On 5/17/2015 9:55 AM, AleCaste wrote:
> Hello all,
> 
> We are using shorewall version 4.5.21.6 and we cannot make the firewall work 
> with Suricata IPS (using nfqueue on queue number 0).
> If we set the policy (in policy file):
> 
> net            $FW    ACCEPT
> 
> ... then we can see that suricata receives traffic (http requests we are 
> sending) and those requests are logged alright.
> But if we change the policy to:
> 
> net            $FW    NFQUEUE(0)
> 
> ... then suricata receives no traffic.
> We also tried to change the policy to:
> 
> net            $FW    DROP
> 
> ... and then add the rule (in rules file):
> 
> NFQUEUE(0)      net    $FW           tcp        http,https
> 
> ... but this configuration does not work either.
> What are we doing wrong?
> If there is a "net $FW NFQUEUE(0)" policy or a rule "NFQUEUE(0) net $FW tcp 
> http,https"... why is it that http traffic is not being passed to suricata 
> on queue 0 as we would expect?

Two things:

a) Shorewall policies only affect traffic that doesn't match any
preceding rule.

b) By default, entries in the rules file only affect traffic in the NEW
state. So only the initial SYN packet would match the rule. Therefore,
if you want to use rules, you must place them in the ALL section of the
rules file.

-Tom


-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
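A rules-file layout that follows the two points above, as an added example that is not part of the original thread. It assumes the same zones and queue number as the poster's configuration and the 4.5-era `SECTION` keyword (Shorewall 4.6 and later spell it `?SECTION`); the policy entries are constructed for illustration.

```text
# /etc/shorewall/policy  (constructed example)
# A policy only catches traffic that no rule matched (point a), so it is
# not the place to steer a whole TCP stream into nfqueue. Keep DROP here
# and let an explicit rule decide what Suricata sees.
#SOURCE  DEST  POLICY  LOG LEVEL
net      $FW   DROP    info
$FW      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info

# /etc/shorewall/rules  (constructed example)
# Rules in the NEW section match only the initial SYN (point b), which is
# why the poster's rule never fed Suricata a complete HTTP exchange.
# Rules in the ALL section match every conntrack state, so the SYN and
# every later packet of the connection are queued to nfqueue 0.
# ALL must be the first section in the file; the sections then follow
# in the fixed order ESTABLISHED, RELATED, NEW.
SECTION ALL
#ACTION      SOURCE  DEST  PROTO  DEST_PORT(S)
NFQUEUE(0)   net     $FW   tcp    http,https

SECTION ESTABLISHED
SECTION RELATED
SECTION NEW
# Remaining NEW-state rules go here; anything not matched falls through
# to the net -> $FW DROP policy above.

# Suricata must be listening on the same queue in inline mode, e.g.
#   suricata -q 0 -c /etc/suricata/suricata.yaml
# Packets queued by the rule above are delivered to Suricata for a verdict
# before they reach the firewall host's listening services.
```

Run `shorewall check` after editing to validate the section order before restarting.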


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
