On 9/14/2012 10:11 AM, Vincent Hoffman wrote:
On 14/09/2012 15:02, Jim Pingle wrote:
On 9/14/2012 9:35 AM, [email protected] wrote:
Hello,
I would like to verify the order in which incoming packets are processed
by pfSense.  Currently I have two pfSense 2.0.1-RELEASE boxes in a
failover setup.  Both boxes have Snort installed.
My "assumptions" are:
1) Packets are evaluated by firewall rules first
2) Packets are then seen by Snort (based on the fact that I am only
currently running Snort on the WAN interface)
3) NAT Tables are evaluated
4) Packets are sent to DMZ web servers.

My question is, are these assumptions correct?  If not could someone
please post the corrected order?

Sound reasonable or am I missing the mark completely?
You have it almost completely backwards. At least 1-3 are :-)

It really goes:
1. Packets come in on the wire - things listening on the NIC in promisc
or similar, like tcpdump or snort, see things here
2. NAT is processed
3. Firewall rules are processed - so if NAT applied (port forward, etc),
you filter on the NAT translated address as the destination.
4. Packets are routed by pf or the OS depending on whether or not the
rule had a policy routing gateway set.

Then steps 3,2,1 on the way out the other interface, if applicable
(outbound floating rules, outbound NAT, and then tcpdump would see what
is "on the wire").
This may also be useful although it only handles it once it hits pf, ie
about step 2 here.
http://www.benzedrine.cx/pf_flow.png

Vince


Jim

Thank you both for this information and for sending it so quickly.
Thanks again,
JohnM
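The NAT-before-filter order Jim describes, written out as a pf ruleset fragment in the syntax pfSense 2.0.x used (added illustration, not code from the thread or from pfSense itself; the interface name, WAN address and DMZ address are placeholders):

```pf
# Added illustration of the order described above: NAT (step 2) runs before
# the filter (step 3), so the pass rule must match the translated address.
# Not from the thread; em0 and both addresses are made-up placeholders.
ext_if  = "em0"             # WAN interface (assumption)
wan_ip  = "203.0.113.10"    # WAN address (documentation range, placeholder)
dmz_web = "10.0.1.20"       # DMZ web server (placeholder)

# Step 2: NAT. The port forward rewrites the destination before any
# filter rule is evaluated.
rdr on $ext_if proto tcp from any to $wan_ip port 80 -> $dmz_web port 80

# Step 3: filter. By now the destination is $dmz_web, so that is what
# the rule has to match.
pass in quick on $ext_if proto tcp from any to $dmz_web port 80 \
    flags S/SA keep state

# A rule written against the WAN address never matches the forwarded
# traffic, because the translation has already happened:
# pass in on $ext_if proto tcp from any to $wan_ip port 80

# Step 1 is earlier still: Snort or tcpdump on the WAN NIC sees the
# packet with its original destination $wan_ip, before the rdr applies.
```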





_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list