Technical Director trodat at ultratrends.com
Mon Aug 25 18:56:40 PDT 2003


Someone correct me if I am wrong, but, snort as with other traffic shapers
and dumpers take actual traffic from the network card prior to the
firewall/kernel getting it. The rule is in place and as long as you see
numbers in the first two columns in the following command:


##### 0 2300 deny icmp from any to me via ed0

then your rule should be fine. If it's zero then the rules above it are
stopping any activity that this rule might have on incoming packets.


On Mon, 25 Aug 2003, K Anderson wrote:

> Howdy folks,
> I've been getting bombarded with ICMP (Cyberkit 2.2 attack) stuff and 
> created a rule in ipfw to firewall it. The rule is working, I am getting 
> measured stats but the problem is snort is seeing them and reporting 
> them. I thought that by firewalling ICMP snort would stop noticing them. 
> If I'm wrong in my asumption I would certainly like to hear it.
> Here is the fierwall rule I applied.
> deny log icmp from any to me via ed0
> There are some TCP and IP rules above that but I don't see that causing 
> anything to skip over the  ICMP rule. And snort is seeing them as I did 
> a quick search through ACID.
> Thanks in advance.
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list