Gotcha. And it is snorting on fxp0, the external interface; xl0 is the internal interface. When I first noticed this I thought that was the issue and double-checked it.
> edo> (...) it seems if I create a rule to let a specific packet through
> edo> the firewall then snort sees it; if I block it, then it never gets
> edo> logged by snort. So I am totally confused and pulling out my hair.
> edo> I have posted my snort configs to the snort list and no one sees
> edo> anything wrong with it.
>
> Are you sure that you snort on the right (=correct) side of your
> firewall, i.e. does the traffic you block arrive at the interface you
> are snorting on? On a plain two-legged router you can snort on if0 all
> traffic that comes from the network connected to if0, and on if1 you can
> snort all traffic that comes from the network that is connected to if1!
>
> If you have your LAN on if0 and "the internet" on if1, you can see all
> traffic originating *from* the internet on if1 (regardless of your pf
> rules) and all traffic *from* the LAN on if0. Obviously a packet from
> your LAN blocked by pf won't show up on if1!!! (and the other way round)
>
> --
> Best regards,
> Max mailto:[EMAIL PROTECTED]
