Welcome, Guest. Please login or register.
Did you miss your activation email?
Saturday 02 November 2024, 07:30:42 am

Login with username, password and session length

Get the new Updates directly from Endian  HERE
14248 Posts in 4376 Topics by 6515 Members
Latest Member: hulteends
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  2.4 Intrusion Prevention service started, 'Allow with IPS' always set?
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: 2.4 Intrusion Prevention service started, 'Allow with IPS' always set?  (Read 15221 times)
boblowski
Jr. Member
*
Offline Offline

Posts: 3


« on: Sunday 08 August 2010, 06:21:36 am »

Hello all,

A Monowall/pfSense user here who just recently discovered EFW, so perhaps I misunderstand a thing or two and somebody can help me.

I have a fairly basic test setup with a 'red', 'green' and 'orange' net. Added 2 NAT rules to forward requests to internal HTTP/HTTPS servers and for the rest some basic rules for outgoing and interzone traffic. (This in VMware ESXi 4.1 with E1000 NIC's.) Everything seems to work well.

Now I wanted to add Snort/IPS _only_ for incoming NAT traffic, so I switched on the Intrusion Prevention service, downloaded IPS rules and changed the NAT rules from 'allow' to 'allow with IPS'. All other rules are still just 'allow' with IPS. All relevant IPS rules were changed from 'alert' to 'block'. (BTW, another question: It's not possible to block IP's instead of just the request?)

That works for incoming NAT traffic and rules get triggered. The problem however is that the IPS seems to monitor _all_ traffic, even outgoing traffic and interzone traffic. Snort blocks for example incoming responses to outgoing DNS queries and things like interzone non-SSL HTTP authentication requests.

I'm by no means a network specialist, so perhaps I just misunderstand something. Any help is appreciated!

Thanks, Bob
Logged
boblowski
Jr. Member
*
Offline Offline

Posts: 3


« Reply #1 on: Wednesday 11 August 2010, 07:00:33 pm »

Hello again,

I really hope somebody can point me in the right direction. After searching the forums I found that other people have the same problem, like:

<FORUM URL>/index.php?topic=1733.0

But no answers. Is this a know bug or limitation? Where can I find more information?

Since this severely limits the usability of EFW, I take it for most people it 'just works' and the problem must be at my side. Any hints perhaps?

Thanks, Bob
Logged
boblowski
Jr. Member
*
Offline Offline

Posts: 3


« Reply #2 on: Tuesday 24 August 2010, 07:09:20 pm »

A small bump...

After trying for some time to get this to work, I'm about to give up on Endian Firewall. Snort is absolutely required for us, but EFW only seems to work correctly if IPS is switched off.

Is there anybody out here using EFW that is actually using the IPS/snort functionality? Before I spend any more time on this, it would really help me a lot to know if this is supposed to work or if this is a known limitation of EFW.

Thanks, Bob
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.047 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com