Suricata Integration / Firewall Iptables

bfwdd · Feb 10, 2022

Hello everyone,

according to WIKI the suricata integration take place under /etc/pve/firewall/<VMID>.fw, and the rule will be automatically added to the iptables . It is exactly my case however i am not receiving alerts at Suricata. this is how the rule looks like:


2    NFQUEUE    all  -- anywhere   anywhere PHYSDEV match --physdev-out tap128i0 --physdev-is-bridged NFQUEUE num 0 bypass

- How exactly the condition (--physdev-is-bridged) in this case works and how can i solve this issue without sending all traffic to NFQUEUE 0 ?

I tried the following rules instead, which are both working in our case:


PHYSDEV match --physdev-is-in --physdev-out tap128i0 NFQUEUE num 0 bypass
PHYSDEV match --physdev-in tap128i0 --physdev-is-out NFQUEUE num 0 bypass

Thank you in advance

spirit · Feb 11, 2022

Hi,
I add wrote the ips code some year ago, but I don't use it anymore, so maybe something have change.

can you send the result of "iptables-save" with working config vs not working config ?

I could look to fix the firewall code if it's not working fine anymore.

bfwdd · Feb 11, 2022

Hey,

The standard Config (not working):
iptables PVEFW-IPS


Chain PVEFW-IPS (1 references)
pkts bytes target     prot opt in     out     source               destination         
 54  2k NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap128i0 --physdev-is-bridged NFQUEUE num 0 bypass

The working Config:
iptables PVEFW-IPS


Chain PVEFW-IPS (1 references)
pkts bytes target     prot opt in     out     source               destination         
 3054  818K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap128i0 --physdev-is-out NFQUEUE num 0 bypass
 2757  450K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-in --physdev-out tap128i0 NFQUEUE num 0 bypass
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:jUY9hA3Z9cu3QYun8TeZz86ssIo */

difference between Firewall.pm Original / my Modification


# diff Firewall.pm.orig Firewall.pm
2441,2442c2441,2443
<         ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out $iface --physdev-is-bridged", "-j $nfqueue");
<     }
---
>         ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-in $iface --physdev-is-out", "-j $nfqueue");
>         ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out $iface --physdev-is-in", "-j $nfqueue");    
>       }

Thanks in advance

spirit · Feb 11, 2022

thanks !

I'll test on my side and send a patch to the pve-devel mailing list next week.

Search

Search

Suricata Integration / Firewall Iptables

bfwdd

Renowned Member

spirit

Distinguished Member

bfwdd

Renowned Member

spirit

Distinguished Member

We value your privacy