This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS Global Setting

Can some please explain or point me to a reference of how Astaro processes network traffic? It seems a bit strange to me that we are suppose to specify which Local networks we want to protect.

What would happen if I specified my external Internet facing addresses in the Global IPS settings Local network config?

Thx

This thread was automatically locked due to age.

0 HuberChristian over 10 years ago

Not sure, but maybe the Image attached can help you anyhow...
- untitled.jpg
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 10 years ago

"What would happen if I specified my external Internet facing addresses...?" [:D] I've made that mistake! This causes a lockup of your CPU as conntrack and packetfilter (firewall) block a lot of traffic before it ever gets to IPS. #2 in Rulz provides a useful summary of the chart although it doesn't answer your question here.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 busthead over 10 years ago

I specified both of my external Internet facing addresses and it did NOT lock up anything. In fact, I ran in the configuration for months and IPS appeared to function properly blocking anywhere from zero to a couple hundred attacks a month.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 10 years ago

Most organizations don't want to spend extra money for a more-powerful device with more-expensive subscriptions just to block traffic with the Snort engine before it's blocked by the firewall (packetfilter).

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 busthead over 10 years ago

According to the image that Gaston posted, that's not what would happen since packetfilter is always listed before IPS.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 10 years ago

What packetfilter rules apply to traffic arriving at an external interface?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 10 years ago in reply to BAlfson

What packetfilter rules apply to traffic arriving at an external interface?

The INPUT chain in IPTables... can be seen on the UTM with
iptables -n -L

When Snort is in Inline (IPS) mode, it typically does not listen to the interface(s) directly, but rather IPTables queries Snort with each packet (or stream?).

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 10 years ago

Hi, Barry. My point was that he's probably putting Snort out front to block traffic that would be blocked "more cheaply" by packet filter rules before iptables asked Snort about the traffic.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel