[Oisf-users] Moving NFQUEUE to a different place in iptable's chain
James Moe
jimoe at sohnen-moe.com
Wed Oct 3 21:10:18 UTC 2018
suricata 4.0.4
linux 4.12.14-lp150.12.7-default x86_64
I had this idea to use fail2ban to reduce the load on suricata. One of
the most common log entries is for rule #2220008; the rule catches
fire-and-forget SMTP messages.

The idea: By blocking recurring IP addresses this would reduce the
load on suricata. However, I discovered this:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target        prot opt in  out  source       destination
2103K  873M NFQUEUE       all  --  *   *    0.0.0.0/0    0.0.0.0/0    NFQUEUE num 0 bypass
14472   14M f2b-suricata  tcp  --  *   *    0.0.0.0/0    0.0.0.0/0    multiport dports 25,465,587
13143   14M f2b-assp      tcp  --  *   *    0.0.0.0/0    0.0.0.0/0    multiport dports 25

Which makes the fail2ban effort moot.

Is there a way to change the order of the chains?
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
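
The ordering problem in the listing above can be checked mechanically. The following is an added example, not part of the original message: it reads `iptables -S INPUT` output, lists the rules that sit below a match-everything NFQUEUE rule, and prints (without running) the commands that would move that rule to the end of the chain. The function names and the sample rules are constructed for illustration, and the check assumes NFQUEUE acts as a terminating target in this setup.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Input format assumed: output of `iptables -S INPUT`, one rule per line.

# Constructed sample mirroring the INPUT listing in the post.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-suricata
-A INPUT -p tcp -m multiport --dports 25 -j f2b-assp'

# Print "<rule number> <target>" for every rule placed after a
# match-everything NFQUEUE rule. NFQUEUE is a terminating target, so
# packets it queues are not evaluated against the rules below it.
shadowed_rules() {
    awk '
    function target(   i) {       # value following -j in the current rule
        for (i = 1; i < NF; i++) if ($i == "-j") return $(i + 1)
        return "-"
    }
    $1 != "-A" { next }           # skip the -P policy line
    { n++ }                       # n equals the number shown by --line-numbers
    queue_at { print n, target(); next }
    # -j right after the chain name means the rule has no match criteria
    $3 == "-j" && $4 == "NFQUEUE" { queue_at = n }
    '
}

# Print (do not run) the commands that move that NFQUEUE rule to the end
# of the chain, so the f2b-* jumps are evaluated first.
reorder_plan() {
    awk '$1 == "-A" && $3 == "-j" && $4 == "NFQUEUE" {
        spec = $0; sub(/^-A /, "", spec)
        print "iptables -D " spec
        print "iptables -A " spec
        exit
    }'
}

printf '%s\n' "$SAMPLE_RULES" | shadowed_rules
printf '%s\n' "$SAMPLE_RULES" | reorder_plan
```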