<div dir="ltr">Will definitely do that, thanks Eric.<div><br></div><div>Jeff</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 29, 2017 at 5:24 PM, Eric Leblond <span dir="ltr"><<a href="mailto:eric@regit.org" target="_blank">eric@regit.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
On Tue, 2017-08-29 at 17:13 -0400, Jeff Dyke wrote:<br>
> :slaps forehead:<br>
><br>
> <a href="https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/" rel="noreferrer" target="_blank">https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/</a><br>
<span class="">
><br>
> You can add --queue-bypass. I'll request that the documentation is<br>
> updated. I'm not out of the woods, but past this issue.<br>
<br>
</span>Feel free to update <a href="https://github.com/inliniac/suricata/blob/master/doc/userguide/configuration/suricata-yaml.rst" rel="noreferrer" target="_blank">https://github.com/inliniac/suricata/blob/master/doc/userguide/configuration/suricata-yaml.rst</a> and do a pull request so we<br>
have improved documentation.<br>
<br>
You can also set delayed-detect: yes in suricata.yaml to start treating<br>
packets before the detection engine is started.<br>
<br>
++<br>
<div><div class="h5"><br>
><br>
> Best,<br>
><br>
><br>
> On Tue, Aug 29, 2017 at 4:59 PM, Jeff Dyke <<a href="mailto:jeff.dyke@gmail.com">jeff.dyke@gmail.com</a>><br>
> wrote:<br>
> > I apologize that this is a bit of a x-post, since I also have it on<br>
> > SO: <a href="https://stackoverflow.com/questions/45948045/stopping-suricata-in-nfqueue-mode-with-fw-rules-enabled-kills-all-connections" rel="noreferrer" target="_blank">https://stackoverflow.com/questions/45948045/stopping-suricata-in-nfqueue-mode-with-fw-rules-enabled-kills-all-connections</a><br>
> ><br>
> > I have installed suricata 4.0 in IPS mode per the docs <a href="https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#suricata-yaml-nfq" rel="noreferrer" target="_blank">https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#suricata-yaml-nfq</a>:<br>
> ><br>
> > I can start it with /etc/init.d/suricata start, but as soon as I<br>
> > stop it with /etc/init.d/suricata stop it will drop all connections<br>
> > to the box and not allow further connections. I have run: sudo<br>
> > iptables -A OUTPUT -j NFQUEUE & sudo iptables -A INPUT -j NFQUEUE<br>
> > only after starting b/c if I run these beforehand, the same thing<br>
> > occurs, all connections are dropped and I can't ssh back into the<br>
> > box.<br>
> ><br>
> > It will restart (with iptable rules enabled), but connections are<br>
> > on hold (can't type or ssh from another location) while the restart<br>
> > is in progress, and while it takes about 5 seconds, it does come<br>
> > back successfully.<br>
> ><br>
> > This leads me to a few questions, but let's keep it at one: how can<br>
> > I add these firewall rules without having something listening<br>
> > reading NFQUEUE? Since suricata will forward or drop, I assume since<br>
> > they don't get removed from the queue, they are never processed<br>
> > further.<br>
> ><br>
> > If you want the SO rep, happy to get the answer there.  Any<br>
> > assistance is appreciated.<br>
> ><br>
> > Jeff<br>
> ><br>
><br>
</div></div>> ______________________________<wbr>_________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a><br>
<span class="HOEnZb"><font color="#888888">--<br>
Eric Leblond <<a href="mailto:eric@regit.org">eric@regit.org</a>><br>
Blog: <a href="https://home.regit.org/" rel="noreferrer" target="_blank">https://home.regit.org/</a><br>
</font></span></blockquote></div><br></div>
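<div>The behaviour discussed in this thread (NFQUEUE rules dropping everything while Suricata is stopped, unless --queue-bypass is set) can be audited before a stop or restart. The script below is an added example, not code from the thread participants or the Suricata project: it reads rules in iptables-save format and labels each NFQUEUE rule as fail-closed or fail-open. The function names and the sample ruleset are constructed for illustration.</div>

```shell
#!/bin/sh
# Added example: classify NFQUEUE rules by what happens when no program
# (e.g. Suricata) is bound to the queue.
#   FAIL-CLOSED: no --queue-bypass, queued packets are dropped.
#   FAIL-OPEN:   --queue-bypass set, packets pass without inspection.
# Input: rules in `iptables-save` format on stdin.

classify_nfqueue_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*filter" opens a table section
        /^-A / {
            is_nfq = 0; bypass = 0
            for (i = 1; i <= NF; i++) {
                if (($i == "-j" || $i == "--jump") && $(i + 1) == "NFQUEUE") is_nfq = 1
                if ($i == "--queue-bypass") bypass = 1
            }
            if (is_nfq)
                printf "%s %s: %s\n", (bypass ? "FAIL-OPEN" : "FAIL-CLOSED"), table, $0
        }
    '
}

# Print only the rules that blackhole traffic while the listener is down.
nfqueue_fail_closed() {
    classify_nfqueue_rules | grep '^FAIL-CLOSED' || true
}

# Constructed sample: the INPUT/OUTPUT rules from the thread as iptables-save
# would list them, plus a hypothetical FORWARD rule using --queue-bypass.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j NFQUEUE --queue-num 0
-A OUTPUT -j NFQUEUE --queue-num 0
-A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | classify_nfqueue_rules
```

On a live host the same functions can be fed with `iptables-save | classify_nfqueue_rules`. A FAIL-OPEN result keeps connectivity during restarts, but traffic is not inspected or blocked by the IPS for that window.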