[Snort-users] $HOME_NET and $EXTERNAL_NET configuration problem

Marco Stolpe x25ugip1 at ...10061...
Thu Sep 11 06:35:18 EDT 2003


I'm using Snort on my OpenBSD firewall machine, although I know that it 
was better to use seperate machines for that task. But at the moment I 
cannot afford any new PCs and I think for a small home network like mine 
it would be overkill anyhow.

My setup looks like the following:

Internet <-> DSL-Router <-> rl0 FW rl1 <-> Private Network

DSL-Router (IP):
FW (IP on rl0):
FW (IP on rl1):

So I have two networks, one before my firewall ( and one 
behind (

I wish to run an instance of Snort on each interface (rl0 and rl1) to 
know better what attacks are tried on the external interface, which of 
those attacks are getting blocked by the firewall and if any attacks 
were able to enter my internal network. But at the same time, I'd like 
to do the same for the other direction - internal network to internet - 
in case malicious software got installed and tries to contact it's home 
servers or to spread further across the internet.

Now I'm somewhat confused about the variables $EXTERNAL_NET and $HOME_NET.

If I want to control traffic in *both* directions, do I have to set 
those variables both to "any"?

I read something like this in the FAQ, but would like to be sure that 
this is the right way to do it for the setup I've shown above.

Many greetings,


More information about the Snort-users mailing list