Greetings to everyone.
I recently switched to firewalld since it is the default on SUSE. I have three interfaces: eth0 (WAN) in the drop zone, eth1 (LAN) in the internal zone and wlan0 in dmz. I've compiled and installed suricata-5.0.3 on the system but couldn't get nfqueue mode working; the engine doesn't see any traffic.
I used to use iptables with Suricata in nfqueue mode with three simple rules:
iptables -I FORWARD -j NFQUEUE
iptables -I INPUT -j NFQUEUE
iptables -I OUTPUT -j NFQUEUE
Based on these I tried the following rules:
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -j NFQUEUE
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -j NFQUEUE
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -j NFQUEUE
Under this scenario the engine doesn't see any traffic at all. My firewalld state:
# firewall-cmd --zone=drop --list-all
drop (active)
target: DROP
icmp-block-inversion: no
interfaces: eth0
sources: ipset:blacklist4 ipset:bogons4 ipset:bogons6 ipset:country4 ipset:country6
services: ssh cockpit squid evebox
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule source ipset="sshguard4" drop
rule source ipset="sshguard6" drop
rule family="ipv6" source ipset="sshguard6" drop
rule family="ipv4" source ipset="sshguard4" drop
# firewall-cmd --zone=internal --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces: eth1
sources:
services: ssh mdns samba-client dhcpv6-client squid evebox ntopng
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Suricata state, nfqueue mode:
# suricata -c /usr/local/etc/suricata/suricata.yaml -q 0
28/8/2020 -- 02:29:50 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
28/8/2020 -- 02:30:16 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
^C28/8/2020 -- 02:43:38 - <Notice> - Signal Received. Stopping engine.
28/8/2020 -- 02:43:38 - <Notice> - (W-NFQ#0) Treated: Pkts 0, Bytes 0, Errors 0
28/8/2020 -- 02:43:38 - <Notice> - (W-NFQ#0) Verdict: Accepted 0, Dropped 0, Replaced 0
Segmentation fault (core dumped)
Suricata state, af-packet mode:
# suricata -c /usr/local/etc/suricata/suricata.yaml --af-packet
28/8/2020 -- 03:09:46 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
28/8/2020 -- 03:10:12 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
^C28/8/2020 -- 03:11:11 - <Notice> - Signal Received. Stopping engine.
28/8/2020 -- 03:11:12 - <Notice> - Stats for 'eth0': pkts: 398627, drop: 0 (0.00%), invalid chksum: 0
28/8/2020 -- 03:11:12 - <Notice> - Stats for 'eth1': pkts: 3765193, drop: 20450 (0.54%), invalid chksum: 0
Some people will say to switch to iptables, but at this point that is not an option, since I have implemented some firewalld-specific mechanisms; firewalld's block/unblock and ipset management is more convenient than with iptables. Please help me understand the proper firewalld rule syntax for setting up an IPS.
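As an added example, not part of the original post: the three NFQUEUE rules above expressed as firewalld direct rules for both address families (the post only covers ipv4), made permanent, with `--queue-bypass` so packets pass instead of being dropped while nothing is bound to the queue, followed by a check of `/proc/net/netfilter/nfnetlink_queue` that distinguishes a queue with no listener from one that is bound but has never received a packet, which is the symptom described above. It assumes Suricata is started with `-q 0`, that firewalld's direct interface is available (firewalld hands these arguments to iptables/ip6tables, also under the nftables backend), and that it runs as root; the sample `nfnetlink_queue` line in the test is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes Suricata is bound to
# NFQUEUE 0 (suricata -q 0) and that firewalld's direct interface is usable.
set -eu

QUEUE=${QUEUE:-0}

# Arguments of one firewall-cmd direct rule for a family/chain pair. Priority 0
# puts the rule at the top of firewalld's <CHAIN>_direct chain. --queue-bypass
# makes the kernel accept packets while no program is bound to the queue, so a
# Suricata crash or restart does not take the host offline.
nfq_rule_args() { # family chain
    printf '%s filter %s 0 -j NFQUEUE --queue-num %s --queue-bypass' "$1" "$2" "$QUEUE"
}

# Install the rules for ipv4 and ipv6 into the permanent configuration, reload
# so they become active, and print what firewalld now holds for verification.
install_nfq_rules() {
    for fam in ipv4 ipv6; do
        for chain in INPUT OUTPUT FORWARD; do
            # word splitting of the argument string is intended here
            # shellcheck disable=SC2046
            firewall-cmd --permanent --direct --add-rule $(nfq_rule_args "$fam" "$chain")
        done
    done
    firewall-cmd --reload
    firewall-cmd --direct --get-all-rules
}

# Classify queue $QUEUE from /proc/net/netfilter/nfnetlink_queue read on stdin.
# Each line: queue_num peer_portid pkts_waiting copy_mode copy_range
#            queue_dropped user_dropped id_sequence 1
# A queue line exists only while a userspace program is bound to it, and
# id_sequence counts every packet ever handed to that queue.
# Prints exactly one word: unbound, idle or active.
nfq_state() {
    awk -v q="$QUEUE" '
        $1 == q {
            found = 1
            if ($2 == 0)      state = "unbound"   # no listener bound
            else if ($8 == 0) state = "idle"      # bound, but no packet ever queued
            else              state = "active"    # packets are reaching the listener
        }
        END { print (found ? state : "unbound") }'
}

# Human-readable report of the live kernel state for the operator.
nfq_report() {
    state=$(nfq_state < /proc/net/netfilter/nfnetlink_queue)
    case $state in
        unbound) echo "queue $QUEUE has no listener: is 'suricata -q $QUEUE' running?" ;;
        idle)    echo "queue $QUEUE is bound but has received no packets: the NFQUEUE rules are not matching" ;;
        active)  echo "queue $QUEUE is receiving packets" ;;
    esac
}

# Usage: ./nfq.sh install   (add rules)   ./nfq.sh check   (inspect the queue)
case ${1:-} in
    install) install_nfq_rules ;;
    check)   nfq_report ;;
esac
```

Run `check` while Suricata is running and traffic is flowing: `idle` means the engine is bound but the rules never queue anything, so the problem is on the firewalld side (compare `firewall-cmd --direct --get-all-rules` with `iptables -S INPUT_direct`); `unbound` means Suricata itself is not attached to the queue.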