On 16/07/2021 01:00, James Moe via Fail2ban-users wrote:
On 7/13/21 11:59 AM, Nick Howitt wrote:
Suricata is a Snort alternative. If it is anything like Snort, it can be
configured to be inside or outside the firewall. In ClearOS, it is
outside the firewall but I assume for other distros it is user configurable.
I am not clear what you mean by "inside" or "outside" the firewall.
Info from iptables:
-A INPUT -j NFQUEUE --queue-num 0 --queue-bypass
-A OUTPUT -j NFQUEUE --queue-num 0 --queue-bypass
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in  out source     destination
1     122K   59M f2b-cgp-s  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    multiport dports 25,465,587
2    1008K   79M f2b-cgp-i  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    multiport dports 143,993
3     173K   61M f2b-sri2t  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    multiport dports 25,53
4     949K   67M f2b-sri-1  udp  --  *   *   0.0.0.0/0  0.0.0.0/0    udp dpt:53
5     122K   59M f2b-assp1  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    multiport dports 25,465,587
6      64M   46G NFQUEUE    all  --  *   *   0.0.0.0/0  0.0.0.0/0    NFQUEUE num 0 bypass
7    1262K  518M ACCEPT     all  --  *   *   0.0.0.0/0  0.0.0.0/0    ctstate RELATED,ESTABLISHED
fail2ban is started before suricata to ensure that it processes packets
before suricata.
.... and to the list:
It has nothing to do with those commands or the order in which you start the
services. When traffic comes into your system it is processed by it in a
particular order. If it goes to Suricata before it hits the firewall,
Suricata is outside the firewall, and vice versa. As an example, if you
use tcpdump on your external interface, you can always see packets
arriving irrespective of whether there is a firewall block. As such, tcpdump
is outside the firewall. The same goes for my implementation of Snort
and, possibly, your implementation of Suricata.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
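For an NFQUEUE-based Suricata, the question "before or after the firewall" is answered by where the NFQUEUE rule sits in the chain, because netfilter walks the INPUT chain top to bottom and a REJECT/DROP in an earlier f2b-* chain ends the walk before the packet is ever queued to userspace. The script below is an added example (not code from the thread, from fail2ban or from Suricata): it parses the INPUT listing posted above, re-joined onto one line per rule, and reports which rules are evaluated before and after NFQUEUE, whether any fail2ban chain precedes it, and whether --queue-bypass is set (with bypass, the rule behaves like ACCEPT whenever nothing is listening on the queue, i.e. the IDS fails open). The chain-name prefix f2b- is fail2ban's default; the function names are my own.

```python
"""Where does an NFQUEUE (inline Suricata) rule sit relative to fail2ban's
chains?  Added example; SAMPLE_LISTING is the INPUT chain from the thread
above, re-joined so each rule is on one line (assumed format: output of
`iptables -nvL INPUT --line-numbers`)."""

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in  out source     destination
1     122K   59M f2b-cgp-s  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    multiport dports 25,465,587
2    1008K   79M f2b-cgp-i  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    multiport dports 143,993
3     173K   61M f2b-sri2t  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    multiport dports 25,53
4     949K   67M f2b-sri-1  udp  --  *   *   0.0.0.0/0  0.0.0.0/0    udp dpt:53
5     122K   59M f2b-assp1  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    multiport dports 25,465,587
6      64M   46G NFQUEUE    all  --  *   *   0.0.0.0/0  0.0.0.0/0    NFQUEUE num 0 bypass
7    1262K  518M ACCEPT     all  --  *   *   0.0.0.0/0  0.0.0.0/0    ctstate RELATED,ESTABLISHED
"""


def parse_chain(listing):
    """Parse `iptables -nvL <chain> --line-numbers` output into rule dicts.

    Columns are: num pkts bytes target prot opt in out source destination
    followed by an optional free-form match column (multiport, ctstate, ...).
    """
    rules = []
    for line in listing.splitlines():
        fields = line.split(None, 10)
        # Skip the "Chain ..." header and the column-name line.
        if len(fields) < 10 or not fields[0].isdigit():
            continue
        rules.append({
            "num": int(fields[0]),
            "target": fields[3],
            "proto": fields[4],
            "source": fields[8],
            "destination": fields[9],
            "match": fields[10] if len(fields) > 10 else "",
        })
    return rules


def nfqueue_report(rules, ids_prefix="f2b-"):
    """Describe the NFQUEUE rule's position in the chain.

    netfilter evaluates rules top to bottom, so every target listed in
    "before" gets its chance to DROP/REJECT a packet before the IDS in
    userspace sees it; everything in "after" only runs on packets the
    IDS has already accepted back from the queue.
    """
    nfq = next((r for r in rules if r["target"] == "NFQUEUE"), None)
    if nfq is None:
        return {"nfqueue_rule": None, "before": [], "after": [],
                "bypass": False, "fail2ban_first": False}
    before = [r["target"] for r in rules if r["num"] < nfq["num"]]
    after = [r["target"] for r in rules if r["num"] > nfq["num"]]
    return {
        "nfqueue_rule": nfq["num"],
        "before": before,
        "after": after,
        # "bypass" in the match column means --queue-bypass: the rule acts
        # like ACCEPT when no program is attached to the queue (fail-open).
        "bypass": "bypass" in nfq["match"].split(),
        # True when at least one fail2ban chain precedes the queue rule.
        "fail2ban_first": any(t.startswith(ids_prefix) for t in before),
    }


if __name__ == "__main__":
    report = nfqueue_report(parse_chain(SAMPLE_LISTING))
    print("NFQUEUE is rule", report["nfqueue_rule"])
    print("evaluated before it:", ", ".join(report["before"]))
    print("evaluated after it: ", ", ".join(report["after"]))
    print("fail2ban chains precede the IDS:", report["fail2ban_first"])
    print("queue-bypass (IDS fails open):", report["bypass"])
```

Run against a live box with `iptables -nvL INPUT --line-numbers` piped in instead of SAMPLE_LISTING. For the listing in the thread the result is that all five f2b-* chains run before NFQUEUE, so a host fail2ban has banned on those ports never reaches Suricata, whatever order the two daemons were started in; the bypass flag is the thing to double-check, since with it set a crashed or stopped Suricata silently turns the queue rule into ACCEPT.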