[Snort-users] trouble with inline mode

Richard Smollett yawningdogge at ...11827...
Wed Aug 27 09:52:16 EDT 2014


IP setup looks like this.

root at ...2306...:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:fd:b5:c4
          inet addr:*172.28.61.104*  Bcast:172.28.61.127  Mask:*255.255.255.128*
          inet6 addr: fe80::a00:27ff:fefd:b5c4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:472894 errors:5 dropped:15 overruns:0 frame:0
          TX packets:15266 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:129789824 (123.7 MiB)  TX bytes:2332609 (2.2 MiB)
          Interrupt:10 Base address:0xd020

eth1      Link encap:Ethernet  HWaddr 08:00:27:97:66:ff
          inet addr:*192.168.123.1*  Bcast:192.168.123.255  Mask:*255.255.255.0*
          inet6 addr: fe80::a00:27ff:fe97:66ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:438796 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:962 (962.0 B)  TX bytes:123829936 (118.0 MiB)
          Interrupt:9 Base address:0xd240

The eth0 interface is the outside and eth1 is inside. I'm starting snort
with this command.

snort --daq afpacket -i eth0:eth1 --daq-mode inline -c /etc/snort/snort.conf

But I still cannot ping an inside host from the outside. I can ping between
the snort device and inside/outside hosts. If I ping an inside host from the
outside, tcpdump shows the icmp echo request arriving but no reply. Inside
host ip is 192.168.123.2.

Can anyone recommend some other troubleshooting steps or suggest where I
may have left anything out of the setup?