> This should work. I have never tried it.  If you're using ipchains
> or iptables, these live in kernel space, and libpcap will capture
> the packets before the firewall gets an opportunity to see them.

> > this may be obvious to all of you but i just want to find out if
> > it's advisable to install a firewall in the same box as snort is
> > installed. will i be missing things if i do it this way like
> > portscans and all that?

Hi, I'm running ipchains on a home gateway with both snort and
portsentry as second-level defenses.
In my personal experience ipchains has first priority, and blocks
anything unwanted, before allowing snort or portsentry to see the
I have even purposely opened some ports so that portsentry can detect
scans on them and block the IPs completely.
Snort has for example not logged any attempts by recent worms, until
I brought down the firewall. Almost immediately both snort and
portsentry started giving alerts about attempts on port 111.

So, Dotslash, it is perfectly possible, and if you have limited
resources (i.e. cash) you can make one machine do a lot. If you have
the ipchains firewall locked down pretty well, you won't see much
happening in the snort and portsentry logs, but in my opinion that's
a good thing, and if someone happens to break through the firewall,
there's still snort to tell me about it, and portsentry to throw them
out the door.

Since my internal masqueraded LAN network is left a lot more 'open'
by ipchains, snort is showing a lot more stuff on that side. This
allows me to monitor the LAN for strange traffic. My LAN is trusted
enough, so I don't have to firewall that side as much. Snort will do
just fine.

Hope this helps,
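The two replies above disagree about whether a packet dropped by the host firewall is still seen by a libpcap sniffer such as snort. The script below is an added example, not from this thread or from the snort project, for settling that question empirically on your own machine. It assumes a Linux host with iptables (the successor of the ipchains used in the thread; ipchains users would insert the equivalent DENY rule), tcpdump and nc, an assumed spare port 31337, and the loopback interface so the probe never leaves the box. The privileged part only runs as root when the script is invoked with the argument `run`; the parsing helper can be exercised without privileges against a constructed tcpdump sample embedded in the script.

```shell
#!/bin/sh
# Added example, not from the thread: does a libpcap sniffer (what snort
# uses) still see a packet that the host firewall drops? Assumes Linux,
# iptables, tcpdump and nc; run as root with the argument "run".

TEST_PORT=${TEST_PORT:-31337}   # assumed unused port
IFACE=${IFACE:-lo}              # loopback keeps the probe on this host

# Count packets to a given destination port in "tcpdump -n" text output
# read from stdin. tcpdump prints the destination as host.port, e.g.
# 127.0.0.1.31337, so match "> <host>.<port>:".
count_port_hits() {
    grep -c "> [0-9.]*\.$1:" || true   # grep -c exits 1 on zero matches
}

# Constructed sample of "tcpdump -n" output: three SYNs, two of them to
# port 31337 and one to port 22.
SAMPLE_CAPTURE='12:00:01.000001 IP 127.0.0.1.40000 > 127.0.0.1.31337: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 127.0.0.1.40001 > 127.0.0.1.22: Flags [S], seq 2, win 65535, length 0
12:00:01.000003 IP 127.0.0.1.40002 > 127.0.0.1.31337: Flags [S], seq 3, win 65535, length 0'

# Run the parser over the constructed sample (no root needed).
sample_hits() {
    printf '%s\n' "$SAMPLE_CAPTURE" | count_port_hits "$1"
}

run_check() {
    cap=$(mktemp)
    # 1. Drop inbound SYNs to the test port at the firewall.
    iptables -I INPUT -p tcp --dport "$TEST_PORT" -j DROP
    # 2. Sniff the interface with libpcap for up to 5 s, as snort would.
    timeout 5 tcpdump -n -l -i "$IFACE" "tcp and dst port $TEST_PORT" > "$cap" 2>/dev/null &
    sniffer=$!
    sleep 1
    # 3. Send one probe SYN to ourselves; the connect failing is expected.
    timeout 2 nc -z 127.0.0.1 "$TEST_PORT" 2>/dev/null || true
    wait "$sniffer" 2>/dev/null || true
    # 4. Remove the rule again, then compare what the sniffer recorded.
    iptables -D INPUT -p tcp --dport "$TEST_PORT" -j DROP
    hits=$(count_port_hits "$TEST_PORT" < "$cap")
    rm -f "$cap"
    if [ "$hits" -gt 0 ]; then
        echo "sniffer saw $hits packet(s) the firewall dropped: an IDS on this box keeps its view"
    else
        echo "sniffer saw nothing: the firewall shadowed the sniffer on $IFACE"
    fi
}

if [ "${1:-}" = run ]; then
    run_check
fi
```

Whatever the result, the same method answers the question for any other firewall or kernel generation: put a DROP rule in front of a port, sniff the interface, send one probe, and see whether the capture contains it. If it does not, snort on that box will be blind to everything the firewall already rejects, which is exactly the portscan-visibility concern raised in the original question.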
