From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 05/20] suricata: Add whitelist to iptables Date: Tue, 10 Sep 2024 14:37:18 +0000 Message-ID: <20240910143748.3469271-6-michael.tremer@ipfire.org> In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3374974322121688881==" List-Id: --===============3374974322121688881== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This allows us to workaround better against any problems in Suricata because we never send any whitelisted packets to the IPS in the first place. Signed-off-by: Michael Tremer
---
 src/initscripts/system/suricata | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index c307e358c..14b48b5bd 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -75,6 +75,21 @@ generate_fw_rules() {
 # Don't process packets that have already been seen by the IPS
 iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS= _REPEAT_MASK ))" -j RETURN
=20
+ # Never send any whitelisted packets to the IPS
+ if [ -r "/var/ipfire/suricata/ignored" ]; then
+ local id network remark enabled rest
+ while IFS=3D',' read -r id network remark enabled rest; do
+ echo "$network"
+ echo "$remark"
+ # Skip disabled entries
+ [ "${enabled}" =3D "enabled" ] || continue
+ iptables -w -t mangle -A IPS -s "${network}" -j RETURN
+ iptables -w -t mangle -A IPS -d "${network}" -j RETURN
+ done < "/var/ipfire/suricata/ignored"
+ fi
+
 # Send packets to suricata
 iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
=20
--=20
2.39.2
--===============3374974322121688881==--
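Review bot: The two `echo "$network"` / `echo "$remark"` lines inside the read loop look like leftover debugging output: they run for every entry, before the `enabled` check, and print the whitelist contents to the init script's stdout each time the rules are generated. I would drop both and instead guard the field that is actually used, `[ -n "${network}" ] || continue`, so an empty or short line in `/var/ipfire/suricata/ignored` does not produce an `iptables ... -s "" -j RETURN` call; the loop has no error handling, so presumably such a failure (or any malformed network from the file) would be ignored and that entry would silently still be sent to the IPS. The file is split with `IFS=','`, so a remark containing a comma shifts `enabled` into `rest` and the entry is treated as disabled; if the writer of that file does not escape commas, a comment on the expected field layout (`id,network,remark,enabled`) would help the next reader. generate_fw_rules() starts before the hunk and continues after it.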