How is This Different Than Today and Why is It Better?

This basically refers to a mode of operation whereby the rule inspection engine (Suricata in our case) sits between the network interface card and the kernel's network stack. All traffic coming from the network card to the kernel, and all traffic going to the network card from the kernel, passes through the rule inspection engine. There is no bypass and no packet copying. If a Suricata rule configured with the DROP keyword fires on a packet, that packet is not passed on and is in effect "dropped". Now here is another key piece of information. When running in inline IPS mode, Suricata sits between the network interface card and the pf packet filter (the firewall). That means Suricata will see, inspect, and either pass or drop inbound traffic from the interface to the firewall BEFORE any firewall rules are applied. However, in the opposite direction (from the firewall packet filter outbound to the NIC) Suricata will see the traffic BEFORE the NIC does and AFTER the firewall rules have been applied. Suricata can still pass or drop the outbound traffic, though.
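To make the "between the NIC and the host stack" arrangement concrete, here is an added configuration example; it is not from the original post or from the pfSense package. It assumes a Suricata 3.x `suricata.yaml` on pfSense 2.3 with an em-driver interface named `em0` (the interface name is an assumption). In netmap naming, `em0` is the physical card and `em0^` is the kernel's host stack for that card, so pairing the two in `ips` copy mode is what puts Suricata inline in both directions; the rule below uses the `drop` action the post refers to, with a placeholder sid.

```yaml
# Added example (not the pfSense package's generated config).
# Netmap section of suricata.yaml: two entries, one per direction.
netmap:
  # Packets arriving on the card are inspected, then copied to the
  # host stack (em0^), where pf sees them AFTER Suricata has decided.
  - interface: em0           # assumed physical interface name
    threads: auto
    copy-mode: ips           # "ips" forwards only what is not dropped; "tap" would only mirror
    copy-iface: em0^         # netmap name for the host (kernel) side of em0
    disable-promisc: no
    checksum-checks: auto
  # Packets leaving the host stack (already filtered by pf) are inspected,
  # then copied out to the physical card.
  - interface: em0^
    threads: auto
    copy-mode: ips
    copy-iface: em0
    disable-promisc: no
    checksum-checks: auto

# Example drop rule (constructed, placeholder sid) to put in a rules file.
# With copy-mode "ips" a matching packet is not copied to the peer
# interface, which is what the post means by "dropped".
#
# drop tcp any any -> $HOME_NET 23 (msg:"EXAMPLE telnet to protected host blocked inline"; sid:9000001; rev:1;)
```

Suricata would then be started with `suricata --netmap -c /path/to/suricata.yaml` (path is a placeholder). One check worth doing before trusting the setup: run with `copy-mode: tap` first and confirm that alerts appear in the log for traffic you expect to match, then switch to `ips`; if the card's driver lacks netmap support, Suricata fails to open `em0` at startup rather than silently passing traffic around the engine.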
#3 - Not all network cards support Netmap. Many of the popular ones do, but not all. Someone posted a list of the FreeBSD drivers that currently support Netmap over in the pfSense 2.3-BETA forum. I suspect support will get more common, but for now just realize not all cards will work. I have been using the em driver in my virtual machines and it works fine. If your card does not support the new inline mode, just use it in the Legacy Mode (described below) until such time as your card is either supported or you decide to switch to one that is.

#2 - No, this is not currently available for Snort. It might be in the future, but that is currently uncertain. Snort's DAQ module is not as Netmap friendly as Suricata is. If this is ever available for Snort, it would also only be on the pfSense 2.3 and higher platform.
#1 - No, this is not and will not be available for Suricata 2.0.x on pfSense 2.2.x. The inline IPS mode will only be available on pfSense 2.3 and above with the Suricata 3.0 and above binary. Sorry, but the needed Netmap support just isn't there in the older versions. So plan on upgrading if you want true inline IPS mode with Suricata.
Rejoice! True high-speed inline mode IPS is coming with pfSense 2.3 and its new Netmap support. I have a working Suricata package and in the next few posts will show some screen shots of the new IPS mode in action and how to set it up.

This article is old, but check out pfSense 2.3 and use tools such as "pfBlockerNG" for GeoIP blocking.