On 9/14/2012 10:11 AM, Vincent Hoffman wrote:
> On 14/09/2012 15:02, Jim Pingle wrote:
>> On 9/14/2012 9:35 AM, [email protected] wrote:
>>> Hello,
>>> I would like to verify the order in which incoming packets are processed
>>> by pfSense. Currently I have two pfSense 2.0.1-RELEASE boxes in a
>>> failover setup. Both boxes have Snort installed.
>>> My "assumptions" are:
>>> 1) Packets are evaluated by firewall rules first
>>> 2) Packets are then seen by Snort (based on the fact that I am only
>>> currently running Snort on the WAN interface)
>>> 3) NAT tables are evaluated
>>> 4) Packets are sent to DMZ web servers.
>>>
>>> My question is, are these assumptions correct? If not, could someone
>>> please post the corrected order?
>>>
>>> Sound reasonable or am I missing the mark completely?
>> You have it almost completely backwards. At least 1-3 are :-)
>>
>> It really goes:
>> 1. Packets come in on the wire - things listening on the NIC in promisc
>> or similar, like tcpdump or snort, see things here
>> 2. NAT is processed
>> 3. Firewall rules are processed - so if NAT applied (port forward, etc.),
>> you filter on the NAT translated address as the destination.
>> 4. Packets are routed by pf or the OS depending on whether or not the
>> rule had a policy routing gateway set.
>>
>> Then steps 3, 2, 1 on the way out the other interface, if applicable
>> (outbound floating rules, outbound NAT, and then tcpdump would see what
>> is "on the wire").
> This may also be useful, although it only handles it once it hits pf, i.e.
> about step 2 here.
> http://www.benzedrine.cx/pf_flow.png
Yep. Also I had the last bit wrong there: on the way "out" the NAT still happens before the firewall rules, so it isn't completely in reverse of the way in.

Jim

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
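To make the order concrete, here is an added Python model of the inbound and outbound paths Jim describes. It is example code written for this page, not pfSense or pf code; the port forward, the RFC 5737 documentation addresses and the rule sets are constructed for the illustration, and the class and function names are hypothetical. It shows the practical consequence of step 2 running before step 3: a pass rule written against the WAN address never matches a port-forwarded packet, because by the time the filter runs the destination has already been rewritten to the internal host. The outbound path follows Jim's correction, with NAT before the rules and the wire last.

```python
"""Toy model of the pf packet path described in the thread (added example,
not pfSense code). Inbound: wire capture -> NAT -> filter -> route.
Outbound: NAT -> filter -> wire capture. All addresses are constructed."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class PortForward:
    """Hypothetical inbound NAT (port forward) entry."""
    wan_ip: str
    wan_port: int
    target_ip: str
    target_port: int


@dataclass(frozen=True)
class OutboundNat:
    """Hypothetical source NAT entry: hosts whose address starts with src_prefix leave as nat_ip."""
    src_prefix: str
    nat_ip: str


@dataclass(frozen=True)
class FilterRule:
    action: str                  # "pass" or "block"
    dst: Optional[str] = None    # None matches any destination
    dport: Optional[int] = None  # None matches any port


def capture(pkt: Packet, log: List[str]) -> Packet:
    """Wire view: what tcpdump or snort in promiscuous mode sees on the NIC."""
    log.append(f"capture: {pkt.src} -> {pkt.dst}:{pkt.dport}")
    return pkt


def apply_port_forward(pkt: Packet, forwards: List[PortForward], log: List[str]) -> Packet:
    """Inbound NAT: rewrite the destination before any filter rule is consulted."""
    for fw in forwards:
        if pkt.dst == fw.wan_ip and pkt.dport == fw.wan_port:
            log.append(f"nat: {pkt.dst}:{pkt.dport} -> {fw.target_ip}:{fw.target_port}")
            return replace(pkt, dst=fw.target_ip, dport=fw.target_port)
    return pkt


def apply_filter(pkt: Packet, rules: List[FilterRule], log: List[str]) -> str:
    """First matching rule wins (pfSense-generated rules carry 'quick'); no match is a default block."""
    for rule in rules:
        if (rule.dst is None or rule.dst == pkt.dst) and (rule.dport is None or rule.dport == pkt.dport):
            log.append(f"filter: {rule.action} by rule dst={rule.dst} dport={rule.dport}")
            return rule.action
    log.append("filter: block (default deny)")
    return "block"


def process_inbound(pkt: Packet, forwards: List[PortForward],
                    rules: List[FilterRule]) -> Tuple[str, Packet, List[str]]:
    """Steps 1-4 from the thread: wire, NAT, filter, route."""
    log: List[str] = []
    pkt = capture(pkt, log)
    pkt = apply_port_forward(pkt, forwards, log)
    verdict = apply_filter(pkt, rules, log)
    if verdict == "pass":
        log.append(f"route: forward to {pkt.dst}")
    return verdict, pkt, log


def process_outbound(pkt: Packet, outbound_nats: List[OutboundNat],
                     rules: List[FilterRule]) -> Tuple[str, Packet, List[str]]:
    """Egress per Jim's correction: NAT still runs before the rules, then the packet hits the wire."""
    log: List[str] = []
    for onat in outbound_nats:
        if pkt.src.startswith(onat.src_prefix):
            log.append(f"nat: src {pkt.src} -> {onat.nat_ip}")
            pkt = replace(pkt, src=onat.nat_ip)
            break
    verdict = apply_filter(pkt, rules, log)
    if verdict == "pass":
        capture(pkt, log)
    return verdict, pkt, log


# Constructed scenario: WAN 203.0.113.10:80 forwarded to DMZ web server 192.0.2.5:80.
FORWARD = PortForward("203.0.113.10", 80, "192.0.2.5", 80)
INBOUND = Packet("198.51.100.7", "203.0.113.10", 80)
RULES_WRITTEN_FOR_WAN_IP = [FilterRule("pass", dst="203.0.113.10", dport=80)]  # never matches
RULES_WRITTEN_FOR_DMZ_IP = [FilterRule("pass", dst="192.0.2.5", dport=80)]     # correct target

if __name__ == "__main__":
    for rules in (RULES_WRITTEN_FOR_WAN_IP, RULES_WRITTEN_FOR_DMZ_IP):
        verdict, _, log = process_inbound(INBOUND, [FORWARD], rules)
        print(verdict, "|", " / ".join(log))
```

Running the block prints a `block` line for the rule set keyed on the WAN address and a `pass` line for the one keyed on the DMZ address; in both runs the first log entry (the capture) still shows the original WAN destination, which is why a Snort alert on WAN and a firewall log entry for the same packet can name different destination addresses.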
