Suricata Integration / Firewall Iptables

bfwdd (Renowned Member, Dresden, www.bfw-dresden.de), Mar 29, 2016
Hello everyone,

According to the wiki, the Suricata integration takes place under /etc/pve/firewall/<VMID>.fw, and the rule will be automatically added to iptables. That is exactly my case; however, I am not receiving alerts at Suricata. This is how the rule looks:
2 NFQUEUE all -- anywhere anywhere PHYSDEV match --physdev-out tap128i0 --physdev-is-bridged NFQUEUE num 0 bypass
- How exactly does the condition (--physdev-is-bridged) work in this case, and how can I solve this issue without sending all traffic to NFQUEUE 0?

I tried the following rules instead, both of which work in our case:
PHYSDEV match --physdev-is-in --physdev-out tap128i0 NFQUEUE num 0 bypass
PHYSDEV match --physdev-in tap128i0 --physdev-is-out NFQUEUE num 0 bypass

Thank you in advance
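The two rule forms from the post above, as an added example that is not part of the original thread or of pve-firewall: a POSIX shell script that emits the stock single rule and the per-direction pair in iptables-save syntax, then reads an iptables-save dump and reports whether a given tap interface is queued to NFQUEUE in the VM-to-bridge direction, the bridge-to-VM direction, or neither. The interface name (tap128i0), the queue number (0) and the sample dump are assumed or constructed for the example.

```shell
#!/bin/sh
# Added example (not pve-firewall code). Builds the PVEFW-IPS rules for one VM
# tap interface in two forms and checks an iptables-save dump for which
# directions of that interface actually reach NFQUEUE.
# Interface tap128i0 and queue 0 are taken from the thread; the dump below is
# constructed, not captured.

# Stock single rule: matches frames bound for the VM through its tap port
# and additionally requires the frame to be bridged (--physdev-is-bridged).
ips_rule_bridged() {
    iface="$1"; queue="$2"
    printf -- '-A PVEFW-IPS -m physdev --physdev-out %s --physdev-is-bridged -j NFQUEUE --queue-num %s --queue-bypass\n' "$iface" "$queue"
}

# Per-direction pair from the thread: one rule for frames entering the bridge
# from the VM, one for frames leaving the bridge towards the VM.
ips_rules_directional() {
    iface="$1"; queue="$2"
    printf -- '-A PVEFW-IPS -m physdev --physdev-in %s --physdev-is-out -j NFQUEUE --queue-num %s --queue-bypass\n' "$iface" "$queue"
    printf -- '-A PVEFW-IPS -m physdev --physdev-is-in --physdev-out %s -j NFQUEUE --queue-num %s --queue-bypass\n' "$iface" "$queue"
}

# Read an iptables-save dump on stdin and report whether PVEFW-IPS queues
# traffic from the VM (in), traffic to the VM (out), or neither.
# "in=0 out=0" is the silent failure mode: the chain exists, but the IPS
# never sees a packet for that interface.
ips_coverage() {
    iface="$1"
    seen_in=0; seen_out=0
    while IFS= read -r line; do
        # Only NFQUEUE rules in the IPS chain are of interest.
        case "$line" in
            "-A PVEFW-IPS "*"-j NFQUEUE"*) ;;
            *) continue ;;
        esac
        # Trailing space keeps tap128i0 from matching tap128i01.
        case "$line" in *"--physdev-in $iface "*) seen_in=1 ;; esac
        case "$line" in *"--physdev-out $iface "*) seen_out=1 ;; esac
    done
    printf 'in=%s out=%s\n' "$seen_in" "$seen_out"
}

# Constructed iptables-save fragment mimicking the stock ruleset: the single
# --physdev-out rule plus the PVESIG marker rule (which has no target).
SAMPLE_DUMP='*filter
:PVEFW-IPS - [0:0]
-A PVEFW-IPS -m physdev --physdev-out tap128i0 --physdev-is-bridged -j NFQUEUE --queue-num 0 --queue-bypass
-A PVEFW-IPS -m comment --comment "PVESIG:jUY9hA3Z9cu3QYun8TeZz86ssIo"
COMMIT'

# Usage: the stock dump reports in=0 out=1, the directional pair in=1 out=1.
printf '%s\n' "$SAMPLE_DUMP" | ips_coverage tap128i0
ips_rules_directional tap128i0 0 | ips_coverage tap128i0
```

On a live host the same check is `iptables-save | ips_coverage tap128i0`; an interface that reports only one direction, or none, is one the IPS cannot alert on regardless of what Suricata's rule set contains.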
Hi,
I wrote the IPS code some years ago, but I don't use it anymore, so maybe something has changed.

Can you send the result of "iptables-save" with the working config vs. the not-working config?

I could look into fixing the firewall code if it's not working anymore.
 
Hey,

The standard config (not working):
iptables PVEFW-IPS
Chain PVEFW-IPS (1 references)
 pkts bytes target     prot opt in     out     source               destination
   54    2k NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap128i0 --physdev-is-bridged NFQUEUE num 0 bypass

The working config:
iptables PVEFW-IPS
Chain PVEFW-IPS (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3054  818K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap128i0 --physdev-is-out NFQUEUE num 0 bypass
 2757  450K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-in --physdev-out tap128i0 NFQUEUE num 0 bypass
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:jUY9hA3Z9cu3QYun8TeZz86ssIo */

Difference between the original Firewall.pm and my modification:
# diff Firewall.pm.orig Firewall.pm 2441,2442c2441,2443 < ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out $iface --physdev-is-bridged", "-j $nfqueue"); < } --- > ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-in $iface --physdev-is-out", "-j $nfqueue"); > ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out $iface --physdev-is-in", "-j $nfqueue"); > }
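Review bot: the two replacement ruleset_addrule calls change two things at once without saying which one is the fix. The first new rule (`-m physdev --physdev-in $iface --physdev-is-out`) adds a direction the original never queued (frames coming from the VM), while the second (`-m physdev --physdev-out $iface --physdev-is-in`) keeps the original direction and only swaps `--physdev-is-bridged` for `--physdev-is-in`. The only evidence in the thread is the counter difference above (54 packets on the old rule against 3054/2757 on the new pair), so a comment at this spot should record why `--physdev-is-bridged` stopped matching and that both directions are now intentionally sent to the queue, otherwise the next person will not know whether dropping the bridged check was deliberate. Also worth noting in the same comment: `$nfqueue` expands to `NFQUEUE num 0 bypass` in the listings above, so with every bridged frame of the VM now queued in both directions, an IPS that is not listening on queue 0 lets all of that traffic through unexamined rather than blocking it.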

Thanks in advance
 
