[Oisf-users] having NFQUEUE without a suricata instance running blocks all connections

Jeff Dyke jeff.dyke at gmail.com
Tue Aug 29 21:26:08 UTC 2017


Will definitely do that, thanks Eric.

Jeff

On Tue, Aug 29, 2017 at 5:24 PM, Eric Leblond <eric at regit.org> wrote:

> Hi,
>
> On Tue, 2017-08-29 at 17:13 -0400, Jeff Dyke wrote:
> > :slaps forehead:
> >
> > https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
> >
> > You can add --queue-bypass. I'll request that the documentation is
> > updated. I'm not out of the woods, but past this issue.
>
> Feel free to update https://github.com/inliniac/suricata/blob/master/doc/userguide/configuration/suricata-yaml.rst
> and do a pull request so we have improved documentation.
>
> You can also set delayed-detect: yes in suricata.yaml to start treating
> packets before the detection engine is started.
>
> ++
>
> >
> > Best,
> >
> >
> > On Tue, Aug 29, 2017 at 4:59 PM, Jeff Dyke <jeff.dyke at gmail.com>
> > wrote:
> > > I apologize that this is a bit of a x-post, since I also have it on
> > > SO: https://stackoverflow.com/questions/45948045/stopping-suricata-in-nfqueue-mode-with-fw-rules-enabled-kills-all-connections
> > >
> > > I have installed suricata 4.0 in IPS mode per the docs
> > > https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#suricata-yaml-nfq:
> > >
> > > I can start it with /etc/init.d/suricata start, but as soon as I
> > > stop it with /etc/init.d/suricata stop it will drop all connections
> > > to the box and not allow further connections. I have run: sudo
> > > iptables -A OUTPUT -j NFQUEUE & sudo iptables -A INPUT -j NFQUEUE
> > > only after starting, b/c if I run these beforehand the same thing
> > > occurs: all connections are dropped and I can't ssh back into the
> > > box.
> > >
> > > It will restart (with iptable rules enabled), but connections are
> > > on hold (can't type or ssh from another location) while the restart
> > > is in progress, and while it takes about 5 seconds, it does come
> > > back successfully.
> > >
> > > This leads me to a few questions, but let's keep it at one: how can
> > > I add these firewall rules without having something listening and
> > > reading NFQUEUE? Since Suricata will forward or drop, I assume that
> > > since they don't get removed from the queue, they are never processed
> > > further.
> > >
> > > If you want the SO rep, happy to get the answer there.  Any
> > > assistance is appreciated.
> > >
> > > Jeff
> > >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
> --
> Eric Leblond <eric at regit.org>
> Blog: https://home.regit.org/
>
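The fix Jeff found is the NFQUEUE target's --queue-bypass option: without it, packets matched by an NFQUEUE rule are dropped whenever no userspace program is bound to the queue, which is exactly the lost SSH session above; with it, the rule behaves like ACCEPT while nothing is listening. That is a fail-open choice, so traffic passes uninspected during every Suricata restart, which is worth deciding deliberately rather than discovering. The script below is an added example (mine, not code from the thread or from the Suricata project) that audits an `iptables -S` style listing for NFQUEUE rules lacking --queue-bypass and emits the `iptables -R` commands that would fix them in place. The sample listing is constructed to resemble what the rules in the thread would produce; the function names are my own.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): audit an `iptables -S`
# listing for NFQUEUE rules that lack --queue-bypass, print the corrected
# rules, and emit `iptables -R` commands that fix them in place.
#
# Background: with no userspace program bound to the queue, an NFQUEUE rule
# drops every packet it matches (the poster's lost SSH session).
# --queue-bypass makes such a rule behave like ACCEPT while nothing is
# listening, i.e. it fails open: traffic passes uninspected until Suricata
# is back. Decide whether that is acceptable for the host before using it.

# Constructed sample listing, roughly what `iptables -S` prints after the
# rules in the thread were added. The lo and FORWARD rules are there only to
# show what the filter leaves alone (no NFQUEUE, or bypass already set).
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j NFQUEUE --queue-num 0
-A FORWARD -j NFQUEUE --queue-balance 0:3 --queue-bypass
-A OUTPUT -j NFQUEUE --queue-num 0'

# Print the rules that hand packets to NFQUEUE without --queue-bypass.
find_unsafe_nfqueue() {
  printf '%s\n' "$1" | awk '/-j NFQUEUE/ && !/--queue-bypass/'
}

# Count them. awk always exits 0, so an empty result is safe under set -e.
count_unsafe_nfqueue() {
  printf '%s\n' "$1" | awk '/-j NFQUEUE/ && !/--queue-bypass/ { n++ } END { print n + 0 }'
}

# Return the listing with --queue-bypass appended to every unsafe rule.
add_queue_bypass() {
  printf '%s\n' "$1" | awk '/-j NFQUEUE/ && !/--queue-bypass/ { $0 = $0 " --queue-bypass" } { print }'
}

# Emit one `iptables -R CHAIN N ...` per unsafe rule. N is the rule's
# position in its chain, counted over the -A lines of the listing (-P policy
# and -N chain lines do not count), so the input must be the complete,
# ordered listing of the table or the positions will be wrong.
as_replace_commands() {
  printf '%s\n' "$1" | awk '
    $1 == "-A" { pos[$2]++ }
    $1 == "-A" && /-j NFQUEUE/ && !/--queue-bypass/ {
      rest = ""
      for (i = 3; i <= NF; i++) rest = rest " " $i
      printf "iptables -R %s %d%s --queue-bypass\n", $2, pos[$2], rest
    }'
}

echo "NFQUEUE rules that will drop everything while Suricata is stopped:"
find_unsafe_nfqueue "$SAMPLE_RULES"
echo
echo "Commands to make them fail open (run as root against the live ruleset):"
as_replace_commands "$SAMPLE_RULES"
```

On a real host, feed it `iptables -S` (or `iptables -S -t <table>`) instead of the constructed listing, and apply the printed `iptables -R` lines as root; replacing by position keeps the rule in the same place in the chain, which matters if anything before it (such as the loopback ACCEPT) is meant to stay ahead of the queue. The delayed-detect setting Eric mentions is a Suricata-side change and is not covered by this script.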