    I have Snort running on my WAN, with blocking enabled.  I also have various port forwards set up in the NAT.

    The blocking is working fine, except when an incoming packet arrives from a blocked Snort host destined for a forwarded port.  Snort doesn't block it and the packet is passed through from the blocked host.

    Is this intended behaviour or is something else wrong?  Is there any way to get this desired behaviour please - i.e. blocking Snort hosts whether in relation to a forwarded port or not?


    Yeah, run it on LAN (as well.)

  • Thanks.  I wondered if that might be it.

    Would the two Snort instances on the different interfaces share the same block list?  If not, if the WAN Snort instance blocks bad hosts/packets, how will the LAN instance ever get to see them to add them to its own block list?

    There's just one blocklist for both (the snort2c table). Other than that, see the IDS/IPS subforum for hints on the rules. (Running both with the same ruleset is pretty much an overkill. Just put some basic stuff on WAN.)
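    A quick way to check the point made above (one shared snort2c table feeding the block rules on every interface) is to compare the hosts Snort has alerted on against what is actually in the table. The script below is an added example and is not part of this thread or of the Snort package; it assumes Snort's `alert_fast` log line format and the one-address-per-line output of `pfctl -t snort2c -T show`, and both inputs here are constructed samples rather than real captures. It lists alert sources that never made it into the block table, optionally narrowed to alerts aimed at your forwarded ports, which is the case the original question is about.

```python
import re

# Constructed sample of Snort alert_fast lines (placeholder SIDs, documentation IPs).
ALERT_FAST_SAMPLE = """\
03/14-10:22:01.113254  [**] [1:1000001:1] EXAMPLE inbound RDP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.45:51234 -> 192.0.2.10:3389
03/14-10:22:05.904112  [**] [1:1000002:1] EXAMPLE inbound MSSQL probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:1433
03/14-10:23:40.000001  [**] [1:1000002:1] EXAMPLE inbound MSSQL probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40002 -> 192.0.2.10:1433
"""

# Constructed sample of `pfctl -t snort2c -T show` output: one address per line.
# 198.51.100.7 is deliberately absent so the check has something to report.
SNORT2C_TABLE_SAMPLE = """\
   203.0.113.45
   198.51.100.200
"""

# Matches the [gid:sid:rev] header, the message, the protocol and the
# src:port -> dst:port pair. ICMP alerts carry no ports and are skipped.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Return one dict per parseable alert_fast line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def parse_table(text):
    """Return the set of addresses listed in a pfctl table dump."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def unblocked_alert_sources(alert_text, table_text, forwarded_ports=()):
    """Map each alerting source IP that is NOT in the snort2c table to the
    destination ports it hit. If forwarded_ports is given, only alerts aimed
    at those ports are considered (the port-forward case from the thread)."""
    table = parse_table(table_text)
    missing = {}
    for a in parse_alerts(alert_text):
        dport = int(a["dport"])
        if forwarded_ports and dport not in forwarded_ports:
            continue
        if a["src"] not in table:
            missing.setdefault(a["src"], set()).add(dport)
    return {ip: sorted(ports) for ip, ports in missing.items()}


if __name__ == "__main__":
    # On a real box you would feed the actual log and the live table dump in.
    report = unblocked_alert_sources(ALERT_FAST_SAMPLE, SNORT2C_TABLE_SAMPLE,
                                     forwarded_ports={1433, 3389})
    for ip, ports in report.items():
        print(f"{ip} alerted on forwarded port(s) {ports} but is not in snort2c")
```

On the firewall itself you would replace the two samples with the real alert log and the output of `pfctl -t snort2c -T show`; any source reported here is a host Snort flagged that the shared table never received, which is where to start if forwarded-port traffic from a "blocked" host is still getting through.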

  • OK, thanks for your help.  I'll give it a try.

