Snort Forums Archive
Using snort inline with APF firewall?
Posted by markus on March 07, 2005 20:46:37
My server will be dedicated to shared hosting. Running RHLE, Apache, MySQL, PHP, Exim, etc.
I've been using Snort for about 2 months or so. I'm about to start a small business (my dream) and I'm currently testing and learning (hey, this is a never-ending story). Well, I'm also using APF (rfxnetworks firewall, it's an iptables front-end).
While testing I tried to enable the inline option in Snort and it worked great.
However, APF creates all the iptables rules and I don't know how I could touch it to make it work with Snort inline enabled.
I was trying to understand all the docs related to snort_inline, but they always talk about bridge/nat mode. Very difficult to translate to my needs. I do not forward, but process input/output chains only.
What I need is to touch the rules APF creates to make them enter the Snort inline queue.
My problem is I don't know how to do it. :-(
Some time ago I posted this at the rfx forums, and Ryan said it was a very nice idea, etc. but I'm still waiting for a working answer. :-(
Can anyone help me figure out how I could adapt APF to Snort?
Any suggestions on how to use Snort inline with another firewall on a server dedicated to shared hosting?
Thanks
Posted by bdinello on March 16, 2005 11:23:08
It sounds like your problem is more fundamental than making snort-inline work with APF. If I understand, you're trying to use snort-inline to protect all of the services on the box that snort is running on.
I don't know much, ok, anything about APF, but I'm pretty handy with iptables. Unless you have a legitimate need to use APF, I'd ditch it and learn iptables. In the end, you'll find it more useful to have direct control over it.
At any rate, in theory this should be possible by setting your INPUT chain to DROP by default and your last rule in the INPUT chain should be an "iptables -A INPUT -j QUEUE" type rule. That will place all inbound traffic in the iptables queue where snort-inline will either drop it or let it pass.
You could also do the same thing with the OUTPUT table but you've covered the 80/20 rule with just the INPUT chain. Also, don't forget that iptables still grabs packets before snort does so you can take full advantage of all firewall features without putting any additional load on snort.
In practice, I only use snort-inline in a more "inline" mode, so your mileage will surely vary.
Let us know how far you get,
-B
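The layout bdinello describes, written out as an added example that is not part of the thread: a script that prints (or, with --apply, loads) a filter table in which iptables does the cheap filtering first and the final rules hand the remaining inbound traffic to snort_inline through the QUEUE target. The script name, the service port list and the ADMIN_HOST bypass are assumptions for illustration, and loading it with iptables-restore replaces whatever filter table APF built, which is in line with the advice above to drop APF.

```shell
#!/bin/sh
# Added example, not from the thread: filter table for a host that protects
# its own services with snort_inline, following bdinello's layout (INPUT
# policy DROP, iptables filters first, QUEUE hands the rest to snort_inline).
# Assumes the ip_queue QUEUE target and a single snort_inline reader.
# SERVICE_PORTS and ADMIN_HOST are constructed defaults; override via env.
SERVICE_PORTS="${SERVICE_PORTS:-22 25 80 443}"
ADMIN_HOST="${ADMIN_HOST:-}"

# Emit the rules in iptables-restore(8) format. Order is the whole point:
# anything ACCEPTed or DROPped before a QUEUE rule never reaches snort.
snort_inline_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'     # unmatched inbound dies here
    printf '%s\n' ':FORWARD DROP [0:0]'   # no bridge/NAT, nothing to forward
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'  # the 80/20 choice from the thread
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # Fail-safe: with no process reading the queue the kernel drops every
    # QUEUEd packet, so keep one management path that bypasses snort.
    if [ -n "$ADMIN_HOST" ]; then
        printf '%s\n' "-A INPUT -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT"
    fi
    # Established streams go to snort too, so it sees payloads, not just SYNs.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j QUEUE'
    # New connections only to the hosted services; everything else hits DROP.
    for p in $SERVICE_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j QUEUE"
    done
    printf '%s\n' 'COMMIT'
}

# Usage: ./snort-inline-rules.sh          (print the table)
#        ./snort-inline-rules.sh --apply  (load it with iptables-restore, as root)
case "${1:-}" in
    --apply) snort_inline_rules | iptables-restore ;;
    *)       snort_inline_rules ;;
esac
```

If snort_inline stops running, every QUEUEd packet is dropped by the kernel, so without the ADMIN_HOST rule the box goes dark until snort is restarted from the console.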