Hi,

I'm running Suricata on a shorewall gateway with the following command:

suricata -q 0 -c /etc/suricata/suricata.yaml

The shorewall system provides Internet access to 3 ISPs (to/from) and has 3 
zones defined for that: net{1,2,3}.

My goal is to have Suricata or Snort inline analyze ONLY Internet traffic FROM 
net{1,2,3} to any other zone. I understand that Shorewall must "pass" traffic 
to the same iptables queue where Suricata or Snort is listening.

I configured the Shorewall rules file as follows:

?SECTION ALL
NFQUEUE(0)     net1    all
NFQUEUE(0)     net2    all
NFQUEUE(0)     net3    all
NFQUEUE(0)     all     net1
NFQUEUE(0)     all     net2
NFQUEUE(0)     all     net3
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
[...Some DROP rules first...]
NFQUEUE(0)     net1    all
NFQUEUE(0)     net2    all
NFQUEUE(0)     net3    all
NFQUEUE(0)     all     net1
NFQUEUE(0)     all     net2
NFQUEUE(0)     all     net3
[...Some ACCEPT rules such as:]
ACCEPT  net3 $FW tcp 25
DNAT  net2 loc:10.215.144.66 tcp 80,443

My first doubt is whether I can leave out "NFQUEUE(0)     all     net{1,2,3}".

In any case, when I restart shorewall I get several warnings such as:

WARNING: One or more unreachable rules in chain net*-* have been discarded rules

If I search for the discarded rules I find entries such as:

Ping/ACCEPT     net3:IP1,IP2  $FW
DNAT    net3    loc:10.215.144.66   tcp   80    -       -       30/min:35
DNAT    net2    loc:10.215.144.66   tcp   80,443        -       -       30/min:35

So I'm not sure I understand how NFQUEUE() works.
Let's say a packet comes from net2 and reaches Shorewall. It should go to queue 
0 and Suricata should see it (and it seems to be the case right now).
Suricata can then accept or drop the packet according to its own rules. If it 
drops the packet then I guess shorewall is out of the picture. However, if it 
accepts it or is only in IDS mode then I suppose it will go down according to 
the shorewall rules file, right?
So, if an Internet host tried to access port 80 from net2 then its traffic 
should first go into queue 0, analyzed by Suricata, and if not dropped, finally 
accepted by the DNAT rule mentioned above in Shorewall, correct?

If so, why are the rules "unreachable" according to Shorewall?

Thanks,

Vieri
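The chain traversal the post asks about, as an added example that is not part of the original message and not Shorewall's own code: a small Python check that flags rules shadowed by an earlier terminating catch-all in the same source/destination zone pair. It models NFQUEUE as terminating, which is how the netfilter NFQUEUE target behaves (chain traversal stops when the packet is queued, and after an NF_ACCEPT verdict from user space the packet resumes at the next netfilter hook rather than at the next rule of the chain it left). The rule lines are the ones quoted in the post; the `ACCEPT loc $FW tcp 22` line, the `TERMINATING` set and the parsing shortcuts are constructed for this example and are a simplification of Shorewall's real rule compiler.

```python
"""Simplified unreachable-rule check for a Shorewall-style rules fragment.

Added example (not Shorewall's own optimizer). A rule is flagged when an
earlier rule for the same source->destination zone pair is terminating and
has no protocol, port or address restriction, so no packet can reach it.
NFQUEUE is treated as terminating: the netfilter NFQUEUE target ends chain
traversal, and after an NF_ACCEPT verdict the packet resumes at the next
netfilter hook, not at the next rule of the chain it left.
"""
from dataclasses import dataclass

# Actions that stop evaluation of the current chain (assumed set for this
# model). NFLOG/LOG are deliberately absent: they log and continue.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "REDIRECT", "NFQUEUE", "QUEUE"}


@dataclass
class Rule:
    text: str
    action: str
    src: str        # zone name or "all"
    dst: str
    specific: bool  # restricted by proto/port, a macro, or host addresses


def parse_rules(text):
    """Parse ACTION SOURCE DEST [PROTO [DPORT ...]] lines; skip ?SECTION, [...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#?[":
            continue
        fields = line.split()
        # "NFQUEUE(0)" -> NFQUEUE; "Ping/ACCEPT" is the Ping macro (port-specific)
        action = fields[0].split("(")[0].split("/")[0]
        specific = (len(fields) > 3 or "/" in fields[0]
                    or ":" in fields[1] or ":" in fields[2])
        rules.append(Rule(line, action, fields[1].split(":")[0],
                          fields[2].split(":")[0], specific))
    return rules


def covers(earlier, later):
    """True if `earlier` is a terminating catch-all for `later`'s zone pair."""
    return (earlier.action in TERMINATING and not earlier.specific
            and earlier.src in (later.src, "all")
            and earlier.dst in (later.dst, "all"))


def unreachable(rules):
    """Return the text of every rule shadowed by an earlier catch-all."""
    return [rule.text for i, rule in enumerate(rules)
            if any(covers(prev, rule) for prev in rules[:i])]


# Rules as quoted in the post, in chain order: ?SECTION ALL rules are placed
# ahead of ?SECTION NEW rules. The last line is constructed for contrast.
POSTED_RULES = """
?SECTION ALL
NFQUEUE(0)     net1    all
NFQUEUE(0)     net2    all
NFQUEUE(0)     net3    all
NFQUEUE(0)     all     net1
NFQUEUE(0)     all     net2
NFQUEUE(0)     all     net3
?SECTION NEW
NFQUEUE(0)     net1    all
NFQUEUE(0)     net2    all
NFQUEUE(0)     net3    all
ACCEPT  net3 $FW tcp 25
DNAT  net2 loc:10.215.144.66 tcp 80,443
Ping/ACCEPT     net3:IP1,IP2  $FW
ACCEPT  loc $FW tcp 22
"""

# Same fragment without the "all -> net{1,2,3}" lines: the net{1,2,3} -> all
# catch-alls alone still shadow every later rule whose source is net1/2/3.
WITHOUT_REVERSE = "\n".join(
    line for line in POSTED_RULES.splitlines()
    if not line.startswith("NFQUEUE(0)     all"))


def shadowed_in(text):
    """Convenience wrapper: parse a fragment and return its unreachable rules."""
    return unreachable(parse_rules(text))


if __name__ == "__main__":
    for name, frag in (("as posted", POSTED_RULES), ("without all->netN", WITHOUT_REVERSE)):
        print(f"--- {name} ---")
        for text in shadowed_in(frag):
            print("unreachable:", text)
```

Under this model the flagged set is exactly the rules the post saw discarded (the DNAT, the `ACCEPT net3 $FW tcp 25` and the Ping macro), plus the repeated NFQUEUE lines in the NEW section, while a rule for a zone pair the catch-alls do not cover (`loc -> $FW`) stays reachable. Dropping the `all -> net{1,2,3}` lines changes nothing for traffic originating in net1/2/3, because `netN all` already matches it.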

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users