<div dir="ltr"><p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-stretch:inherit;font-size:15px;line-height:inherit;font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;vertical-align:baseline;clear:both;color:rgb(36,39,41)">:slaps forehead:</p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-stretch:inherit;font-size:15px;line-height:inherit;font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;vertical-align:baseline;clear:both;color:rgb(36,39,41)"><a href="https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/" rel="nofollow noreferrer" style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;color:rgb(0,89,153);text-decoration-line:none">https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/</a></p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-stretch:inherit;font-size:15px;line-height:inherit;font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;vertical-align:baseline;clear:both;color:rgb(36,39,41)">You can add <code style="margin:0px;padding:1px 5px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:13px;line-height:inherit;font-family:Consolas,Menlo,Monaco,"Lucida Console","Liberation Mono","DejaVu Sans Mono","Bitstream Vera Sans Mono","Courier New",monospace,sans-serif;vertical-align:baseline;background-color:rgb(239,240,241);white-space:pre-wrap">--queue-bypass</code>. I'll request that the documentation is updated. 
I'm not out of the woods, but past this issue.</p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-stretch:inherit;font-size:15px;line-height:inherit;font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;vertical-align:baseline;clear:both;color:rgb(36,39,41)">Best,</p></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 29, 2017 at 4:59 PM, Jeff Dyke <span dir="ltr"><<a href="mailto:jeff.dyke@gmail.com" target="_blank">jeff.dyke@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I apologize that this is a bit of an x-post, since I also have it on SO: <a href="https://stackoverflow.com/questions/45948045/stopping-suricata-in-nfqueue-mode-with-fw-rules-enabled-kills-all-connections" target="_blank">https://stackoverflow.com/questions/45948045/stopping-suricata-in-nfqueue-mode-with-fw-rules-enabled-kills-all-connections</a><br><br>I have installed suricata 4.0 in IPS mode per the docs <a href="https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#suricata-yaml-nfq" target="_blank">https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#suricata-yaml-nfq</a>:<br><br>I can start it with /etc/init.d/suricata start, but as soon as I stop it with /etc/init.d/suricata stop it will drop all connections to the box and not allow further connections. 
I have run: sudo iptables -A OUTPUT -j NFQUEUE & sudo iptables -A INPUT -j NFQUEUE only after starting b/c if I run these beforehand, the same thing occurs, all connections are dropped and I can't ssh back into the box.<br><br>It will restart (with iptables rules enabled), but connections are on hold (can't type or ssh from another location) while the restart is in progress, and while it takes about 5 seconds, it does come back successfully.<br><br>This leads me to a few questions, but let's keep it at one: how can I add these firewall rules without having something listening and reading NFQUEUE? Since suricata will forward or drop, I assume since they don't get removed from the queue, they are never processed further.<br><div><br></div><div>If you want the SO rep, happy to get the answer there. Any assistance is appreciated.</div><span class="HOEnZb"><font color="#888888"><div><br>Jeff</div></font></span></div>
</blockquote></div><br></div>
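<p>As an added example (not part of the thread above), a small POSIX shell audit for the lockout the thread describes: without <code>--queue-bypass</code>, a packet sent to an NFQUEUE with no userspace listener is dropped by the kernel, so stopping Suricata cuts every connection. The functions scan an <code>iptables-save</code> dump for NFQUEUE rules that lack the flag and rewrite them; the dump is constructed, and the function names are mine.</p>

```shell
#!/bin/sh
# Audit iptables-save output for NFQUEUE rules that are "fail closed":
# when no program (e.g. Suricata) is bound to the queue, the kernel drops
# every packet sent to it unless the rule carries --queue-bypass.

# Constructed sample of `iptables-save` output (not captured from a real host).
# The INPUT rule reproduces the thread's lockout; the OUTPUT rule is the fix.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j NFQUEUE --queue-num 0
-A OUTPUT -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT'

# Print every NFQUEUE rule in the dump passed as $1 that lacks --queue-bypass.
# Exit status 0 when all NFQUEUE rules carry the flag, 1 when any would drop
# traffic as soon as the listener goes away.
find_fail_closed_nfqueue() {
    printf '%s\n' "$1" | awk '
        /^-A / && / -j NFQUEUE/ && !/--queue-bypass/ { print; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Emit the dump passed as $1 with --queue-bypass appended to every NFQUEUE
# rule that lacks it. The result is valid iptables-restore input; applying
# it needs root, this function itself only rewrites text.
add_queue_bypass() {
    printf '%s\n' "$1" | awk '
        /^-A / && / -j NFQUEUE/ && !/--queue-bypass/ { $0 = $0 " --queue-bypass" }
        { print }'
}

# Demonstration on the constructed sample: the INPUT rule is reported, and the
# rewritten dump passes the audit. On a live host, replace SAMPLE_RULES with
# "$(iptables-save)" and pipe the output of add_queue_bypass to iptables-restore.
if ! find_fail_closed_nfqueue "$SAMPLE_RULES"; then
    echo "rules above drop all traffic when Suricata is not running; fixed version:"
    add_queue_bypass "$SAMPLE_RULES"
fi
```

<p>Note that <code>--queue-bypass</code> means packets are accepted, not inspected, while Suricata is down; that is the trade-off the thread settles on, and the audit makes it visible rather than hiding it.</p>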