Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Order of Processing? - PFBlockerNH/Snort

    Scheduled Pinned Locked Moved pfSense Packages
    3 Posts 2 Posters 2.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      JBelthoff
      last edited by

      Hi,

      If I have both PFBlockerNG and Snort running which gets processed first?

      Or…..

      Will Snort record an alert for an IP that is blocked by PFBlockerNG?

      Granted I may be a little confused as I am a bit new to all of this....

      Thanks,

      JB

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        Snort's blocks are inserted in one of the first few tables in the firewall chain, so generally Snort blocks happen early in a packet's traversal of the rules.

        Snort uses libpcap to get copies of packets flowing through the interface for inspection.  That means it will always see a packet even if that packet is later dropped by the firewall.  Snort sees traffic raw straight off the interface before the firewall rules have acted upon it.

        Bill

        1 Reply Last reply Reply Quote 0
        • J
          JBelthoff
          last edited by

          Excellent! That's was I was hoping.

          Thanks,

          JB

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.