Hi, I use Shorewall on my router/gateway based on Debian 10 (buster). The machine has multiple interfaces and zones with different policies and rules for what they are allowed to do. Now I would like to add Suricata to the mix for IDS purposes (and eventually IPS at a later point). However, I don't fully understand how I would set this up exactly (without opening up my firewall entirely).
Ideally, what I would like to achieve is that Suricata only scans traffic that is allowed through my external (WAN) interface. That means I don't want to bother it with packets that would be dropped anyway (either through specific rules, default policy or blacklisted ipsets).

Let's start with the less critical IDS-only configuration via NFLOG: I'm assuming that if I were to put just two rules like this into the ALL section of my shorewall rules file, Suricata would see all traffic passing through my external interface, even the packets that would be dropped anyway:

    NFLOG(1)    net    all
    NFLOG(1)    all    net

So my first question is: If I wanted to pass only the accepted traffic to Suricata, do I have to duplicate every rule that accepts packets with an identical NFLOG rule in the ALL section of the rules file? If so, is there anything I need to consider regarding MASQUERADE rules in the snat file? And in the policy file, can I add NFLOG(1) as the log level to any zone that has a default ACCEPT policy, or is the specification of the NFLOG group id not allowed in the policies file?

My second question is about NFQUEUE (with Suricata in IPS mode). If I understand the concept correctly, the response of the userspace program with NFQUEUE determines if a packet is accepted or dropped. So just two NFQUEUE rules as shown above would be hazardous, as that would allow all traffic passing through the external interface unless dropped by Suricata. So, I guess I could replace all my ACCEPT rules with NFQUEUE rules, and that would only change the firewall behaviour if Suricata decides to block certain packets/sources. Otherwise the firewall would behave just like before. Is that correct so far? Then adding the bypass option would be safe, too. Correct? Do I need to take anything special into account with regards to NAT helper rules and WHITELIST rules in the blacklist file?
Thanks and regards,
Timo

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
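The two transformations Timo asks about (mirroring every ACCEPT rule that touches the net zone as an NFLOG rule in the ALL section for IDS, and rewriting those same ACCEPT rules as NFQUEUE for IPS) are mechanical enough to script. The following is an added example, not code from the post or from the Shorewall or Suricata projects; it works on a constructed rules file, assumes Shorewall's ?SECTION markers and the documented NFQUEUE(queue[,bypass]) action syntax, and the column layout it parses (ACTION SOURCE DEST PROTO DPORT) is the standard one but the sample rules themselves are made up. NFLOG and NFQUEUE are filter-table actions, so nothing in the snat file needs duplicating; the point the script makes visible is that the original DROP/REJECT handling and the non-net rules stay exactly as they were, which is what keeps the firewall from opening up.

```python
"""Rewrite Shorewall 'rules' entries for Suricata integration (added example).

IDS:  copy every ACCEPT rule that touches the external zone into a
      ?SECTION ALL block as NFLOG(<group>); NFLOG is non-terminating, so
      the original ACCEPT rules still decide the verdict and Suricata
      (listening on that nflog group) only sees traffic that passes them.
IPS:  rewrite the same ACCEPT rules as NFQUEUE(<queue>[,bypass]) so
      Suricata's verdict applies; with 'bypass' the packets are accepted
      instead of dropped if nothing is listening on the queue.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rules file (not a real configuration).
SAMPLE_RULES = """\
# constructed sample, not a real configuration
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
DROP        all     all
?SECTION NEW
ACCEPT      net     $FW     tcp     22
ACCEPT      net     dmz     tcp     80,443
ACCEPT:info loc     net     tcp     25
ACCEPT      loc     $FW     udp     53
DROP        net     all
"""


@dataclass
class Rule:
    section: Optional[str]   # ALL, ESTABLISHED, RELATED, INVALID, UNTRACKED, NEW or None
    action: str              # ACTION column exactly as written (may carry :level)
    rest: List[str]          # SOURCE DEST PROTO DPORT ... columns as written


def parse_rules(text: str) -> List[Rule]:
    """Parse a Shorewall rules file into Rule objects, tracking ?SECTION."""
    section = None
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0].upper() == "?SECTION":
            section = fields[1].upper()
            continue
        rules.append(Rule(section, fields[0], fields[1:]))
    return rules


def is_accept(rule: Rule) -> bool:
    """True for ACCEPT, ACCEPT+, ACCEPT! and logged variants such as ACCEPT:info."""
    return rule.action.split(":", 1)[0].rstrip("+!").upper() == "ACCEPT"


def touches_zone(rule: Rule, zone: str) -> bool:
    """True if SOURCE or DEST names the zone (with or without a host qualifier)."""
    def zone_of(col: str) -> str:
        return col.split(":", 1)[0]             # "net:192.0.2.0/24" -> "net"
    src = rule.rest[0] if len(rule.rest) > 0 else "-"
    dst = rule.rest[1] if len(rule.rest) > 1 else "-"
    return zone in (zone_of(src), zone_of(dst))


def nflog_mirror(rules: List[Rule], zone: str = "net", group: int = 1) -> List[str]:
    """IDS: NFLOG copies of the zone's ACCEPT rules, ready for a ?SECTION ALL block."""
    lines = ["?SECTION ALL"]
    for r in rules:
        # Rules outside any section are implicitly NEW-section rules.
        if r.section in (None, "NEW") and is_accept(r) and touches_zone(r, zone):
            lines.append("\t".join([f"NFLOG({group})", *r.rest]))
    return lines


def nfqueue_rewrite(rules: List[Rule], zone: str = "net", queue: int = 1,
                    bypass: bool = True) -> List[str]:
    """IPS: rewrite the zone's ACCEPT rules as NFQUEUE; everything else is kept verbatim.

    A log-level suffix on the ACCEPT rule (ACCEPT:info) is not carried over;
    logging of queued packets is left to Suricata.
    """
    action = f"NFQUEUE({queue},bypass)" if bypass else f"NFQUEUE({queue})"
    out, current = [], None
    for r in rules:
        if r.section != current:                # emit section headers as we cross them
            current = r.section
            if current:
                out.append(f"?SECTION {current}")
        act = action if (is_accept(r) and touches_zone(r, zone)) else r.action
        out.append("\t".join([act, *r.rest]))
    return out


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("# IDS block for the ALL section")
    print("\n".join(nflog_mirror(parsed)))
    print("\n# IPS rules file")
    print("\n".join(nfqueue_rewrite(parsed)))
```

Running the script prints the ALL-section NFLOG block and the rewritten rules file side by side; the loc-to-$FW DNS rule and both DROP rules come through untouched, and only the three rules that involve the net zone are mirrored or rewritten. One thing worth checking on the generated IPS file is that anything the blacklist or blrules stage drops never reaches these NFQUEUE rules at all, which is exactly the behaviour Timo wants: Suricata is only consulted for packets the firewall was already going to accept.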