On 14/09/2012 15:02, Jim Pingle wrote:
> On 9/14/2012 9:35 AM, [email protected] wrote:
>> Hello,
>> I would like to verify the order in which incoming packets are processed
>> by pfSense. Currently I have two pfSense 2.0.1-RELEASE boxes in a
>> failover setup. Both boxes have Snort installed.
>> My "assumptions" are:
>> 1) Packets are evaluated by firewall rules first
>> 2) Packets are then seen by Snort (based on the fact that I am only
>> currently running Snort on the WAN interface)
>> 3) NAT tables are evaluated
>> 4) Packets are sent to DMZ web servers.
>>
>> My question is, are these assumptions correct? If not, could someone
>> please post the corrected order?
>>
>> Sound reasonable, or am I missing the mark completely?
>
> You have it almost completely backwards. At least 1-3 are :-)
>
> It really goes:
> 1. Packets come in on the wire - things listening on the NIC in promisc
> or similar, like tcpdump or snort, see things here
> 2. NAT is processed
> 3. Firewall rules are processed - so if NAT applied (port forward, etc),
> you filter on the NAT translated address as the destination.
> 4. Packets are routed by pf or the OS depending on whether or not the
> rule had a policy routing gateway set.
>
> Then steps 3, 2, 1 on the way out the other interface, if applicable
> (outbound floating rules, outbound NAT, and then tcpdump would see what
> is "on the wire").

This may also be useful, although it only handles it once it hits pf,
i.e. about step 2 here:

http://www.benzedrine.cx/pf_flow.png
Vince

> Jim

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
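Jim's ordering (NAT first, then filter rules, with tcpdump and Snort seeing the packet before either) written out as a pf ruleset, as an added example that is not from the thread and not the config pfSense itself generates. The interface names (em0 as WAN, em1 as DMZ), the addresses and the blocked source network are assumptions chosen for illustration; the syntax is the pre-OpenBSD-4.7 `rdr ... ->` form that the pf in pfSense 2.0.x uses.

```pf
# Added example, not from the mailing-list thread or from pfSense's
# generated /tmp/rules.debug. Names and addresses are assumptions:
#   em0 = WAN, em1 = DMZ, 10.10.10.80 = DMZ web server.
wan_if  = "em0"
dmz_if  = "em1"
web_srv = "10.10.10.80"

# Step 2 in Jim's list: NAT is evaluated before any filter rule.
# Inbound HTTP to the WAN address is rewritten to the DMZ host here.
rdr on $wan_if proto tcp from any to ($wan_if) port 80 -> $web_srv port 80

# Step 3: filter rules run on the packet *after* rdr, so the destination
# they must match is the translated DMZ address, not the WAN address.
# A "block" on the pre-NAT source still works, because rdr only rewrites
# the destination; it is placed first because both rules use "quick".
block in quick on $wan_if proto tcp from 198.51.100.0/24 to $web_srv port 80
pass  in quick on $wan_if proto tcp from any to $web_srv port 80 \
      flags S/SA keep state

# This rule would never match forwarded traffic: by the time the filter
# runs, no inbound packet on $wan_if carries the WAN address as its
# destination any more.
# pass in on $wan_if proto tcp from any to ($wan_if) port 80
```

To check the loaded ordering on a live box, `pfctl -sn` prints the NAT (rdr/nat) rules and `pfctl -sr` the filter rules as pf actually evaluates them; the associated filter rule that the pfSense port-forward page creates likewise has the internal host as its destination. The practical consequence of step 1 for the original poster's setup is that Snort (or `tcpdump -ni em0`) on the WAN interface reports the public WAN address as the destination of these flows, while a capture on em1 shows the already-translated DMZ address.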
