From: Christopher B. <bla...@um...> - 2004-12-30 13:54:13
Ahhh, what a way to join the list.

I am using snort_inline 2.2.0a, and the information below is still accurate. However, I didn't realize the test.rules set was modifying both DNS and ICMP packets. Commenting out those rules, snort_inline is working just as it should.

Would it be useful to produce diff patches for my changes for snort_inline 2.2.0a on FreeBSD 5.3?

On Thu, 2004-12-30 at 08:38, Christopher Black wrote:
> Hello list,
>
> I am using snort_inline on FreeBSD 5.3 with IPFW, and after fixing the
> following (line 184 used to be in the ndef block) in snort.h:
>
> 179 #ifndef IPFW
> 180 char layer2_resets;
> 181 u_char enet_src[6];
> 182 #endif
> 183 #ifdef IPFW
> 184 char log_bad_checksums;
> 185 int divert_port;
> 186 #endif /* USE IPFW DIVERT socket instead of IPtables */
>
> It will compile, but drops every packet. I traced that back to checking
> the IP header checksum, and based on the comment leading that block
> (that the check is mostly unneeded), I just commented out the line to
> call InlineDrop(). Now it's not dropping the packet there, but still
> seems to be dropping it somewhere.
>
> Has anyone else run into and/or fixed this? I will continue hunting,
> but look forward to your input!

--
Christopher Black <bla...@um...>