[Oisf-users] AF_Packet Mode vs. NFQUEUE Mode

Leonard Jacobs ljacobs at netsecuris.com
Fri Nov 13 14:00:59 UTC 2015

There is an issue with SonicWALL firewalls when using AF_Packet mode in Suricata running on a server. Seems to be an incompatibility because packets drop. Loss of IPSec connectivity, in particular phase1 handshake, is experienced. If Suricata is inline with LAN side then LAN traffic appears to get dropped.

We had this issue 2 years ago and SonicWALL tech support made some obscure change in their firewall to fix it. We just don't remember what the fix was.

I don't know if there is anything in Suricata that I could do to fix this. I have turned off all NIC offloading.



From: Eric Leblond [mailto:eric at regit.org]
To: Leonard Jacobs [mailto:ljacobs at netsecuris.com], oisf-users at lists.openinfosecfoundation.org [mailto:oisf-users at lists.openinfosecfoundation.org]
Sent: Fri, 13 Nov 2015 07:37:51 -0600
Subject: Re: [Oisf-users] AF_Packet Mode vs. NFQUEUE Mode

Hello Leonard,
  On Fri, 2015-11-13 at 07:08 -0600, Leonard Jacobs wrote:
  > What happens if the interfaces are bridged when using AF_Packet mode?
  > Does that cause problems since this mode performs its own copy-mode
  > between interfaces?
  That would cause a duplication of packets:
   * Bridge forwards packets from iface 1 to 2
   * Suricata sees packets on iface 1 and copies packets on iface 2
  > In NFQUEUE IPS mode, are the interfaces supposed to be bridged?  Will
  > IPTables not function properly without the interfaces being bridged?
  No bridge needed. Using it is even the buggiest setup that can be done
  (currently unexplained packet loss in that mode).
  > Thanks.
  > Leonard Jacobs
  Eric Leblond <eric at regit.org>
  Blog: https://home.regit.org/
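
The duplication described in the reply above (a bridge forwarding between two interfaces that AF_Packet copy-mode is also copying between) can be checked for on the sensor. The following is an added example, not code from the thread or from Suricata: it assumes the `copy-mode` / `copy-iface` keys of the `af-packet` section in suricata.yaml and the Linux sysfs layout, where a bridge port has a `brport` directory and a `master` link. The sample configuration is constructed, and the small regex parser only handles that simple layout.

```python
import os
import re

# Constructed sample of a suricata.yaml af-packet section (inline pair plus a sniffing port).
SAMPLE_YAML = """\
af-packet:
  - interface: eth0
    copy-mode: ips
    copy-iface: eth1
  - interface: eth1
    copy-mode: ips
    copy-iface: eth0
  - interface: eth2
"""

def copy_mode_pairs(yaml_text):
    """Return (interface, copy-iface) for each entry with copy-mode ips or tap."""
    pairs = []
    # Each list item starts with "- interface:"; split on that marker (simple layouts only).
    for item in re.split(r"^\s*-\s+(?=interface:)", yaml_text, flags=re.M)[1:]:
        keys = dict(re.findall(r"^[ \t]*([\w-]+):[ \t]*(\S+)", item, flags=re.M))
        if keys.get("copy-mode") in ("ips", "tap") and "copy-iface" in keys:
            pairs.append((keys["interface"], keys["copy-iface"]))
    return pairs

def bridge_of(iface, sysfs="/sys/class/net"):
    """Return the bridge an interface is a port of, or None if it is not bridged."""
    base = os.path.join(sysfs, iface)
    if not os.path.isdir(os.path.join(base, "brport")):
        return None
    master = os.path.join(base, "master")
    return os.path.basename(os.readlink(master)) if os.path.islink(master) else "unknown"

def duplicated_paths(yaml_text, sysfs="/sys/class/net"):
    """List copy-mode pairs whose two interfaces are ports of the same bridge."""
    findings = []
    for src, dst in copy_mode_pairs(yaml_text):
        b_src, b_dst = bridge_of(src, sysfs), bridge_of(dst, sysfs)
        if b_src is not None and b_src == b_dst:
            findings.append((src, dst, b_src))
    return findings

if __name__ == "__main__":
    for src, dst, br in duplicated_paths(SAMPLE_YAML):
        print(f"{src} -> {dst}: both are ports of bridge {br}; packets are forwarded twice")
```
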