On 10/17/19 7:39 AM, Timo Sigurdsson wrote:
> Hi,
>
> I use Shorewall on my router/gateway based on Debian 10 (buster). The machine
> has multiple interfaces and zones with different policies and rules for what
> they are allowed to do. Now I would like to add Suricata to the mix for IDS
> purposes (and eventually IPS at a later point). However, I don't fully
> understand how I would set this up exactly (without opening up my firewall
> entirely).
>
> Ideally, what I would like to achieve is that Suricata only scans traffic
> that is allowed through my external (WAN) interface. That means I don't wanna
> bother it with packets that would be dropped anyway (either through specific
> rules, default policy or blacklisted ipsets).
>
> Let's start with the less critical IDS-only configuration via NFLOG:
> I'm assuming if I were to put just two rules like this into the ALL section
> of my shorewall rules file, Suricata would see all traffic passing through my
> external interface, even the packets that would be dropped anyway:
>
>     NFLOG(1)    net    all
>     NFLOG(1)    all    net
Yes.

> So my first question is: If I wanted to pass only the accepted traffic to
> Suricata, do I have to duplicate every rule that accepts packets with an
> identical NFLOG rule in the ALL section of the rules file?

Not really. I would create an IDS action as follows:

/etc/shorewall/actions:

    IDS    logjump    # NFLOG(1) and Accept

/etc/shorewall/action.IDS:

    NFLOG(1)    -    -
    ACCEPT      -    -

Now, replace any ACCEPT rules that you have in the NEW section of the rules
file that have 'net' as the SOURCE or DEST with equivalent IDS rules.

In the ESTABLISHED and RELATED sections, add:

    NFLOG(1)    net    all
    NFLOG(1)    all    net

> If so, is there anything I need to consider regarding MASQUERADE rules in
> the snat file?

No.

> And in the policy file, can I add NFLOG(1) as the log level to any zone that
> has a default ACCEPT policy, or is the specification of the NFLOG group id
> not allowed in the policies file?

The group id can be used in the policy file. When you move to IPS, you can
replace the ACCEPT policy with an NFQUEUE policy.

> My second question is about NFQUEUE (with Suricata in IPS mode). If I
> understand the concept correctly, the response of the userspace program with
> NFQUEUE determines if a packet is accepted or dropped. So, just two NFQUEUE
> rules as shown above would be hazardous, as that would allow all traffic
> passing through the external interface unless dropped by Suricata. So, I
> guess I could replace all my ACCEPT rules with NFQUEUE rules and that would
> only change the firewall behaviour if Suricata decides to block certain
> packets/sources. Otherwise the firewall would behave just like before. Is
> that correct so far?

Yes.

> Then adding the bypass option would be safe, too. Correct?

Correct.

> Do I need to take anything special into account with regards to NAT helper
> rules and WHITELIST rules in the blacklist file?

The blacklist file was superseded by the blrules file years ago. But WHITELIST
rules in blrules don't need any special treatment. Neither do NAT helper rules.
-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
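As an added example (my own, not Tom's and not anything shipped with Shorewall), here is a small Python script that applies the scheme from the reply to a rules file: in ?SECTION NEW it turns ACCEPT rules that have 'net' as SOURCE or DEST into IDS rules, and it puts the two NFLOG(1) rules into the ESTABLISHED and RELATED sections, creating those sections if the file lacks them. It assumes the file uses explicit ?SECTION markers (Shorewall 5 syntax) and has no continuation lines; the IDS action name and NFLOG group 1 are taken from the reply, and the sample rules file is constructed for the demonstration.

```python
"""Rewrite a Shorewall rules file for the NFLOG/IDS scheme (added example).

 * in ?SECTION NEW, ACCEPT rules whose SOURCE or DEST zone is 'net' become
   IDS rules (IDS being the logjump action from the reply: NFLOG(1), then ACCEPT);
 * ?SECTION ESTABLISHED and ?SECTION RELATED each get
       NFLOG(1)  net  all
       NFLOG(1)  all  net
   so Suricata also sees accepted packets of existing connections.

Assumptions (not from the thread): explicit ?SECTION markers, no '\\'
continuation lines, and the zone 'all' is deliberately not treated as 'net'.
"""
import re
from typing import Dict, List, Tuple

NFLOG_GROUP = 1
SECTION_ORDER = ["ALL", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED", "NEW"]
NFLOG_RULES = [f"NFLOG({NFLOG_GROUP})\tnet\tall", f"NFLOG({NFLOG_GROUP})\tall\tnet"]
SECTION_RE = re.compile(r"^\s*\??SECTION\s+(\w+)", re.IGNORECASE)
ACCEPT_RE = re.compile(r"ACCEPT(:\S+)?")  # plain ACCEPT or ACCEPT:level; not ACCEPT+ / ACCEPT!

# Constructed sample rules file, not a real configuration.
SAMPLE_RULES = """\
#ACTION         SOURCE          DEST            PROTO   DPORT
?SECTION ALL
?SECTION NEW
Ping(DROP)      net             $FW
ACCEPT          loc             net
ACCEPT          net             $FW             tcp     22      # admin ssh
ACCEPT:info     net:eth0        dmz             tcp     443
ACCEPT          loc             dmz             tcp     80
DNAT            net             dmz:10.0.0.5    tcp     25
"""


def split_sections(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split into (lines before the first ?SECTION, {SECTION: its lines})."""
    header: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
        elif current is None:
            header.append(line)
        else:
            sections[current].append(line)
    return header, sections


def zone_of(column: str) -> str:
    """Zone part of a SOURCE/DEST column: 'net:eth0' or 'net:1.2.3.0/24' -> 'net'."""
    return column.split(":", 1)[0]


def convert_accept(line: str) -> str:
    """NEW-section rule: ACCEPT[:level] touching zone 'net' -> IDS[:level]; else unchanged."""
    code, hash_, comment = line.partition("#")     # keep a trailing comment intact
    cols = code.split()
    if len(cols) < 3 or cols[0].startswith("?"):   # blank, comment-only or directive line
        return line
    m = ACCEPT_RE.fullmatch(cols[0])
    if not m or "net" not in (zone_of(cols[1]), zone_of(cols[2])):
        return line
    cols[0] = "IDS" + (m.group(1) or "")           # preserve an explicit log level
    return "\t".join(cols) + (f"\t#{comment}" if hash_ else "")


def add_ids(text: str) -> str:
    """Return the rewritten rules file; running it twice yields the same result."""
    header, sections = split_sections(text)
    sections["NEW"] = [convert_accept(l) for l in sections.get("NEW", [])]
    for name in ("ESTABLISHED", "RELATED"):
        body = sections.setdefault(name, [])       # create the section if missing
        present = [l.split() for l in body]
        body[:0] = [r for r in NFLOG_RULES if r.split() not in present]
    out = list(header)
    for name in SECTION_ORDER:                     # Shorewall requires this section order
        if name in sections:
            out.append(f"?SECTION {name}")
            out.extend(sections[name])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(add_ids(SAMPLE_RULES))
```

Run it against a copy of /etc/shorewall/rules and diff the result before installing it, then let `shorewall check` validate the whole configuration. The script only matches the literal zone name 'net' (with or without an interface or address qualifier); ACCEPT rules written with 'all' also cover the net zone and have to be reviewed by hand.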
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users