[Snort-users] $HOME_NET and $EXTERNAL_NET configuration problem
x25ugip1 at ...10061...
Thu Sep 11 06:35:18 EDT 2003
I'm using Snort on my OpenBSD firewall machine, although I know that it
would be better to use separate machines for that task. But at the moment I
cannot afford any new PCs and I think for a small home network like mine
it would be overkill anyhow.
My setup looks like the following:
Internet <-> DSL-Router <-> rl0 FW rl1 <-> Private Network
DSL-Router (IP): 192.168.1.1
FW (IP on rl0): 192.168.1.2
FW (IP on rl1): 192.168.54.1
So I have two networks, one before my firewall (192.168.1.0/24) and one
I wish to run an instance of Snort on each interface (rl0 and rl1) to
know better what attacks are tried on the external interface, which of
those attacks are getting blocked by the firewall and if any attacks
were able to enter my internal network. But at the same time, I'd like
to do the same for the other direction - internal network to internet -
in case malicious software got installed and tries to contact its home
servers or to spread further across the internet.
Now I'm somewhat confused about the variables $EXTERNAL_NET and $HOME_NET.
If I want to control traffic in *both* directions, do I have to set
those variables both to "any"?
I read something like this in the FAQ, but would like to be sure that
this is the right way to do it for the setup I've shown above.
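As an added illustration (not part of the original post and not Snort's own code), a toy matcher for the address part of a rule header, showing the effect the question is about: with `HOME_NET` and `EXTERNAL_NET` both `any`, a rule like `alert tcp $EXTERNAL_NET any -> $HOME_NET 80` fires in both directions, whereas the per-interface setting keeps it directional. The addresses come from the setup above; the rule header, the two sample packets and the `!$HOME_NET` negation style are constructed assumptions, and ports and the `<>` operator are ignored.

```python
"""Toy resolver for Snort-style $HOME_NET / $EXTERNAL_NET address tokens.
Constructed for illustration; it is not Snort's parser."""
import ipaddress


def addr_matches(token, ip, settings):
    """True if `ip` matches a rule address token.

    Tokens: 'any', a CIDR, or '$NAME' looked up in `settings`; any token
    may be prefixed with '!' to negate it (e.g. '!$HOME_NET').
    """
    negate = token.startswith("!")
    token = token[1:] if negate else token
    if token.startswith("$"):
        # A variable's value may itself be 'any', a CIDR or a negated token.
        matched = addr_matches(settings[token[1:]], ip, settings)
    elif token == "any":
        matched = True
    else:
        matched = ipaddress.ip_address(ip) in ipaddress.ip_network(token, strict=False)
    return matched != negate


def header_matches(header, src_ip, dst_ip, settings):
    """Match the source/destination address fields of a one-way rule header
    such as 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80' (ports ignored)."""
    parts = header.split()
    src_tok, dst_tok = parts[2], parts[5]
    return addr_matches(src_tok, src_ip, settings) and addr_matches(dst_tok, dst_ip, settings)


# Constructed sample packets seen on the rl1 (internal) side of the firewall.
INBOUND = ("192.168.1.1", "192.168.54.10")    # router side -> internal host
OUTBOUND = ("192.168.54.10", "192.168.1.1")   # internal host -> router side

# Two candidate variable settings from the question.
BOTH_ANY = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
RL1_SPECIFIC = {"HOME_NET": "192.168.54.0/24", "EXTERNAL_NET": "!$HOME_NET"}

RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 80"


def directions_hit(settings, rule=RULE):
    """Report which traffic direction(s) the rule header fires on."""
    return {
        "inbound": header_matches(rule, *INBOUND, settings),
        "outbound": header_matches(rule, *OUTBOUND, settings),
    }


if __name__ == "__main__":
    print("any/any      :", directions_hit(BOTH_ANY))       # fires both ways
    print("rl1 specific :", directions_hit(RL1_SPECIFIC))   # inbound only
```

With `any`/`any` the same rule also fires on outbound traffic, so direction information is lost; a second instance on rl0 with `HOME_NET` set to 192.168.1.0/24 would be the mirror image.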