[Snort-users] snort inline behavior
dev.null at ...9081...
Wed Nov 26 00:30:05 EST 2003

Update: I set up a local machine the same way (-j ACCEPT to -j QUEUE,
running snort_inline). Same problem. I watched everything coming into the
firewall like normal (I have some logging in the firewall), but no traffic
actually went anywhere; all connections to and through the box died.

I changed my iptables to -j accept_queue (a newly created empty chain)
instead of -j QUEUE and then appended -j QUEUE and -j ACCEPT to
accept_queue. Reloaded the iptables rules. Didn't do a thing any
different. My reasoning here is that perhaps packets that go to QUEUE only
get DROPed/REJECTed by snort_inline, but it doesn't actually ACCEPT anything
(that way multiple apps can read QUEUE and drop as appropriate).

So it appears that anything that goes down QUEUE never goes anywhere and
never does anything, even with snort_inline running.