[Oisf-users] having NFQUEUE without a suricata instance running blocks all connections

Jeff Dyke jeff.dyke at gmail.com
Tue Aug 29 21:13:31 UTC 2017


:slaps forehead:

https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/

You can add --queue-bypass. I'll request that the documentation is updated.
I'm not out of the woods, but past this issue.

Best,

On Tue, Aug 29, 2017 at 4:59 PM, Jeff Dyke <jeff.dyke at gmail.com> wrote:

> I apologize that this is a bit of a x-post, since I also have it on SO:
> https://stackoverflow.com/questions/45948045/stopping-suricata-in-nfqueue-mode-with-fw-rules-enabled-kills-all-connections
>
> I have installed suricata 4.0 in IPS mode per the docs
> https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#suricata-yaml-nfq:
>
> I can start it with /etc/init.d/suricata start, but as soon as I stop it
> with /etc/init.d/suricata stop it will drop all connections to the box and
> not allow further connections. I have run: sudo iptables -A OUTPUT -j
> NFQUEUE & sudo iptables -A INPUT -j NFQUEUE only after starting b/c if I
> run these beforehand, the same thing occurs, all connections are dropped
> and I can't ssh back into the box.
>
> It will restart (with iptables rules enabled), but connections are on hold
> (can't type or ssh from another location) while the restart is in progress,
> and while it takes about 5 seconds, it does come back successfully.
>
> This leads me to a few questions, but let's keep it at one: how can I add
> these firewall rules without having something listening reading NFQUEUE?
> Since suricata will forward or drop, I assume since they don't get removed
> from the queue, they are never processed further.
>
> If you want the SO rep, happy to get the answer there. Any assistance is
> appreciated.
>
> Jeff
>
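An added illustration of the fix discussed in this thread, not code from the original post or from the Suricata project: the INPUT/OUTPUT rules from the question re-emitted with `--queue-bypass`, plus a small audit that counts NFQUEUE rules in an `iptables -S` dump that still lack the option and would therefore stall traffic whenever no listener is attached. The sample dump is constructed, and queue number 0 is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers around the problem
# described above: NFQUEUE rules with no userspace listener hold every packet.
# 1) emit the INPUT/OUTPUT rules from the post with --queue-bypass added, so the
#    kernel accepts packets while Suricata is down instead of stalling them;
# 2) audit an `iptables -S` dump for NFQUEUE rules that still lack the option.

# Rules as they should be installed before starting Suricata
# (queue 0 is assumed here; match it to the queue Suricata is started with).
nfqueue_rules() {
    for chain in INPUT OUTPUT; do
        printf 'iptables -A %s -j NFQUEUE --queue-num 0 --queue-bypass\n' "$chain"
    done
}

# Read `iptables -S` output on stdin and print the number of NFQUEUE rules
# that would stall traffic with no listener (i.e. without --queue-bypass).
count_unsafe_nfqueue() {
    awk '/-j NFQUEUE/ && !/--queue-bypass/ { n++ } END { print n + 0 }'
}

# Constructed sample dump in `iptables -S` format (not taken from a real host).
SAMPLE_RULES='-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j NFQUEUE
-A OUTPUT -j NFQUEUE --queue-bypass
-A FORWARD -j NFQUEUE --queue-num 0'

# Run the audit over the sample; on a live box use: iptables -S | count_unsafe_nfqueue
unsafe_in_sample() {
    printf '%s\n' "$SAMPLE_RULES" | count_unsafe_nfqueue
}
```

The two rules without `--queue-bypass` in the sample (INPUT and FORWARD) are the ones that reproduce the lock-out from the question once Suricata stops.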