Andres Taylor wrote:
> On ons, 2003-05-14 at 11:01, Boyan Krosnov wrote:
> [...]
> > You can't stop the packets from coming to your machine. If your IDS
> > (snort) is listening on the outside interface, then you'll see the
> > packets regardless of whether you drop them or not.
>
> Now, this is where my understanding differs from yours. As far as I
> understand, iptables works in kernelland, and will drop the packets
> without them ever reaching userland. Snort, on the other hand, lives and
> works in userland, and should NOT see packets dropped by the kernel.
> I've made some very simple tests, but they support my belief. Are you
> 100% certain that snort should be able to see the packets even if I drop
> them?
Snort and tcpdump use libpcap, which uses raw sockets at the device level,
so it receives packets before netfilter/iptables, which works at the IP
level, even sees them. See packet(7).

I find this diagram useful for seeing the sequence of networking
operations (notice <tcpdump process> at the left):
http://open-source.arkoon.net/kernel/kernel_net.png

HTH,
Jason
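To make the ordering Jason describes concrete, here is a minimal link-layer sniffer built directly on the AF_PACKET socket type documented in packet(7), the same mechanism libpcap uses on Linux. This is an added example, not code from the thread or from snort/libpcap. It assumes Linux, CAP_NET_RAW (or root), and an interface name passed as the first argument (default "eth0", an assumption). Every frame that reaches the recv() loop was tapped at the device level, so an iptables DROP rule on the same host does not hide it from this program, from tcpdump, or from snort; to confirm that a rule is actually dropping, check the rule's packet counters (iptables -vnL) or add a LOG target rather than relying on what the sniffer shows. The parse_frame() helper and the constructed sample frame let the parsing part run without a live interface.

```c
/* Added example: AF_PACKET raw-socket sniffer (the mechanism behind libpcap).
 * Assumes Linux with CAP_NET_RAW; interface name is argv[1] or "eth0". */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <net/if.h>
#include <netinet/ip.h>

struct frame_info {
    uint16_t ethertype;          /* host byte order, e.g. 0x0800 for IPv4 */
    uint8_t  ip_proto;           /* IPv4 protocol number, 0 if not IPv4 */
    char     src[INET_ADDRSTRLEN];
    char     dst[INET_ADDRSTRLEN];
};

/* Decode Ethernet + IPv4 headers from a raw frame.
 * Returns 0 on success, -1 if the frame is too short for the headers it claims. */
int parse_frame(const uint8_t *buf, size_t len, struct frame_info *out)
{
    struct ethhdr eth;
    struct iphdr ip;

    memset(out, 0, sizeof *out);
    if (len < sizeof eth)
        return -1;
    memcpy(&eth, buf, sizeof eth);           /* memcpy avoids unaligned access */
    out->ethertype = ntohs(eth.h_proto);
    if (out->ethertype != ETH_P_IP)
        return 0;                            /* non-IPv4 frame: ethertype only */
    if (len < sizeof eth + sizeof ip)
        return -1;
    memcpy(&ip, buf + sizeof eth, sizeof ip);
    out->ip_proto = ip.protocol;
    inet_ntop(AF_INET, &ip.saddr, out->src, sizeof out->src);
    inet_ntop(AF_INET, &ip.daddr, out->dst, sizeof out->dst);
    return 0;
}

/* Constructed sample frame (not captured traffic): Ethernet header with
 * ethertype 0x0800, then a 20-byte IPv4 header, protocol 6 (TCP),
 * 10.0.0.1 -> 192.0.2.5. Checksum left as zero; parse_frame() ignores it. */
static const uint8_t sample_frame[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,
    0x08, 0x00,
    0x45, 0x00, 0x00, 0x28,  0x00, 0x01, 0x00, 0x00,  0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01,  0xc0, 0x00, 0x02, 0x05,
};

/* Helpers that parse the sample so the decoding logic can be checked offline. */
int sample_ethertype(void)
{
    struct frame_info fi;
    return parse_frame(sample_frame, sizeof sample_frame, &fi) ? -1 : fi.ethertype;
}

int sample_ip_proto(void)
{
    struct frame_info fi;
    return parse_frame(sample_frame, sizeof sample_frame, &fi) ? -1 : fi.ip_proto;
}

int sample_addrs_match(const char *src, const char *dst)
{
    struct frame_info fi;
    if (parse_frame(sample_frame, sizeof sample_frame, &fi))
        return 0;
    return strcmp(fi.src, src) == 0 && strcmp(fi.dst, dst) == 0;
}

/* Parse only the first `len` bytes of the sample (truncation check). */
int parse_truncated_sample(size_t len)
{
    struct frame_info fi;
    return parse_frame(sample_frame, len, &fi);
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0";   /* assumption */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(AF_PACKET)"); return 1; }

    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family   = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex  = if_nametoindex(ifname);
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        perror("bind"); close(fd); return 1;
    }

    uint8_t buf[65536];
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        struct frame_info fi;
        /* Every frame here was tapped at the device level, ahead of netfilter. */
        if (parse_frame(buf, (size_t)n, &fi) == 0 && fi.ethertype == ETH_P_IP)
            printf("%s -> %s proto %u (%zd bytes, seen before iptables)\n",
                   fi.src, fi.dst, fi.ip_proto, n);
    }
    close(fd);
    return 0;
}
```

Run it as root with the interface name, e.g. `./sniff eth0`, while an iptables DROP rule for some source is in place: the dropped packets still print, which is exactly what Boyan described and what the kernel_net diagram shows with the tcpdump tap sitting before the netfilter hooks.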

