Menu
▾
▴
Re: [Shorewall-users] shortewall and snort_inline question.
|
From: Tom E. <te...@sh...> - 2006-01-13 14:51:09
|
On Friday 13 January 2006 06:36, Michael W Cocke wrote: > > So I guess I need to know under what circumstances a packet is routed > to QUEUE - every packet, or just the first packet of a series of > transactions? and if the latter, is there a way to change it? What the Snort-inline developer said is true of Shorewall versions prior to= =20 3.0.=20 In 3.0, it depends on which section of the rules file you put your rule in.= If=20 you put it in the NEW section then it applies to only the initial packet in= a=20 conversation. If you put it in the ESTABLISHED section then the rule applie= s=20 to all packets in the conversation EXCEPT the first one. And finally, if yo= u=20 put it in the RELATED section then it applies to the first packet in a=20 conversation that is related to an existing ESTABLISHED connection (ICMP=20 packets related to a session, first packet in an FTP data connection, etc). =2DTom =2D-=20 Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ te...@sh... PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key |