@v0id said in Snort as IPS on WAN behind (VDSL-)Router:
@bmeeks Have no public internal services, just wanted to be protected from attacks and port scans on the public IP
Read what I posted again. Do you understand that pfSense will, by default, block all external sources from connecting to your firewall? So what good does Snort do in that circumstance? How can it help improve security? If pfSense is already going to block the port scan attempt, what's to be gained by having Snort block it again? If you scan the WAN side of a pfSense firewall from an external host, it will show nothing. No ports open at all. So out of the box a port scan is worthless to an adversary.
The only time a port scan matters (and even then, the risk of such an attack is somewhat overblown) is if you have a series of public-facing servers such as web servers, DNS servers, email servers, etc., and there are rules in place on the WAN to allow traffic to those servers. In that case you might want to add an IDS/IPS on the WAN to police traffic before it reaches those kinds of servers.
However, in a typical home setup using NAT, you have nothing "visible" to the Internet on the WAN side of your firewall. None of your hosts can be contacted nor connected to unless the internal host initiates the conversation. And in that case, the stateful inspection engine of the firewall will set up a temporary "allow" rule to let the reply traffic come in through the WAN and then on to the internal host that started the conversation.
And if you put Snort on the WAN and enable the portscan feature, expect to see quite a number of false positives caused by what is today just normal traffic. The portscan preprocessor is somewhat easily fooled by the way certain applications work today. It will false-positive on some traffic, block the external host, and then you will have grief with your internal clients as the application will likely quit working.
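As an added illustration (not from this thread and not Snort's actual sfportscan code), here is a simplified Python model of the two points above: a detector that just counts distinct destination ports per source flags a busy CDN's reply traffic as a scan, while one that honours the firewall's state table flags only unsolicited inbound probes. The addresses, the LAN prefix and the threshold are constructed sample values.

```python
from collections import defaultdict
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool

LAN_PREFIX = "192.168."   # assumed internal range behind the NAT firewall
SCAN_THRESHOLD = 5        # assumed: distinct dports from one source before calling it a "scan"

def naive_portscan(packets):
    """Count distinct destination ports per source, ignoring who initiated the conversation."""
    ports = defaultdict(set)
    for p in packets:
        ports[p.src].add(p.dport)
    return {src for src, seen in ports.items() if len(seen) >= SCAN_THRESHOLD}

def stateful_portscan(packets):
    """Count only inbound packets that no internal host solicited (no matching state entry)."""
    state = set()          # (internal_ip, internal_port, external_ip, external_port)
    ports = defaultdict(set)
    for p in packets:
        if p.src.startswith(LAN_PREFIX) and p.syn and not p.ack:
            state.add((p.src, p.sport, p.dst, p.dport))   # outbound SYN creates a state entry
        elif (p.dst, p.dport, p.src, p.sport) in state:
            continue                                     # solicited reply: allowed by state, not a scan
        else:
            ports[p.src].add(p.dport)                    # unsolicited inbound packet
    return {src for src, seen in ports.items() if len(seen) >= SCAN_THRESHOLD}

# Constructed sample traffic: one LAN host opens six parallel HTTPS connections to a CDN node,
# and a separate external host probes five ports on the firewall's WAN address.
LAN_HOST, CDN, PROBER, WAN_IP = "192.168.1.10", "203.0.113.5", "198.51.100.7", "203.0.113.200"
SAMPLE = []
for eph in range(50000, 50006):
    SAMPLE.append(Packet(LAN_HOST, eph, CDN, 443, True, False))   # outbound SYN
    SAMPLE.append(Packet(CDN, 443, LAN_HOST, eph, True, True))    # SYN/ACK reply to each ephemeral port
for port in (22, 80, 443, 3389, 8080):
    SAMPLE.append(Packet(PROBER, 60000 + port, WAN_IP, port, True, False))

if __name__ == "__main__":
    print("naive   :", sorted(naive_portscan(SAMPLE)))     # CDN wrongly flagged alongside the prober
    print("stateful:", sorted(stateful_portscan(SAMPLE)))  # only the prober
```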