IPFW & ICMP

K Anderson freebsduser at comcast.net
Tue Aug 26 18:00:36 PDT 2003



Lowell Gilbert wrote:
> K Anderson <freebsduser at comcast.net> writes:
> 
> 
>>I figure
>>that the firewall should block the traffic first so as to prevent
>>ruled traffic from coming in and then, in my thinking, snort shouldn't
>>see it.
>>
>>Hopefully somebody might have an explanation with the why's and how
>>comes one way or the other.
> 
> 
> Your way would rule out sniffing of third-party traffic.

So then it is normal behaviour for snort to see the packets then get to 
the firewall and then be processed? I'm up to 10K+ Cyberkit 2.2 packets 
in a 24 hour period.


