public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 20/20] firewall: Move the IPS after the NAT marking
Date: Tue, 10 Sep 2024 14:37:33 +0000
Message-ID: <20240910143748.3469271-21-michael.tremer@ipfire.org>
In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org>


This is because we might still land in the scenario where Suricata
crashes and NFQUEUE will simply ACCEPT all packets, which will terminate
the processing of the mangle table.

Therefore the NFQUEUE rule should be the last one so that we never skip
any of the other processing.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/firewall | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 5d37cffd7..7dbbe38cb 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -221,13 +221,6 @@ iptables_init() {
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
-	# IPS (Suricata) chains
-	iptables -t mangle -N IPS
-
-	for chain in PREROUTING POSTROUTING; do
-		iptables -t mangle -A "${chain}" -j IPS
-	done
-
 	# OpenVPN transfer network translation
 	iptables -t nat -N OVPNNAT
 	iptables -t nat -A POSTROUTING -j OVPNNAT
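Review bot: after this hunk the IPS chain no longer exists in the mangle table at this point in iptables_init(), so any rule added between the old position (right after the OVPNBLOCK rules) and the new one that jumps to it with `-j IPS` would now fail with a missing-chain error. Nothing visible in this hunk references the chain, but the other `-j IPS` users (the suricata initscript is not shown here) should be checked to confirm they run only after iptables_init() has reached the new location.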
@@ -382,6 +375,13 @@ iptables_init() {
 			-m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
 	fi
 
+	# IPS (Suricata) chains
+	iptables -t mangle -N IPS
+
+	for chain in PREROUTING POSTROUTING; do
+		iptables -t mangle -A "${chain}" -j IPS
+	done
+
 	# RED chain, used for the red interface
 	iptables -N REDINPUT
 	iptables -A INPUT -j REDINPUT
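Review bot: the ordering constraint that motivates this move lives only in the commit message; the in-code comment `# IPS (Suricata) chains` gives a future reader no hint that the block must stay after the NAT marking rules. Suggest expanding the comment at the new location, e.g. `# IPS (Suricata) chains - must come after the NAT marking: an NFQUEUE ACCEPT verdict (Suricata not running) ends mangle table traversal`. Note also that `-A` only guarantees the `-j IPS` jump follows rules appended earlier in this function; any mangle PREROUTING/POSTROUTING rule appended later, here or by another script, would still be skipped when the queue falls back to ACCEPT, so "last one" holds only for what iptables_init() has added up to this point.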
-- 
2.39.2


Thread overview: 21+ messages
2024-09-10 14:37 Addressing #13764 Michael Tremer
2024-09-10 14:37 ` [PATCH 01/20] suricata: Move the IPS into the mangle table Michael Tremer
2024-09-10 14:37 ` [PATCH 02/20] initscripts: Fix bash function definitions in suricata Michael Tremer
2024-09-10 14:37 ` [PATCH 03/20] suricata: Use getconf to determine the number of processors Michael Tremer
2024-09-10 14:37 ` [PATCH 04/20] suricata: Remove some unused constants Michael Tremer
2024-09-10 14:37 ` [PATCH 05/20] suricata: Add whitelist to iptables Michael Tremer
2024-09-10 14:37 ` [PATCH 06/20] suricata: Replace removed CPU count function Michael Tremer
2024-09-10 14:37 ` [PATCH 07/20] suricata: Be more efficient with marks Michael Tremer
2024-09-10 14:37 ` [PATCH 08/20] suricata: Add a watcher to restart on unexpected termination Michael Tremer
2024-09-10 14:37 ` [PATCH 09/20] suricata: Start the new watcher in the background Michael Tremer
2024-09-10 14:37 ` [PATCH 10/20] suricata: Restore the interface selection Michael Tremer
2024-09-10 14:37 ` [PATCH 11/20] suricata: Remove superfluous bits from the initscript Michael Tremer
2024-09-10 14:37 ` [PATCH 12/20] suricata: Don't load /var/ipfire/ethernet/settings Michael Tremer
2024-09-10 14:37 ` [PATCH 13/20] suricata: Add option to scan WireGuard Michael Tremer
2024-09-10 14:37 ` [PATCH 14/20] suricata: Fix broken spacing in the settings section Michael Tremer
2024-09-10 14:37 ` [PATCH 15/20] ids.cgi: Use new style tables for rulesets Michael Tremer
2024-09-10 14:37 ` [PATCH 16/20] ids.cgi: Use new-style table for whitelist entries Michael Tremer
2024-09-10 14:37 ` [PATCH 17/20] ids.cgi: Sort " Michael Tremer
2024-09-10 14:37 ` [PATCH 18/20] ids.cgi: Remove box from the top section Michael Tremer
2024-09-10 14:37 ` [PATCH 19/20] ids.cgi: Fix detection for the Suricata process Michael Tremer
2024-09-10 14:37 ` Michael Tremer [this message]