Pass List documentation
-
Hello!
I am coming up to speed on pfSense and Snort.
Running 2.4.5.r.20200226.2100 on an SG-1100. Snort 3.2.9.10_1
I have Snort on the WAN interface to monitor and protect forwarded ports.
I want to make sure some WAN addresses are not blocked. When I look at the instructions on this page:
https://docs.netgate.com/pfsense/en/latest/ids-ips/snort-passlist.html
It appears that the steps and images are showing how to modify the EXTERNAL_NET.
I think I understand when you might want to modify HOME_NET and EXTERNAL_NET using a Pass List, but for my goal, don't I want to put my custom pass list into the "Pass List" dropdown and not the "External Net" dropdown?
John
-
@serbus said in Pass List documentation:
Hello!
I am coming up to speed on pfSense and Snort.
Running 2.4.5.r.20200226.2100 on an SG-1100. Snort 3.2.9.10_1
I have Snort on the WAN interface to monitor and protect forwarded ports.
I want to make sure some WAN addresses are not blocked. When I look at the instructions on this page:
https://docs.netgate.com/pfsense/en/latest/ids-ips/snort-passlist.html
It appears that the steps and images are showing how to modify the EXTERNAL_NET.
I think I understand when you might want to modify HOME_NET and EXTERNAL_NET using a Pass List, but for my goal, don't I want to put my custom pass list into the "Pass List" dropdown and not the "External Net" dropdown?
John
You are correct and that documentation page is incorrect. I will send the pfSense team a note about it. Note that your public WAN IP is in the default pass list, but if you have multiple assigned WAN IPs, then you would need to create an alias to hold them and then put that alias in the Address box on a custom pass list and then assign that custom list in the Pass List drop-down on the INTERFACE SETTINGS tab.
HOME_NET and EXTERNAL_NET are special variables and generally should NEVER be changed! Incorrect values in either of these two variables can result in your rules being ineffective.
-
Hello!
OK. I do have a dual wan install with static ip blocks coming up, so I will keep that in mind.
In this case, I have an external server running icinga and monitoring the servers behind my forwarded ports. I have seen that server show up in the snort logs. My read is that the pass list is the place to address these snort blocks. Please let me know if there is a better place to handle it.
Thanks!
John
-
@serbus said in Pass List documentation:
Hello!
OK. I do have a dual wan install with static ip blocks coming up, so I will keep that in mind.
In this case, I have an external server running icinga and monitoring the servers behind my forwarded ports. I have seen that server show up in the snort logs. My read is that the pass list is the place to address these snort blocks. Please let me know if there is a better place to handle it.
Thanks!
John
Yes, a custom Pass List assigned to the interface is the correct way to handle errant blocks of hosts you don't want blocked. Remember that after assigning and saving a custom pass list to an interface, you must restart Snort on the interface for the new list to be recognized.
Pass List content is only read at startup of the Snort binary.
-
Hello!
Got it!
Not to belabor this topic...
One of the problems I had setting this up was that the process did not fit my normal MO of getting everything configured and then dropping the hammer: create the alias, add the alias to a pass list, assign the pass list to an interface, and finally turn on the blocking for the interface.
Maybe a note in the docs which indicates that the pass list dropdown won't appear until after "Block offenders" is checked would help. When I didn't initially see the pass list dropdown and looked at the docs, I assumed that the External Net must be the place for the pass list. I know better now. :)
Thanks again!
John
-
The Pass List has no function unless Legacy Mode blocking is enabled. That's why the GUI code hides the drop-down when that mode of blocking is disabled. It's an attempt to keep the screen a bit less cluttered by removing options that have no role in the currently selected operational mode.
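As an added illustration of the behaviour described in the replies above (the alias goes into a custom Pass List assigned on the interface, the list only matters under Legacy Mode blocking, and it is only read when Snort starts), here is a small Python model that is not part of the pfSense Snort package and not code from anyone in this thread. The addresses, the "MonitoringHosts" alias contents, the alert lines and their SIDs are all constructed for the demo; the `snort2c` set stands in for the pf table of the same name that Legacy Mode blocking populates.

```python
# Added example (not the pfSense Snort package's own code): a small model of how
# a custom Pass List interacts with Legacy Mode blocking on one interface.
# All addresses, alias contents and alert lines below are constructed for the demo.
import re
from ipaddress import ip_address, ip_network

# Constructed stand-in for the default pass list (WAN IP, WAN gateway, LAN net).
DEFAULT_PASS_LIST = ["203.0.113.10/32", "203.0.113.1/32", "192.168.1.0/24"]
# Constructed stand-in for a "MonitoringHosts" alias holding the external icinga server.
MONITORING_ALIAS = ["198.51.100.25/32"]

# Constructed alert lines in Snort's alert_fast layout; the SIDs are in the local
# (>= 1000000) range so they do not collide with any published rule.
SAMPLE_ALERTS = [
    "02/26-21:00:01.000000  [**] [1:1000001:1] CONSTRUCTED monitoring probe [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 198.51.100.25:41234 -> 203.0.113.10:443",
    "02/26-21:00:05.000000  [**] [1:1000002:1] CONSTRUCTED inbound scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 192.0.2.77:51000 -> 203.0.113.10:3306",
]

# IPv4 only: for dotted-quad addresses the optional ":port" suffix is unambiguous.
_ENDPOINTS = re.compile(
    r"\{\w+\}\s+(?P<src>[0-9.]+)(?::\d+)?\s+->\s+(?P<dst>[0-9.]+)(?::\d+)?\s*$"
)


def parse_alert(line):
    """Return (src, dst) as ip_address objects, or None if the line has no endpoints."""
    m = _ENDPOINTS.search(line)
    if not m:
        return None
    return ip_address(m.group("src")), ip_address(m.group("dst"))


class LegacyBlocker:
    """Models Snort Legacy Mode blocking on one pfSense interface.

    The pass list is snapshotted in start(): as in the real package, a list
    edited in the GUI has no effect until Snort on that interface is restarted.
    """

    def __init__(self, block_on="both", legacy_mode=True):
        self.block_on = block_on        # "src", "dst" or "both", as offered in the GUI
        self.legacy_mode = legacy_mode
        self._pass_nets = []
        self.snort2c = set()            # stands in for the pf table 'snort2c'

    def start(self, pass_list_entries):
        """(Re)start Snort with the given pass list; only now is the list read."""
        self._pass_nets = [ip_network(e, strict=False) for e in pass_list_entries]

    def is_passlisted(self, ip):
        return any(ip in net for net in self._pass_nets)

    def clear_table(self):
        """Equivalent of clearing the blocked hosts on the Blocked tab."""
        self.snort2c.clear()

    def handle_alert(self, line):
        """Process one alert; return the addresses newly added to snort2c."""
        if not self.legacy_mode:
            return []   # no Legacy Mode blocking: nothing is inserted, pass list unused
        endpoints = parse_alert(line)
        if endpoints is None:
            return []
        src, dst = endpoints
        candidates = {"src": [src], "dst": [dst], "both": [src, dst]}[self.block_on]
        added = []
        for ip in candidates:
            if self.is_passlisted(ip) or str(ip) in self.snort2c:
                continue
            self.snort2c.add(str(ip))
            added.append(str(ip))
        return added


def run_alerts(blocker, alerts):
    """Clear the table, replay the alerts, and return every address that got blocked."""
    blocker.clear_table()
    return [ip for line in alerts for ip in blocker.handle_alert(line)]


def demo():
    """Walk through the thread's scenario and report who was blocked at each step."""
    blocker = LegacyBlocker(block_on="both")
    blocker.start(DEFAULT_PASS_LIST)
    with_default = run_alerts(blocker, SAMPLE_ALERTS)
    # The operator builds the alias, puts it in a custom pass list and assigns it to
    # the interface, but does not restart Snort: the running instance still holds
    # the old list, so the monitoring host is blocked again.
    custom_list = DEFAULT_PASS_LIST + MONITORING_ALIAS
    without_restart = run_alerts(blocker, SAMPLE_ALERTS)
    blocker.start(custom_list)               # restart Snort on the interface
    after_restart = run_alerts(blocker, SAMPLE_ALERTS)
    return {
        "default_list": with_default,
        "list_changed_no_restart": without_restart,
        "after_restart": after_restart,
    }


if __name__ == "__main__":
    for step, blocked in demo().items():
        print(f"{step}: {blocked or 'nothing blocked'}")
```

Running it shows the WAN IP (in the default list) never lands in the table, the monitoring host keeps getting blocked until the instance is started with the new list, and the scanning host is blocked throughout. The same model can be pointed at a real alias by replacing the constructed lists with the expanded alias contents.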