Snort and pfBlockerng on virtual interfaces?



  • I'm posting this in general as the question encompasses a few different areas.

    Currently running 2.3.1 with 1 physical WAN interface, 1 physical LAN interface, and 1 virtual "PIA" interface which routes the majority of my traffic through an OpenVPN Private Internet Access tunnel. I'm using firewall aliases and firewall rules to control which LAN clients get directed through the standard WAN gateway and which clients get directed through the PIA gateway.

    My question is regarding my Snort and pfBlockerng packages. I had both set up prior to creating this PIA tunnel, so they are doing their respective things on my LAN and WAN interfaces. Both appear to be working as they should and are seeing both my normal and PIA traffic, even though I have not configured either to operate on my virtual PIA interface.

    Is this expected? I see in the configs for Snort and pfBlockerng that I have the option of selecting "PIA" as an interface, but is there a reason that I would want to since everything is operating correctly using LAN and WAN?



  • Snort uses DAQ and libpcap as its data acquisition layer on the physical interface.  It puts the physical interface into promiscuous mode so that it sees all traffic hitting the interface.  That's why Snort is seeing your PIA traffic without being explicitly configured for it.

    In terms of the available interfaces in the drop-down box on the Snort Interface configuration tab, it simply queries pfSense for all the configured interfaces and displays them.  Probably not the best implementation, but for now Snort just thinks any interface returned by the system is an actual physical one.  So it doesn't really understand that your PIA tunnel really runs on the WAN but should be treated as distinct.

    Bill
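    To make the distinction Bill describes concrete, here is an added example (not from the thread or the Snort package) that parses FreeBSD/pfSense-style `ifconfig -a` output and reports which interfaces are physical ones in promiscuous mode and which are point-to-point tunnels such as an OpenVPN client interface. The interface names, addresses and the whole `ifconfig` text are constructed for the example; `PROMISC`, `PPROMISC`, `POINTOPOINT` and the `groups:` line are standard FreeBSD output.

```python
import re

# Constructed sample of `ifconfig -a` on a pfSense box: two physical NICs that
# Snort has put into promiscuous mode, plus one OpenVPN client tun interface.
SAMPLE_IFCONFIG = """\
em0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
	ether 00:0c:29:aa:bb:01
	inet 203.0.113.5 netmask 0xffffff00 broadcast 203.0.113.255
em1: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
	ether 00:0c:29:aa:bb:02
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet 10.20.30.6 --> 10.20.30.5 netmask 0xffffffff
	groups: tun openvpn
"""

# Matches the first line of each interface block: "<name>: flags=<n><FLAG,FLAG,...>"
IFACE_RE = re.compile(r"^(\S+): flags=\d+<([^>]*)>")


def parse_ifconfig(text):
    """Return {ifname: {"flags": set, "groups": set}} from ifconfig output."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"flags": set(m.group(2).split(",")), "groups": set()}
        elif current and line.strip().startswith("groups:"):
            ifaces[current]["groups"].update(line.split(":", 1)[1].split())
    return ifaces


def classify(ifaces):
    """Return {ifname: (kind, promisc)} where kind is "physical" or "tunnel"."""
    result = {}
    for name, info in ifaces.items():
        is_tunnel = ("POINTOPOINT" in info["flags"]
                     or info["groups"] & {"tun", "openvpn"})
        result[name] = ("tunnel" if is_tunnel else "physical",
                        "PROMISC" in info["flags"])
    return result


if __name__ == "__main__":
    for name, (kind, promisc) in classify(parse_ifconfig(SAMPLE_IFCONFIG)).items():
        print(f"{name:8} {kind:8} promisc={promisc}")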

