firewalld setup for suricata IPS running in nfqueue mode

Greetings to everyone.

I recently switched to firewalld since it is the default in SUSE. I have three interfaces: eth0 (WAN) in the drop zone, eth1 (LAN) in the internal zone and wlan0 in dmz. I’ve compiled & installed suricata-5.0.3 on the system but couldn’t get nfqueue mode working; the engine doesn’t see any traffic.

I used to use iptables with suricata in nfqueue mode with 3 simple rules -


iptables -I FORWARD -j NFQUEUE
iptables -I INPUT -j NFQUEUE
iptables -I OUTPUT -j NFQUEUE

Based on these I tried these rules -

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -j NFQUEUE
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -j NFQUEUE
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -j NFQUEUE

Under this scenario the engine doesn’t see any traffic at all. My firewalld state -

# firewall-cmd --zone=drop --list-all
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources: ipset:blacklist4 ipset:bogons4 ipset:bogons6 ipset:country4 ipset:country6
  services: ssh cockpit squid evebox
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule source ipset="sshguard4" drop
        rule source ipset="sshguard6" drop
        rule family="ipv6" source ipset="sshguard6" drop
        rule family="ipv4" source ipset="sshguard4" drop

# firewall-cmd --zone=internal --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh mdns samba-client dhcpv6-client squid evebox ntopng
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

suricata state - nfqueue mode

# suricata -c /usr/local/etc/suricata/suricata.yaml -q 0
28/8/2020 -- 02:29:50 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
28/8/2020 -- 02:30:16 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
^C28/8/2020 -- 02:43:38 - <Notice> - Signal Received.  Stopping engine.
28/8/2020 -- 02:43:38 - <Notice> - (W-NFQ#0) Treated: Pkts 0, Bytes 0, Errors 0
28/8/2020 -- 02:43:38 - <Notice> - (W-NFQ#0) Verdict: Accepted 0, Dropped 0, Replaced 0
Segmentation fault (core dumped)

suricata state - af-packet mode

# suricata -c /usr/local/etc/suricata/suricata.yaml --af-packet
28/8/2020 -- 03:09:46 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
28/8/2020 -- 03:10:12 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
^C28/8/2020 -- 03:11:11 - <Notice> - Signal Received.  Stopping engine.
28/8/2020 -- 03:11:12 - <Notice> - Stats for 'eth0':  pkts: 398627, drop: 0 (0.00%), invalid chksum: 0
28/8/2020 -- 03:11:12 - <Notice> - Stats for 'eth1':  pkts: 3765193, drop: 20450 (0.54%), invalid chksum: 0

Some people will say switch to iptables, but at this point that is not an option since I have implemented some firewalld-specific mechanisms; firewalld block/unblock & ipset management is more convenient than iptables. Please help me understand the proper firewalld rule syntax for setting up IPS.

This issue is resolved automagically; the detection engine & logging are working after reboot.
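For anyone landing here with the same setup, the following is an added example (not the original poster's script and not from the firewalld or Suricata projects) of how to put the three direct rules in both the runtime and the permanent configuration, and then check that they actually reached the kernel instead of assuming they did. It assumes queue number 0 (matching `suricata -q 0` above), that firewalld hands `--direct` rules to the `iptables` command, and it adds an optional `--queue-bypass` switch: without it, every queued packet is dropped whenever Suricata is not bound to the queue (fail closed); with it, traffic flows uninspected while the engine is down (fail open). Pick the behaviour you want deliberately; the rules in the post fail closed.

```shell
#!/bin/sh
# Added example, not code from the original post. Installs and verifies
# firewalld direct rules that send IPv4 INPUT/OUTPUT/FORWARD to NFQUEUE.
#
# Assumptions (not stated in the post):
#   QUEUE        - queue number Suricata binds with "-q N" (0 here)
#   QUEUE_BYPASS - 1 adds --queue-bypass (fail OPEN when Suricata is down),
#                  0 leaves it out (fail CLOSED: packets dropped until the
#                  engine attaches to the queue)
QUEUE=${QUEUE:-0}
QUEUE_BYPASS=${QUEUE_BYPASS:-0}
CHAINS="INPUT OUTPUT FORWARD"

# The iptables-style rule body firewalld passes through for each chain.
nfq_rule() {
    if [ "$QUEUE_BYPASS" = 1 ]; then
        printf '%s' "-j NFQUEUE --queue-num $QUEUE --queue-bypass"
    else
        printf '%s' "-j NFQUEUE --queue-num $QUEUE"
    fi
}

# Add each rule twice: once to the runtime set (takes effect now) and once
# with --permanent (survives "firewall-cmd --reload" and a reboot). A
# runtime-only direct rule is silently gone after a reload.
install_rules() {
    for chain in $CHAINS; do
        for scope in "" "--permanent"; do
            # shellcheck disable=SC2086
            firewall-cmd $scope --direct --add-rule ipv4 filter "$chain" 0 $(nfq_rule)
        done
    done
}

# Read the output of "firewall-cmd --direct --get-all-rules" on stdin and
# print the chains in $CHAINS that have no NFQUEUE rule. Lines look like:
#   ipv4 filter INPUT 0 -j NFQUEUE --queue-num 0
missing_nfqueue_chains() {
    rules=$(cat)
    for chain in $CHAINS; do
        if ! printf '%s\n' "$rules" | grep -Eq "^ipv4 filter $chain [0-9]+ .*-j NFQUEUE"; then
            printf '%s\n' "$chain"
        fi
    done
}

# Check both what firewalld thinks it installed and what the kernel has.
verify() {
    missing=$(firewall-cmd --direct --get-all-rules | missing_nfqueue_chains)
    if [ -n "$missing" ]; then
        echo "NFQUEUE rule missing in: $missing" >&2
        return 1
    fi
    # firewalld applies direct rules through iptables, so they must show up here
    # even when the nftables backend is in use.
    iptables -S | grep NFQUEUE
}

# Usage: ./nfq-firewalld.sh install   (add rules, then verify)
#        ./nfq-firewalld.sh verify    (verify only)
case "${1:-}" in
    install) install_rules && verify ;;
    verify)  verify ;;
esac
```

If `verify` reports a missing chain right after `install`, re-check the `--direct --get-all-rules` output by hand; if firewalld lists the rule but `iptables -S` does not show it, the rule never reached the kernel and Suricata will keep reporting `Treated: Pkts 0` exactly as in the log above.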