EFW Support

Support => General Support => Topic started by: boblowski on Sunday 08 August 2010, 06:21:36 am
Title: 2.4 Intrusion Prevention service started, 'Allow with IPS' always set?
Post by: boblowski on Sunday 08 August 2010, 06:21:36 am
Hello all,

A Monowall/pfSense user here who just recently discovered EFW, so perhaps I misunderstand a thing or two and somebody can help me.

I have a fairly basic test setup with a 'red', 'green' and 'orange' net. Added 2 NAT rules to forward requests to internal HTTP/HTTPS servers and for the rest some basic rules for outgoing and interzone traffic. (This in VMware ESXi 4.1 with E1000 NICs.) Everything seems to work well.

Now I wanted to add Snort/IPS _only_ for incoming NAT traffic, so I switched on the Intrusion Prevention service, downloaded IPS rules and changed the NAT rules from 'allow' to 'allow with IPS'. All other rules are still just 'allow' with IPS. All relevant IPS rules were changed from 'alert' to 'block'. (BTW, another question: It's not possible to block IPs instead of just the request?)

That works for incoming NAT traffic and rules get triggered. The problem however is that the IPS seems to monitor _all_ traffic, even outgoing traffic and interzone traffic. Snort blocks for example incoming responses to outgoing DNS queries and things like interzone non-SSL HTTP authentication requests.

I'm by no means a network specialist, so perhaps I just misunderstand something. Any help is appreciated!

Thanks, Bob
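One way to check, from the Snort alert log itself, which zone pairs the IPS is actually inspecting: the script below parses Snort's fast-format alert lines, assigns each source and destination address to a zone, and reports every alert that is not inbound traffic to a NAT-forwarded server. This is an added example, not code from the thread or from Endian; the green/orange subnets, the DNAT targets and the alert lines are constructed for illustration, and anything outside the local zones is treated as the red side.

```python
"""Attribute Snort fast-format alerts to EFW zone pairs.

Constructed example: subnets, NAT targets and alert lines below are
assumptions for illustration, not values from the forum thread.
"""
import ipaddress
import re

# Assumed zone layout; the thread names red/green/orange but gives no subnets.
ZONES = {
    "green": ipaddress.ip_network("192.168.0.0/24"),    # assumed LAN
    "orange": ipaddress.ip_network("192.168.10.0/24"),  # assumed DMZ
}
# Assumed DNAT targets (the internal HTTP/HTTPS servers the poster forwards to).
NAT_FORWARD_TARGETS = {("192.168.10.10", 80), ("192.168.10.10", 443)}

# Snort "fast" alert line, e.g.
# 08/08-06:21:36.100000  [**] [1:1000001:1] msg [**] [Classification: x] [Priority: 1] {TCP} a.b.c.d:p -> w.x.y.z:q
# Ports are optional so ICMP alerts (no ports) parse too; Classification may be absent.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def zone_of(ip):
    """Return the zone an address belongs to; anything non-local is treated as red."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "red"


def parse_alert(line):
    """Parse one fast-format alert line into a dict, or None if it does not match."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport"):
        d[key] = int(d[key]) if d[key] else None
    d["prio"] = int(d["prio"])
    return d


def classify(alert):
    """Name the zone pair / traffic class an alert belongs to."""
    src_zone, dst_zone = zone_of(alert["src"]), zone_of(alert["dst"])
    if src_zone == "red" and dst_zone == "red":
        return "transit"          # should not occur on a three-zone firewall
    if src_zone == "red":
        if (alert["dst"], alert["dport"]) in NAT_FORWARD_TARGETS:
            return "inbound-nat"  # the only class the poster wants inspected
        return "return-traffic"   # e.g. a DNS answer coming back to a green client
    if dst_zone == "red":
        return "outbound"
    return "interzone"            # green <-> orange


def audit(lines, wanted=("inbound-nat",)):
    """Count alerts per class and list those outside the classes we expect IPS to see."""
    counts = {}
    unexpected = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        cat = classify(alert)
        counts[cat] = counts.get(cat, 0) + 1
        if cat not in wanted:
            unexpected.append((cat, alert["sid"], alert["msg"], alert["src"], alert["dst"]))
    return counts, unexpected


# Constructed alert lines (sids 1000001+ are in the local-rule range, not real rules).
SAMPLE_ALERTS = [
    "08/08-06:21:36.100000  [**] [1:1000001:1] CONSTRUCTED web attack vs DNAT target [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.168.10.10:80",
    "08/08-06:21:37.200000  [**] [1:1000002:1] CONSTRUCTED suspicious DNS response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 198.51.100.53:53 -> 192.168.0.20:40123",
    "08/08-06:21:38.300000  [**] [1:1000003:1] CONSTRUCTED cleartext HTTP basic auth [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.20:50000 -> 192.168.10.10:80",
    "08/08-06:21:39.400000  [**] [1:1000004:1] CONSTRUCTED ICMP probe [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.168.0.20",
]

if __name__ == "__main__":
    counts, unexpected = audit(SAMPLE_ALERTS)
    print("alerts per class:", counts)
    for cat, sid, msg, src, dst in unexpected:
        print(f"not inbound-NAT: [{cat}] sid={sid} {src} -> {dst}: {msg}")
```

Run against the real alert file instead of SAMPLE_ALERTS after filling in the actual subnets and DNAT targets: a non-empty "return-traffic" or "interzone" list is direct evidence that the IPS is seeing more than the NAT rules, which is the symptom described above, and the per-sid counts show which rules to tune first.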


Title: Re: 2.4 Intrusion Prevention service started, 'Allow with IPS' always set?
Post by: boblowski on Wednesday 11 August 2010, 07:00:33 pm
Hello again,

I really hope somebody can point me in the right direction. After searching the forums I found that other people have the same problem, like:

<FORUM URL>/index.php?topic=1733.0

But no answers. Is this a known bug or limitation? Where can I find more information?

Since this severely limits the usability of EFW, I take it for most people it 'just works' and the problem must be at my side. Any hints perhaps?

Thanks, Bob


Title: Re: 2.4 Intrusion Prevention service started, 'Allow with IPS' always set?
Post by: boblowski on Tuesday 24 August 2010, 07:09:20 pm
A small bump...

After trying for some time to get this to work, I'm about to give up on Endian Firewall. Snort is absolutely required for us, but EFW only seems to work correctly if IPS is switched off.

Is there anybody out here using EFW that is actually using the IPS/snort functionality? Before I spend any more time on this, it would really help me a lot to know if this is supposed to work or if this is a known limitation of EFW.

Thanks, Bob