On 9/14/2012 9:35 AM, [email protected] wrote:

> Hello,
> I would like to verify the order in which incoming packets are processed by pfSense. Currently I have two pfSense 2.0.1-RELEASE boxes in a failover setup. Both boxes have Snort installed.
>
> My "assumptions" are:
> 1) Packets are evaluated by firewall rules first
> 2) Packets are then seen by Snort (based on the fact that I am only currently running Snort on the WAN interface)
> 3) NAT tables are evaluated
> 4) Packets are sent to DMZ web servers.
>
> My question is, are these assumptions correct? If not, could someone please post the corrected order?
>
> Sound reasonable, or am I missing the mark completely?
You have it almost completely backwards. At least 1-3 are :-)

It really goes:

1. Packets come in on the wire - things listening on the NIC in promisc or similar, like tcpdump or snort, see things here.
2. NAT is processed.
3. Firewall rules are processed - so if NAT applied (port forward, etc.), you filter on the NAT translated address as the destination.
4. Packets are routed by pf or the OS depending on whether or not the rule had a policy routing gateway set.

Then steps 3, 2, 1 on the way out the other interface, if applicable (outbound floating rules, outbound NAT, and then tcpdump would see what is "on the wire").

Jim

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
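The inbound order Jim describes (sniffer on the wire, then NAT, then filter, then route), modelled as an added toy pipeline. This is illustration code written for this thread, not pfSense or pf code; the addresses, the port forward and the two firewall rules are constructed sample values, and the point it demonstrates is step 3: a rule written against the pre-NAT public address never matches a port-forwarded packet.

```python
# Toy model of pfSense inbound processing: tap -> NAT -> filter -> route.
# Not pfSense code; every address, port and rule below is constructed.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str = "wan"


# Constructed port forward: WAN 203.0.113.10:80 -> DMZ web server 192.0.2.80:8080
PORT_FORWARDS = [("wan", "203.0.113.10", 80, "192.0.2.80", 8080)]

# Constructed WAN rules, (dst, dport, action), first match wins, default deny.
# The first rule targets the public address and can never match, because by
# the time the filter runs the destination has already been translated.
RULES_PRE_NAT_ONLY = [("203.0.113.10", 80, "pass")]
RULES_POST_NAT = RULES_PRE_NAT_ONLY + [("192.0.2.80", 8080, "pass")]


def tap(pkt, seen):
    """Step 1: tcpdump/Snort on the NIC see the packet exactly as on the wire."""
    seen.append(pkt)
    return pkt


def apply_nat(pkt):
    """Step 2: port forwards rewrite the destination before any filtering."""
    for iface, dst, dport, new_dst, new_port in PORT_FORWARDS:
        if pkt.iface == iface and pkt.dst == dst and pkt.dport == dport:
            return replace(pkt, dst=new_dst, dport=new_port)
    return pkt


def filter_packet(pkt, rules):
    """Step 3: evaluate rules against the translated packet; default block."""
    for dst, dport, action in rules:
        if pkt.dst == dst and pkt.dport == dport:
            return action, (dst, dport)
    return "block", None


def process(pkt, rules):
    """Run the inbound pipeline and report what each stage saw or decided."""
    seen = []
    tap(pkt, seen)
    translated = apply_nat(pkt)
    action, matched = filter_packet(translated, rules)
    return {"sniffer_saw": seen[0].dst, "filtered_dst": translated.dst,
            "action": action, "matched_rule": matched}
```

Running `process(Packet("198.51.100.7", "203.0.113.10", 80), RULES_PRE_NAT_ONLY)` blocks the packet even though a pass rule for the public address exists, while `RULES_POST_NAT` passes it on the translated 192.0.2.80:8080 rule.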
