Thibodeau, Jamie L.
2005-Mar-30 15:56 UTC
RE: Shorewall and an inline IDS(snort-inlineorhogwash)
Plus I would like to let you know that it works like a charm. Snort can now see those packets.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Thibodeau, Jamie L.
Sent: Wednesday, March 30, 2005 9:25 AM
To: Mailing List for Shorewall Users
Subject: RE: [Shorewall-users] Shorewall and an inline IDS(snort-inlineorhogwash)

You are awesome!!!!

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Wednesday, March 30, 2005 9:11 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Shorewall and an inline IDS (snort-inlineorhogwash)

Tom Eastep wrote:
> Thibodeau, Jamie L. wrote:
>
>> I made an attempt to run snort_inline and shorewall on the same system
>> but I could not get snort to see the packets.
>>
>> Maybe someone with a little more iptables knowledge could tell me what
>> I'm doing wrong or if it's possible to have the systems set up so that
>> it places packets that the firewall would allow into QUEUE.
>>
>
> There is no way to do that currently with Shorewall.
>

However, it only took a few lines of code to make it possible. In CVS (Shorewall/) you will find a 'firewall' script that allows QUEUE as a policy in /etc/shorewall/policies. That, together with the QUEUE action in the rules file, should allow you to do what you want. The change is based on version 2.2.2 and will be included in 2.2.3 which will come out in a couple of weeks.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Wed, 30 Mar 2005, Thibodeau, Jamie L. wrote:

> Plus I would like to let you know that it works like a charm.
>
> Snort can now see those packets.
>

I assume that Snort only needs to see new connection requests since those are the only packets that are subject to rules and policies.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
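The setup Tom describes (QUEUE as a policy plus the QUEUE action in the rules file), written out as an added example that is not from this thread or from the Shorewall project. It assumes the conventional zone names net, loc and fw, the installed file paths /etc/shorewall/policy and /etc/shorewall/rules, the Shorewall 2.2 column layout, and a constructed web-server address; traffic the firewall would otherwise ACCEPT is handed to the kernel QUEUE target instead, where snort-inline issues the final accept/drop verdict.

```conf
# /etc/shorewall/policy   (assumed path; Shorewall 2.2 column layout)
# Default disposition for NEW connections between zones. QUEUE as a
# policy is the 2.2.3 addition from the thread: instead of ACCEPTing a
# new loc->net connection outright, hand it to the userspace queue
# (ip_queue) so snort-inline decides whether it is accepted or dropped.
#
#SOURCE     DEST        POLICY      LOG LEVEL   LIMIT:BURST
loc         net         QUEUE       -
fw          net         ACCEPT
net         all         DROP        info
all         all         REJECT      info

# /etc/shorewall/rules    (assumed path)
# Exceptions to the policies above. Inbound services that would have
# been ACCEPTed are QUEUEd instead so the IDS inspects them; anything
# not listed still falls through to the net->all DROP policy.
#
#ACTION     SOURCE      DEST            PROTO   DEST PORT(S)
QUEUE       net         loc:10.0.0.5    tcp     80,443      # constructed web server address
QUEUE       net         fw              tcp     22
ACCEPT      loc         fw              udp     53          # local DNS: not queued
#
# Caveat, as Tom notes in his follow-up: only packets that open a NEW
# connection reach these rules and policies. Packets belonging to
# ESTABLISHED/RELATED connections are accepted before the per-zone
# chains and never hit the QUEUE target, so an IDS wired in this way
# sees connection setup, not the full stream of each connection.
```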