Netgate Discussion Forum
    Snort not blocking incoming packets which have port forward/NAT rules applied

    Andrew453:

      Hi

      I have Snort running on my WAN, with blocking enabled.  I also have various port forwards set up in the NAT.

      The blocking is working fine, except when an incoming packet arrives from a blocked Snort host destined for a forwarded port.  Snort doesn't block it and the packet is passed through from the blocked host.

      Is this intended behaviour or is something else wrong?  Is there any way to get this desired behaviour please - i.e. blocking snort hosts whether in relation to a forwarded port or not?

      Andrew

    doktornotor (Banned):

        Yeah, run it on LAN (as well).

    Andrew453:

          Thanks.  I wondered if that might be it.

          Would the two snort instances on the different interfaces share the same block list?  If not, if the WAN snort instance blocks bad hosts/packets, how will the LAN instance ever get to see them to add them to its own block list?

    doktornotor (Banned):

            There's just one blocklist for both (the snort2c table). Other than that, see the IDS/IPS subforum for hints on the rules. (Running both with the same ruleset is pretty much an overkill. Just put some basic stuff on WAN.)

    Andrew453:
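Since both Snort instances feed the same pf table, a quick way to confirm that the block list is actually being honoured for forwarded ports is to compare the table contents against the connections the firewall accepted. The following is an added example (not code from the thread or from the pfSense/Snort package): it parses a constructed dump in the shape `pfctl -t snort2c -T show` prints on pfSense (one address or CIDR per line), then flags any accepted inbound flow whose source falls inside a listed entry. The table contents and the flow list are constructed sample data using documentation address ranges; `parse_table`, `is_blocked` and `leaked_flows` are names chosen here.

```python
import ipaddress

# Constructed sample of `pfctl -t snort2c -T show` output (hypothetical
# entries in documentation ranges, not real blocked hosts).
SAMPLE_TABLE = """\
   192.0.2.17
   198.51.100.0/24
   203.0.113.9
"""

# Constructed sample of accepted inbound connections as (source, dest port),
# e.g. pulled from the firewall log for the forwarded ports. Two of these
# come from sources that the table says should have been blocked.
SAMPLE_FLOWS = [
    ("192.0.2.17", 3389),
    ("198.51.100.77", 443),
    ("203.0.113.200", 22),
    ("192.0.2.18", 80),
]


def parse_table(text):
    """Turn a pf table dump into a list of ip_network objects.

    Single hosts become /32 (or /128) networks so membership tests are
    uniform for hosts and CIDR entries.
    """
    nets = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_blocked(addr, nets):
    """True if addr is covered by any entry in the parsed table."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def leaked_flows(table_text, flows):
    """Return accepted flows whose source is in the block table.

    Any result here means a host Snort had already blocked still reached
    a forwarded port, which is the symptom described in the thread.
    """
    nets = parse_table(table_text)
    return [(src, port) for src, port in flows if is_blocked(src, nets)]


if __name__ == "__main__":
    for src, port in leaked_flows(SAMPLE_TABLE, SAMPLE_FLOWS):
        print(f"blocked source {src} still reached port {port}")
```

On a real box, replace `SAMPLE_TABLE` with the output of `pfctl -t snort2c -T show` and the flow list with accepted entries from the firewall log; an empty result means the shared table is being applied to the port-forwarded traffic as well.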

              OK, thanks for your help.  I'll give it a try.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.