edo> (...) it seems if I create a rule to let a specific packet through
edo> the firewall then snort sees it; if I block it, then it never gets
edo> logged by snort. So I am totally confused and pulling out my hair.
edo> I have posted my snort configs to the snort list and no one sees
edo> anything wrong with it.
Are you sure that you snort on the right (=correct) side of your firewall? I.e. does the traffic you block arrive at the interface you are snorting on?

On a plain two-legged router you can snort on if0 all traffic that comes from the network connected to if0, and on if1 you can snort all traffic that comes from the network that is connected to if1! If you have your LAN on if0 and "the internet" on if1 you can see all traffic originating *from* the internet on if1 (regardless of your pf rules) and all traffic *from* the LAN on if0. Obviously a packet from your LAN blocked by pf won't show up on if1!!! (and the other way round)

-- 
Best regards,
Max
mailto:[EMAIL PROTECTED]
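The interface-placement point Max makes above, as an added model that is not part of this thread: a two-legged router with a LAN on if0 and the internet on if1, pf rules evaluated with last-match-wins semantics (no `quick`), and a sniffer such as snort that taps an interface before inbound filtering and after outbound filtering. The addressing, rule set and helper names are constructed for illustration; the function returns the set of interfaces on which a sniffer would observe a given packet, so you can check where a blocked packet is and is not visible.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, List

# Constructed sample topology: LAN behind if0, "the internet" behind if1.
LAN = ip_network("192.168.1.0/24")
IFACES = {"lan": "if0", "internet": "if1"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    """Simplified pf rule: 'block' or 'pass' on one interface and direction."""
    action: str          # "block" or "pass"
    iface: str           # pf "on ifN"
    direction: str       # "in" or "out"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet, iface: str, direction: str) -> bool:
        if self.iface != iface or self.direction != direction:
            return False
        return self.dport is None or self.dport == pkt.dport


def ingress_iface(pkt: Packet) -> str:
    """Interface the packet arrives on, decided by which network the source is in."""
    return IFACES["lan"] if ip_address(pkt.src) in LAN else IFACES["internet"]


def egress_iface(pkt: Packet) -> str:
    """Interface the router would forward the packet out of."""
    return IFACES["lan"] if ip_address(pkt.dst) in LAN else IFACES["internet"]


def pf_decision(pkt: Packet, rules: List[Rule], iface: str, direction: str) -> str:
    """pf without 'quick': the last matching rule wins; default policy is pass."""
    decision = "pass"
    for rule in rules:
        if rule.matches(pkt, iface, direction):
            decision = rule.action
    return decision


def sniffer_visibility(pkt: Packet, rules: List[Rule]) -> Set[str]:
    """Return the interfaces on which a sniffer (snort, tcpdump) sees the packet.

    Model assumption: the tap on the ingress interface fires before pf filters
    inbound, so a packet is always visible on the interface it arrives on;
    the tap on the egress interface fires only if pf let the packet through.
    """
    seen = {ingress_iface(pkt)}
    if pf_decision(pkt, rules, ingress_iface(pkt), "in") == "block":
        return seen
    out_if = egress_iface(pkt)
    if pf_decision(pkt, rules, out_if, "out") == "block":
        return seen
    seen.add(out_if)
    return seen


# Constructed rule set: block telnet (23) from the LAN, block inbound 23 from the internet.
RULES = [
    Rule("block", "if0", "in", dport=23),
    Rule("block", "if1", "in", dport=23),
]


def demo() -> dict:
    lan_telnet = Packet("192.168.1.10", "203.0.113.5", 23)   # blocked on if0 in
    lan_web = Packet("192.168.1.10", "203.0.113.5", 80)      # passes, forwarded out if1
    inet_telnet = Packet("203.0.113.5", "192.168.1.10", 23)  # blocked on if1 in
    return {
        "lan_telnet": sniffer_visibility(lan_telnet, RULES),
        "lan_web": sniffer_visibility(lan_web, RULES),
        "inet_telnet": sniffer_visibility(inet_telnet, RULES),
    }


if __name__ == "__main__":
    for name, ifaces in demo().items():
        print(f"{name}: visible on {sorted(ifaces)}")
```

Running it shows the blocked LAN telnet packet visible on if0 only, the blocked inbound telnet packet on if1 only, and the permitted web request on both: a sensor that listens only on the interface *beyond* the firewall never logs what pf dropped, which is the symptom edo describes.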