Hello

I am confused about something. I have recently upgraded from 4.5 to 4.9 (not 5.0 yet). However, I have openbsd/pf as a firewall to protect a home network. Now, even though I don't really understand it all, I had/have snort running on the FW to see what kind of badness passes by.

With 4.5, I had snort listening to pflog0, because I understood that listening to the interface directly (e.g. "bge0") would not work since any packets dropped by pf would not be seen by snort. However, when I upgraded to 4.9 and snort 2.9.1.x, I have noticed that snort appears to see packets that are dropped by pf when it listens on the interface directly (bge0). I don't think I ever checked this with openbsd 4.5 (listening on the interface directly).

So, I was wondering, is this expected? Should snort see packets dropped by pf when listening to the interface? I guess if the answer is "no," I will need to check my pf.conf, although when I scan myself the only port open to the internet is ssh, everything else is silently dropped (which is as it should be).

Thanks for any clarification.

Bye - ted