Shorewall users - Jan 2006 - shortewall and snort_inline question.

Tom and whoever else might know the answer - I''m still working on
getting shorewall and snort_inline in series, and the snort_inline
developer has a question that I don''t know the answer to (I''m
not even
sure I understand the question).

quote:

I am not totally sure, but i think only NEW traffic is passed the to
the QUEUE. As soon as it is ESTABLISHED, it will be ACCEPTed by the
above ''-A net2fw -m state --state RELATED,ESTABLISHED -j
ACCEPT'' rule.
But like i said, i''m not completely sure, so you better check the
shorewall support channels for that. If i am right, snort_inline will
hardly see any traffic, so then it is not so strange it doesn''t cause
alerts...

end quote.

So I guess I need to know under what circumstances a packet is routed
to QUEUE - every packet, or just the first packet of a series of
transactions?  and if the latter, is there a way to change it?

Mike-
--
If you''re not confused, you''re not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed 
site-wide spam filters at catherders.com.  If email from you bounces,
try non-HTML, non-encoded, non-attachments,



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click

On Friday 13 January 2006 06:36, Michael W Cocke wrote:
>
> So I guess I need to know under what circumstances a packet is routed
> to QUEUE - every packet, or just the first packet of a series of
> transactions?  and if the latter, is there a way to change it?
What the Snort-inline developer said is true of Shorewall versions prior to 
3.0. 

In 3.0, it depends on which section of the rules file you put your rule in. If 
you put it in the NEW section then it applies to only the initial packet in a 
conversation. If you put it in the ESTABLISHED section then the rule applies 
to all packets in the conversation EXCEPT the first one. And finally, if you 
put it in the RELATED section then it applies to the first packet in a 
conversation that is related to an existing ESTABLISHED connection (ICMP 
packets related to a session, first packet in an FTP data connection, etc).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key