Lars wrote on 15/06/2005 13:00:59:
> hello list,
> 
> i've set up shorewall and snort inline on a linux box. it works, but
> snort only sees traffic from new connections. and this is because
> shorewall automatically generates rules to accept established and
> related connections. how can i force shorewall to queue everything, so
> that snort can scan the whole traffic like in IDS mode. The setup i have
> now is really simple, just 2 zones (loc and net). Here are the parts i
> think are important:
> rules:
> QUEUE   all   all   all
> 
> and policy:
> loc   all   QUEUE
> net   $FW   DROP
> net   loc   QUEUE
> $FW   all   QUEUE
> 
> if you need more info, just tell me, but i think the problem is known.
> 
Yes, it is known and there are some old threads in the mailing list
discussing it.
Take a look at
http://lists.shorewall.net/pipermail/shorewall-users/2005-March/017748.html
hope it helps,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
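As an added example (not from Lars, Eduardo or the linked thread): one way to hand ESTABLISHED and RELATED packets to snort_inline as well, assuming a Shorewall release whose rules file is divided into SECTION lines (the NEW, ESTABLISHED and RELATED sections are assumed here, not taken from this thread).

```text
# /etc/shorewall/rules  (assumed: sectioned rules file)
#
# Shorewall's implicit ACCEPT for ESTABLISHED and RELATED traffic is what keeps
# those packets away from snort; an explicit QUEUE placed in these sections is
# evaluated before that implicit ACCEPT.
SECTION ESTABLISHED
QUEUE   all   all
SECTION RELATED
QUEUE   all   all
SECTION NEW
# Lars's original rule, which now only matches connection-opening packets
QUEUE   all   all   all
```

If no user-space process is attached to the queue, QUEUE'd packets are dropped rather than forwarded, so confirm snort_inline is running before restarting Shorewall with these rules.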