[Firehol-support] Re: snort and firehol: can they co-exist peacefully?

Daniel Pittman daniel at rimspace.net
Tue Aug 3 10:36:28 BST 2004


On 3 Aug 2004, R. G. Cottrell wrote:
> Daniel Pittman wrote:
>> On 3 Aug 2004, R. G. Cottrell wrote:
>>
>>> I'm running a Debian GNU/Linux system (2.4.18 kernel) and I'd like to
>>> know whether firehol and snort can work together peacefully.

[...]

> Thanks, Daniel. It is now clear to me that the intrusion detection that
> snort does is quite distinct from actually protecting the machine as
> firehol does.

No problem. :)

> This raises another question, though - whether snort reports on
> incoming packets before they hit the firewall or after, but I guess
> that's a question for the snort support people (or preferably a
> Reading of The Fine Manual).

Before, as a general rule. It samples raw packets, prior to the network
stack getting its hands on them, and so prior to the firewall rules.

So, expect to see reports for many things that couldn't possibly get to
your system. 

        Daniel
-- 
Sufficiently advanced cluelessness is indistinguishable from malice.
        -- Bill Seitz
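
Added example, not part of the original post: because snort sees packets before the firewall rules do, one way to triage its alerts is to check each one against the firewall's drop log. The sample lines, the "DROPPED:" log prefix and all function names are constructed assumptions, and only TCP/UDP alerts that carry ports are handled.

```python
import re

# Constructed sample data (not from the thread): two snort "fast" alerts and
# one kernel log line from a firewall rule that logs what it drops.
SNORT_ALERTS = """\
08/03-10:36:28.120000  [**] [1:1000001:1] constructed rule A [**] [Priority: 2] {TCP} 192.0.2.10:40112 -> 198.51.100.5:23
08/03-10:36:29.450000  [**] [1:1000002:1] constructed rule B [**] [Priority: 2] {TCP} 192.0.2.77:51000 -> 198.51.100.5:80
"""
FIREWALL_LOG = """\
Aug  3 10:36:28 host kernel: DROPPED: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40112 DPT=23 SYN
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] .*? \[\*\*\].*"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
KV_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
NEEDED = {"SRC", "DST", "PROTO", "SPT", "DPT"}

def flow_key(proto, src, sport, dst, dport):
    """Normalise a flow to a comparable 5-tuple."""
    return (proto.upper(), src, int(sport), dst, int(dport))

def dropped_flows(log_text, prefix="DROPPED:"):
    """Collect 5-tuples from firewall log lines carrying the assumed prefix."""
    flows = set()
    for line in log_text.splitlines():
        kv = dict(KV_RE.findall(line))
        if prefix in line and NEEDED <= kv.keys():
            flows.add(flow_key(kv["PROTO"], kv["SRC"], kv["SPT"],
                               kv["DST"], kv["DPT"]))
    return flows

def triage(alert_text, log_text):
    """Label each alert by whether the firewall logged a drop for that flow."""
    dropped = dropped_flows(log_text)
    results = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # e.g. ICMP alerts without ports are out of scope here
        key = flow_key(m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
        status = "dropped-by-firewall" if key in dropped else "no-drop-logged"
        results.append((m["sid"], status))
    return results

if __name__ == "__main__":
    for sid, status in triage(SNORT_ALERTS, FIREWALL_LOG):
        print(sid, status)
```

"no-drop-logged" only means no matching drop entry was found; it says nothing about rules that drop without logging.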




