<!DOCTYPE html>
<html><head>
<meta charset="UTF-8">
</head><body><p>There are many ways to deal with this, based on what the initial reasoning was for restarting/stopping Suricata.</p><p>If it is to reload new rules, you can do that on the fly using the kill command.<br></p><p>Otherwise, you could use a script that first sets the iptables policy to accept and even a forward iptables rule to accept, then restarts Suricata, runs iptables -F and then a new script to reload iptables as required. I may have missed a step or two here, but hopefully you get my meaning.<br></p><p>See, the point is that you can't send some folks to a bridge that you have just blown up and expect them to cross it.<br></p><p>Amar<br></p><blockquote type="cite">On August 30, 2017 at 5:01 PM Jeff Dyke &lt;jeff.dyke@gmail.com&gt; wrote:<br><br><div dir="ltr">I'm not positive, but the man page on Ubuntu 16.04 4.4.0-93-generic (iptables v1.6.0) also does not show it.<div><br></div><div>You can also do: <code>-A INPUT -s 123.456.789.101/08 -p tcp --dport 22 -j ACCEPT</code></div><div><br></div><div>as an early iptables rule, but that does not solve the problem as much as allow you to fix it.</div><div><br></div><div>I would just try to add the rule with the flag, and see if it complains.
I use Salt for configuration and was looking at their iptables code to see how to add it to my Suricata states, and noticed it has been in their source for a while.</div><div><br></div><div>Jeff</div></div><div class="ox-a53778e80e-ox-80b8ea4ef4-gmail_extra"><br><div class="ox-a53778e80e-ox-80b8ea4ef4-gmail_quote">On Wed, Aug 30, 2017 at 4:40 PM, James Moe &lt;<a href="mailto:jimoe@sohnen-moe.com" target="_blank">jimoe@sohnen-moe.com</a>&gt; wrote:<br><blockquote>On 08/29/2017 02:13 PM, Jeff Dyke wrote:<br> > <a href="https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/" target="_blank">https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/</a><br> ><br> > You can add <code>--queue-bypass</code>. I'll request that the documentation is<br> > updated. I'm not out of the woods, but past this issue.<br> ><br> In openSUSE 42.2 (Linux 4.4.79-18.26-default x86_64) the iptables<br> manual does not show "--queue-bypass" as an option.<br> Is the option undocumented, hidden, or unsupported?
Or does it require<br> a custom build of iptables?<br> <span class="ox-a53778e80e-ox-80b8ea4ef4-HOEnZb"><span style="color: #888888;"><br> --<br> James Moe<br> moe dot james at sohnen-moe dot com<br> <a>520.743.3936</a><br> Think.<br> <br> </span></span><br>_______________________________________________<br> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br> <br> Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a><br> Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a><br></blockquote></div><br></div></blockquote><p><br></p><div class="ox-a53778e80e-io-ox-signature"><p>Kind regards<br></p><p>Amar Rathore</p><p>CounterSnipe Systems LLC <br>Tel: +1 617 701 7213 <br>Mobile: +44 (0) 7876 233333 <br>Skype ID: amarrathore <br>Web: <a href="http://www.countersnipe.com/">www.countersnipe.com</a><br><br></p><p><span style="font-size: 8pt;">This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.</span></p><p><span style="font-size: 8pt;">E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions.</span> <br></p></div></body></html>
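<p>Added example for the lockout discussed in this thread; it is not code from the thread, from Suricata or from Salt. It audits an <code>iptables-save</code> dump for NFQUEUE rules that lack <code>--queue-bypass</code> (the rules that fail closed and drop packets while Suricata is down) and emits a corrected copy. The ruleset is a constructed sample, and the live-host workflow named in the comments is an assumption, not something the thread verified.</p>

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for NFQUEUE
# rules that lack --queue-bypass, and emit a corrected copy. Without bypass the
# kernel drops queued packets whenever the userspace consumer (Suricata in IPS
# mode) is stopped or restarting, which is how the SSH lockout in the thread
# happens. With bypass the packets are accepted uninspected instead: that is
# fail-open, so it is a policy choice, not a free fix.

# Constructed sample of iptables-save output; not captured from a real host.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -j NFQUEUE --queue-num 0
-A FORWARD -j NFQUEUE --queue-balance 0:3 --queue-bypass
-A OUTPUT -j NFQUEUE --queue-num 0
COMMIT'

# Read a ruleset on stdin, print every NFQUEUE rule without --queue-bypass.
# Returns 0 when all NFQUEUE rules carry bypass, 1 otherwise.
missing_bypass() {
    _hits=$(grep -- '-j NFQUEUE' | grep -v -- '--queue-bypass') || true
    [ -z "$_hits" ] && return 0
    printf '%s\n' "$_hits"
    return 1
}

# Read a ruleset on stdin, write it back with --queue-bypass appended to every
# NFQUEUE rule that lacks it; rules that already have it are left untouched.
add_bypass() {
    sed -e '/-j NFQUEUE/{' -e '/--queue-bypass/!s/$/ --queue-bypass/' -e '}'
}

# Stand-alone demonstration. On a live host (assumed workflow) replace the
# printf with `iptables-save` and feed add_bypass output to `iptables-restore`.
if printf '%s\n' "$SAMPLE_RULES" | missing_bypass; then
    echo "all NFQUEUE rules have --queue-bypass"
else
    echo "the rules above would blackhole traffic while Suricata is down"
fi
printf '%s\n' "$SAMPLE_RULES" | add_bypass
```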