lists_shorewall wrote:

Has anyone used the Snort inline functionality with Shorewall?

I haven't


How do I modify that rule to pass the packets to Snort inline for
inspection prior to being passed on to the webserver?  Do I need two
rules?  One to send to Snort inline and then another subsequent rule to
forward to the webserver?  I'm not clear on how packets are sent to
Snort inline for inspection and then passed back to Shorewall in order
(in my example) to be forwarded on to a webserver.

That question is a bit troubling as it implies that you think that Shorewall
handles packets. Shorewall (whether Shorewall-perl or Shorewall-shell)
results in a SHELL PROGRAM that configures your kernel; Shorewall itself
never touches a packet.

But back to your question...

A DNAT rule in Shorewall results in two equivalent rules. The following are
equivalent:

        DNAT net dmz:10.100.0.4 TCP     80 - 206.124.146.180

        DNAT-   net   dmz:10.100.0.4 tcp 80 - 206.124.146.180
        ACCEPT  net   dmz:10.100.0.4 tcp 80 - 206.124.146.180

Notes:

1) your original rule is a little silly -- HTTP/<anything> implies 'tcp 80' so it is redundant to repeat those elements.

2) in Shorewall-perl 4.2, you may omit the zone (dmz:) before the destination DEST address in the DNAT- rule; in fact, the above DNAT- rule will generate a warning.

So if you want to send the accepted packets to the QUEUE target, you just
code this:

        DNAT-   net   dmz:10.100.0.4 tcp 80 - 206.124.146.180
        QUEUE   net   dmz:10.100.0.4 tcp 80 - 206.124.146.180

BUT.... that pair of rules only determines what happens to THE FIRST PACKET
IN A CONNECTION to port 80. If you want to pass all incoming packets in a
connection to Snort Inline (high latency?) then you need to add the second rule to the ESTABLISHED section of the rules file in addition to the NEW section. That is required in order for Snort-inline to notice that the remote criminals are trying to access 206.124.146.180/php.exe...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
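To show how the rules Tom describes fit into a sectioned rules file, here is an added example (not from the original mail or the Shorewall project), using the same addresses and assuming a Shorewall 4.2 rules file:

```text
# /etc/shorewall/rules (constructed example)
# Columns: ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
# Shorewall requires SECTION ESTABLISHED to appear before SECTION NEW.

SECTION ESTABLISHED
# Every later packet of the already-DNATed connection is also handed to
# the QUEUE target, so snort_inline sees the whole request, not just the SYN.
QUEUE   net   dmz:10.100.0.4   tcp   80   -   206.124.146.180

SECTION NEW
# First packet: rewrite the destination only (no ACCEPT); the zone prefix is
# omitted in the DNAT- DEST column as the mail notes for Shorewall-perl 4.2.
DNAT-   net   10.100.0.4       tcp   80   -   206.124.146.180
# ... then queue it to userspace for inspection instead of accepting it.
QUEUE   net   dmz:10.100.0.4   tcp   80   -   206.124.146.180
```

The QUEUE target hands packets to a userspace listener (snort_inline via the ip_queue module); if no listener is attached, the kernel drops queued packets, so the web server becomes unreachable rather than unprotected when Snort is down.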

