OPNsense Forum

English Forums => General Discussion => Topic started by: thomas-hn on October 07, 2020, 05:59:33 pm

Title: Where does the IDS sniff the packets?
Post by: thomas-hn on October 07, 2020, 05:59:33 pm
Hello,

How does the IDS (Services => Intrusion Detection) receive the incoming packets?

Is it getting the packets before the Firewall? I'm asking because my IDS is currently listening to LAN & WAN, and on the WAN side I see a lot of traffic to ports which are closed in the Firewall.

Can someone please confirm that the IDS sniffs before the Firewall?

Thanks,

Thomas
Title: Re: Where does the IDS sniff the packets?
Post by: mimugmail on October 08, 2020, 06:12:35 am
Yes, it does. The firewall is in the kernel, the IDS is a bit nearer to the NIC, so you can't drop first via pf.
Title: Re: Where does the IDS sniff the packets?
Post by: siga75 on October 09, 2020, 02:51:17 pm
> Yes, it does. The firewall is in the kernel, the IDS is a bit nearer to the NIC, so you can't drop first via pf.

Not sure this is the reason. NIC drivers are part of the kernel, even if a dynamically loaded module, and also run in system mode in order to access the hardware.
Title: Re: Where does the IDS sniff the packets?
Post by: mimugmail on October 09, 2020, 05:43:21 pm
Yes, but pf comes after IPS (incoming direction), that's a fact :)