4. Snort not blocking incoming packets which have port forward/NAT rules applied

Snort not blocking incoming packets which have port forward/NAT rules applied

  • A

    Hi

    I have Snort running on my WAN, with blocking enabled.  I also have various port forwards set up in the NAT.

    The blocking is working fine, except when an incoming packet arrives from a blocked Snort host destined for a forwarded port.  Snort doesn't block it and the packet is passed through from the blocked host.

    Is this intended behaviour or is something else wrong?  Is there any way to get this desired behaviour please - i.e. blocking snort hosts whether in relation to a forwarded port or not?

    Andrew

    0
  • D
    Banned

    Yeah, run it on LAN (as well.)

    0
  • A

    Thanks.  I wondered if that might be it.

    Would the two snort instances on the different interfaces share the same block list?  If not, if the WAN snort instance blocks bad hosts/packets, how will the LAN instance ever get to see them to add them to its own block list?

    0
  • D
    Banned

    There's just one blocklist for both (the snort2c table). Other than that, see the IDS/IPS subforum for hints on the rules. (Running both with the same ruleset is pretty much an overkill. Just put some basic stuff on WAN.)

    0
  • A

    OK, thanks for your help.  I'll give it a try.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy