# Recommended/help/concepts for firewall w/Snort 2.9(inline)?

## Btoo

Searching forum posts and even using Google I have noticed a lack of recent discussion about this topic in general and little related to a Gentoo install.

Since the advent of customizable routers with OpenWrt, DD-Wrt and such, this seems to be something fewer people do. I have some general questions to ask before I go read the DAQ.README and try to figure out how all the pieces fit together. I had the intention of building a transparent bridging firewall with Snort but with the new 2.9+ builds am unsure of how to proceed.

I would like to learn more about it, not just rely on my router. The probable topology for this setup would be:

Internet>Screening Router>Snort Firewall>Wireless Router>LAN

The Screening Router is assumed to be necessary for a sane Snort install. The only trouble with this is that I may see very few network exploits, whereas an internet-facing Snort firewall would see an overwhelming amount.

So with that are these assumptions correct or recommended?

- Throw out the transparent bridge for Snort inline? Use bridging at all?
- Use BASE for ease of use/access and Barnyard2 to offload MySql activity of Snort
- Snort 2.9+ uses DAQ, something with which I am completely unfamiliar, in place of Iptables. Would Iptables still be used as the overall firewall or does Snort/DAQ become the firewall? Am I mixing uses unwisely?
- Recommended USE flags for Snort 2.9 used inline? I have the following in package.use:

```
net-analyzer/snort   -ipv6 active-response normalizer mysql dynamicplugin flexresp3 decoder-preprocessor-rules threads
```

It would be great to get some expert pointers to get started in the right direction. Any help would be appreciated!

----------

## Btoo

I see there is some interest in this topic but no replies yet. Please add a post if you have any interest or wisdom to share.

A little reading done now leads my personal project to build a bridging firewall for in LAN use. Later it could be changed to a full blown internet facing firewall with Snort listening on the LAN side.  Iptables (or ebtables?) rules can be added as necessary. For LAN that isn't critical, which is nice while setting up Snort.

```
LAN COMPUTERS------------SNORT FIREWALL-----------ROUTER-----------INTERNET

192.168.1.0/24========eth0<<<>>>eth1======LAN<>WAN
```

Some other links I am working with:

EDIT: http://www.snort.org

http://www.sjdjweis.com/linux/bridging/ EDIT: No bridging used, see below

http://en.gentoo-wiki.com/wiki/Bridging_Network_Interfaces

https://forums.gentoo.org/viewtopic-t-399801-postdays-0-postorder-asc-highlight-snort-start-25.html

http://en.gentoo-wiki.com/wiki/Snort

Snort is a lot easier to install than the Gentoo forum post seems at first read; the latest ebuild takes care of the installation issues. See the latest posts at the end. I was able to install Snort 2.9.0.2 with DAQ 0.4. This latest DAQ is recommended. I am choosing to run amd64 stable with Snort and the involved packages unstable so I can use the latest Snort with DAQ, since anyone upgrading will have to change to DAQ anyway.

My /etc/portage/package.use:

```
net-analyzer/snort   -ipv6 active-response normalizer mysql dynamicplugin flexresp3 decoder-preprocessor-rules threads
net-libs/libpcap -ipv6
media-libs/gd jpeg png
```

The /etc/portage/package.keywords file:

```
net-analyzer/snort   ~amd64
net-libs/daq ~amd64
net-libs/libpcap ~amd64
net-analyzer/base ~amd64
```

It seems Snort 2.9+ does not need a bridge setup. The DAQ module afpacket will do the bridging in place of a standard bridge. DAQ is an added layer to handle packets, which replaces iptables for Snort, not that you can't use iptables also, if I understand correctly.

After some help from Snort-devel mailing list this is how you set up Snort for inline use:

In /etc/snort/snort.conf:

```
config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline
```

At the command line:

```
/usr/bin/snort --daq afpacket --daq-dir /usr/lib64/daq --daq-mode inline
```

I could not set the device IFACE on the command line in Gentoo. If someone has please tell. 

IFACE in /etc/conf.d/snort set to:

```
IFACE="eth0:eth1"
```

This is where afpacket does its magic: inline mode requires one or more sets of interfaces, as in eth0:eth1::eth3:eth4. That you want to bridge them is assumed from these parameters.

Snort starts successfully with no complaining in /var/log/messages.

I should mention the interfaces are set up in /etc/conf.d/net as 

```
config_eth0=( "null" )
config_eth1=( "null" )
```

and also that I did set up a bridge but will delete it once I figure out how to manage the box without addressable NICs! A bridge probably interferes and definitely defeats the purpose of using Snort inline. A third network interface is necessary to manage the box. You could use a VLAN but that will not work well with my stated layout and could allow a "vlan hopping" exploit.

Hopefully this post will pick up some interest! I've become a robo-poster!   :Laughing: 
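As an added example (my own shell, not code from the thread or from the Snort project): a POSIX sh sanity check for the IFACE pair spec and the "null" interface configuration described in the post, to run before starting Snort inline. The `-i` option for passing the pair list on the snort command line is an assumption; the pair format and the rest of the command line are those given in the post.

```shell
#!/bin/sh
# Added example, not from the thread: validate a DAQ afpacket inline
# interface spec (IFACE="eth0:eth1::eth3:eth4" in /etc/conf.d/snort)
# and build the snort command line from the post. Passing the pair list
# with "-i" is an assumption.

# Print one "a b" line per bridged pair; fail on anything not of the
# form a:b::c:d (empty names, a:b:c, or an interface bridged to itself).
daq_pairs() {
    rest="$1"
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        pair=${rest%%::*}
        if [ "$pair" = "$rest" ]; then rest=""; else rest=${rest#*::}; fi
        case "$pair" in *:*:*|:*|*:|"") return 1 ;; esac
        a=${pair%%:*}; b=${pair#*:}
        [ "$a" != "$b" ] || return 1
        printf '%s %s\n' "$a" "$b"
    done
}

# Reject a spec that uses the same interface in two pairs.
daq_spec_ok() {
    pairs=$(daq_pairs "$1") || return 1
    dups=$(printf '%s\n' "$pairs" | tr ' ' '\n' | sort | uniq -d)
    [ -z "$dups" ]
}

# A bridged interface must carry no IPv4 address (config_ethX=( "null" )
# in /etc/conf.d/net); an addressed NIC is a routed host, not a wire.
# Needs iproute2 and real interfaces; names the offender on stderr.
bridged_ifaces_unaddressed() {
    daq_pairs "$1" | tr ' ' '\n' | while read -r dev; do
        if ip -o addr show dev "$dev" 2>/dev/null | grep -q ' inet '; then
            echo "$dev has an IP address; set config_${dev}=( \"null\" )" >&2
            return 1
        fi
    done
}

# The command line from the post, with the option names spelled
# correctly; fails instead of starting Snort on a bad spec.
snort_inline_cmd() {
    daq_spec_ok "$1" || return 1
    printf '/usr/bin/snort --daq afpacket --daq-dir /usr/lib64/daq --daq-mode inline -i %s\n' "$1"
}
```

Run `snort_inline_cmd "$IFACE"` after sourcing /etc/conf.d/snort; an empty result means the spec would not give afpacket a clean set of interface pairs.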

----------

