extra in my firewall rules other than the -j
> QUEUE rule?
>
> Suggestions, feedback, etc. most welcome.
>
> Thanks,
>
> - --
> James A. Pattie
> ja...@pc...
>
> Linux -- SysAdmin / Programmer
> Xperience, Inc.
> http://www.pcxperience.com/
> http://www.xperienceinc.com/
>
> GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
>
> iD8DBQE/WNY5tUXjwPIRLVERAqBWAJ0Y4GEyc/xk2M7iXMxKBzXZWZMYngCg1uPA
> qNwVA25V6MEVho4nfwGTLGE=
> =O1oh
> -----END PGP SIGNATURE-----
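The setup Sandro describes (default-accept in both directions, with only the traffic snort-inline should inspect handed to userspace through the QUEUE target) and the symptom James reports (queued traffic never passing) are illustrated by the following added example. It is not code from either poster or from the snort-inline project. The ruleset is the minimal rc.firewall-style shape for a 2.4 bridge with bridge-nf, where bridged packets traverse the FORWARD chain; the DRY_RUN switch, the helper names and the parsing of the ip_queue status file are assumptions made for this example. The practical caveat it encodes: with a -j QUEUE rule in place, the kernel drops every queued packet when no userspace reader is attached to ip_queue, so a snort-inline process that is not actually bound to the queue produces exactly the "nothing gets through" behaviour, regardless of how permissive the snort rules are.

```shell
#!/bin/sh
# Added example (not from the mailing-list posts): a minimal default-accept
# bridge ruleset that queues selected protocols to snort-inline, plus a
# check that a userspace reader is attached to ip_queue before the QUEUE
# rules are loaded. DRY_RUN, build_rules and queue_reader_present are
# names chosen for this example.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the iptables commands instead of running them

# ipt: run (or, in dry-run mode, print) one iptables invocation so the
# generated ruleset can be reviewed on a machine without iptables.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# build_rules: default policy ACCEPT in every chain, so anything
# snort-inline does not veto is forwarded; only tcp, udp and icmp in
# FORWARD are diverted to userspace with -j QUEUE. On a 2.4 bridge with
# bridge-nf loaded, bridged frames hit FORWARD, which is why the QUEUE
# rules live there rather than in INPUT/OUTPUT.
build_rules() {
    ipt -F
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD ACCEPT
    for proto in tcp udp icmp; do
        ipt -A FORWARD -p "$proto" -j QUEUE
    done
}

# queue_reader_present: exit 0 when a userspace process is attached to the
# ip_queue module. Assumption: the status file ($1, default
# /proc/net/ip_queue) carries a "Peer PID : <pid>" line, where 0 means no
# reader. Without a reader the kernel drops every QUEUEd packet.
queue_reader_present() {
    file="${1:-/proc/net/ip_queue}"
    [ -r "$file" ] || return 1
    pid=$(awk -F: '/[Pp]eer [Pp][Ii][Dd]/ { gsub(/ /, "", $2); print $2 }' "$file")
    [ -n "$pid" ] && [ "$pid" != "0" ]
}

# Stand-alone use: print the ruleset, and warn if loading it for real
# would black-hole traffic because nothing is reading the queue.
if [ "$DRY_RUN" = "1" ]; then
    build_rules
elif queue_reader_present; then
    build_rules
else
    echo "refusing to load QUEUE rules: no userspace reader on ip_queue" >&2
    exit 1
fi
```

Run it with DRY_RUN=1 (the default) to see the rules it would install; with DRY_RUN=0 it loads them only after confirming that something, normally snort-inline, is attached to ip_queue. The order matters for the symptom in the thread: start the queue reader first, then add the QUEUE rules, otherwise every matched packet is dropped in the window before the reader appears.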