Netgate Discussion Forum
    Home Net

General pfSense Questions

TecTI

      How can I create a Home Net list on Snort without some IPs, so that I can block those internal IPs?

bmeeks

        First, create an alias under Firewall > Aliases containing all the networks and/or IP addresses you want in HOME_NET.  Next, go to the PASS LIST screen (I know, it is a little counter-intuitive …  ;) ) and create a new PASS LIST.  Name it "custom_home_net" or something that makes sense for your case.  Uncheck all the options (unless you want to keep a few) and then add the alias you created earlier in the provided Address text box at the bottom.  Save the new list.

        Now go to the Snort INTERFACE SETTINGS tab for the interface where you want to use this custom HOME_NET.  In the HOME_NET drop-down selector, choose the list you created in the steps above.  Save the change and then restart Snort on that interface.  That should do it.

        Bill

TecTI

          Hi Bill, thanks for the answer, but I had already done that and it keeps adding my internal IPs to the Home Net list even though they are not in the alias.

TecTI

Problem solved. By selecting the custom_home_net in the pass list drop-down selector on the Snort interface, I could block internal alert source IPs. Thanks for your help.

bmeeks

@TecTI:

Problem solved. By selecting the custom_home_net in the pass list drop-down selector on the Snort interface, I could block internal alert source IPs. Thanks for your help.

              Yes, this part is key (selecting the desired custom list on the INTERFACE SETTINGS tab).  Simply creating a list on the PASS LIST screen is not enough.  You must then tell Snort (or Suricata, if using that package) to use the new list.

              Bill

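The behaviour the thread settles on can be modelled in a few lines. The Python below is an added example, not code from the thread or from the pfSense Snort package: it shows why a pass list that still auto-includes the locally-attached networks keeps every internal host unblockable, and why a custom list built only from the alias (and then selected on the interface) lets alerts from an excluded internal host be blocked. The auto-added local networks, the alias contents and the alert records are constructed sample data, and the blocking rule modelled here ("block the alert's source unless it is on the selected pass list") is a simplification of the package's options.

```python
import ipaddress

# Constructed sample data for this example (not from the thread).
# Networks a default pass list would pick up automatically from the
# interface configuration (locally-attached networks and the like).
AUTO_LOCAL_NETS = ["192.168.1.0/24", "10.10.0.0/24"]

# Contents of the Firewall > Aliases entry used to build custom_home_net.
# The host 192.168.1.50 is deliberately left out so alerts from it can be blocked.
CUSTOM_ALIAS = ["192.168.1.1", "192.168.1.10", "10.10.0.0/24"]

# Constructed alert records: (sid, source IP, destination IP).
SAMPLE_ALERTS = [
    (1000001, "192.168.1.50", "203.0.113.7"),   # misbehaving internal host
    (1000002, "192.168.1.10", "203.0.113.7"),   # trusted internal server
    (1000003, "198.51.100.9", "192.168.1.10"),  # external source
]


def parse_nets(entries):
    """Turn alias entries (hosts or CIDR networks) into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def build_pass_list(alias_entries, auto_add_local=True):
    """Model a PASS LIST: the alias contents, plus the auto-added local
    networks unless those options were unchecked when the list was created."""
    nets = parse_nets(alias_entries)
    if auto_add_local:
        nets.extend(parse_nets(AUTO_LOCAL_NETS))
    return nets


def in_nets(ip, nets):
    """True if the address falls inside any network in the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def render_home_net(nets):
    """Render the list in Snort's own ipvar syntax, e.g. ipvar HOME_NET [a,b]."""
    return "ipvar HOME_NET [" + ",".join(str(n) for n in nets) + "]"


def blocked_sources(alerts, pass_nets):
    """Alert source IPs that would be blocked: any source not on the pass list."""
    return sorted({src for _, src, _ in alerts if not in_nets(src, pass_nets)})


if __name__ == "__main__":
    default_list = build_pass_list(CUSTOM_ALIAS, auto_add_local=True)
    custom_list = build_pass_list(CUSTOM_ALIAS, auto_add_local=False)
    print("default list blocks:", blocked_sources(SAMPLE_ALERTS, default_list))
    print("custom list blocks: ", blocked_sources(SAMPLE_ALERTS, custom_list))
    print(render_home_net(custom_list))
```

With the auto-added local networks still present, 192.168.1.50 is covered by 192.168.1.0/24 and is never blocked; with the list reduced to the alias alone, alerts from that host are blockable while the trusted server 192.168.1.10 stays protected. The rendered ipvar line is what a HOME_NET selection ultimately amounts to on the Snort side, which is why the list also has to be selected on the INTERFACE SETTINGS tab before it has any effect.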
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.