How is the logical security stack configured in pfSense?
-
I'm curious what logical inspection order is followed for traffic as it traverses the different security packages in pfSense. For example, say I have firewall rules that allow all traffic; if I have Snort enabled, will this traffic be analyzed before or after it hits the firewall rules? If I have pfBlocker enabled, will traffic be analyzed before or after Snort and the built-in firewall? Will traffic matching Snort signatures be allowed if the firewall rules allow any -> any?
Thanks in advance!
-
pfBlockerNG does not analyze anything. It creates FW aliases and rules.
As for Snort/Suricata, it works on a copy of packets, not inline; see https://forum.pfsense.org/index.php?topic=80131.msg437332#msg437332 and numerous other posts about this.
-
Oh wow, good to know!
"When an alert is triggered, a block rule is inserted into the packet filter firewall table"
Where is this rule implemented in relation to other firewall rules? So say Snort triggers an alert and inserts a rule into the firewall table. Will this rule apply before or after rules configured in my firewall rules?
-
There's a dedicated forum section for IDS/IPS. I have no interest in using these constant-babysitting packages. All I can tell you is that there's a snort2c table managed by the IDS/IPS pretty high in the rules stack blocking the traffic.
$ pfctl -vvsa | grep snort
@46(1000000117) block drop log quick from <snort2c:0> to any label "Block snort2c hosts"
@47(1000000118) block drop log quick from any to <snort2c:0> label "Block snort2c hosts"
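To make the ordering question concrete, here is an added Python model of how pf walks a ruleset (last matching rule wins, unless a matching rule is `quick`, which ends evaluation immediately); it is not code from the thread or from pfSense. The ruleset it parses is constructed from the two snort2c lines quoted above plus a made-up user "any to any" rule and default deny, and the addresses and the snort2c table contents are constructed too.

```python
import re

# Constructed sample modelled on the `pfctl -vvsa` output quoted above; the user
# rule (@120) and default deny (@121) are made up to show the ordering question.
SAMPLE_RULES = """\
@46(1000000117) block drop log quick from <snort2c:0> to any label "Block snort2c hosts"
@47(1000000118) block drop log quick from any to <snort2c:0> label "Block snort2c hosts"
@120(1000000500) pass in quick from any to any label "USER_RULE: allow any to any"
@121(1000000501) block drop in log all label "Default deny rule IPv4"
"""

def parse_rules(text):
    """Parse pfctl rule lines into dicts: num, action, quick, src, dst."""
    rules = []
    for line in text.splitlines():
        m = re.match(r'@(\d+)\(\d+\)\s+(pass|block)\b(.*)', line)
        if not m:
            continue
        toks = m.group(3).split(' label ')[0].split()   # strip the label text
        if 'from' in toks:
            src, dst = toks[toks.index('from') + 1], toks[toks.index('to') + 1]
        else:                                            # "all" means any -> any
            src = dst = 'any'
        rules.append({'num': int(m.group(1)), 'action': m.group(2),
                      'quick': 'quick' in toks, 'src': src, 'dst': dst})
    return rules

def addr_matches(spec, addr, tables):
    """'any', a '<table:N>' reference (looked up in tables), or a literal address."""
    if spec == 'any':
        return True
    t = re.fullmatch(r'<(\w+):\d+>', spec)
    if t:
        return addr in tables.get(t.group(1), set())
    return spec == addr

def evaluate(rules, src, dst, tables):
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which stops evaluation at once. Returns (action, rule number)."""
    winner = None
    for r in rules:
        if addr_matches(r['src'], src, tables) and addr_matches(r['dst'], dst, tables):
            winner = r
            if r['quick']:
                break
    return (winner['action'], winner['num']) if winner else ('block', None)

# 203.0.113.5 is a constructed address standing in for a host Snort added to snort2c.
TABLES = {'snort2c': {'203.0.113.5'}}
```

Because the snort2c block rules sit above the user rules and are `quick`, a host in the table is dropped even when a later user rule allows any to any; once the table entry expires, the same packet reaches the user rule and passes.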