[Oisf-users] having NFQUEUE without a suricata instance running blocks all connections

Jeff Dyke jeff.dyke at gmail.com
Tue Aug 29 20:59:11 UTC 2017


I apologize that this is a bit of a cross-post, since I also have it on SO:
https://stackoverflow.com/questions/45948045/stopping-suricata-in-nfqueue-mode-with-fw-rules-enabled-kills-all-connections

I have installed suricata 4.0 in IPS mode per the docs:
https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#suricata-yaml-nfq

I can start it with /etc/init.d/suricata start, but as soon as I stop it
with /etc/init.d/suricata stop it will drop all connections to the box and
not allow further connections. I have run: sudo iptables -A OUTPUT -j
NFQUEUE and sudo iptables -A INPUT -j NFQUEUE only after starting, because if I
run these beforehand, the same thing occurs: all connections are dropped
and I can't ssh back into the box.

It will restart (with the iptables rules enabled), but connections are on hold
(I can't type or ssh from another location) while the restart is in progress,
and while it takes about 5 seconds, it does come back successfully.

This leads me to a few questions, but let's keep it at one: how can I add
these firewall rules without having something listening on and reading NFQUEUE?
Since suricata will forward or drop, I assume that because they don't get removed
from the queue, they are never processed further.

If you want the SO rep, I'm happy to get the answer there. Any assistance is
appreciated.

Jeff