From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4b4vn62PpPz2ybk for ; Sun, 25 May 2025 10:11:22 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4b4vn263LRz2xVX for ; Sun, 25 May 2025 10:11:18 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4b4vn20NgWz62 for ; Sun, 25 May 2025 10:11:18 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1748167878; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Seq/d/siC+ZB3hwpJA1gDt93i72TE5nMD7Sr40Vlt2U=; b=N9I29A8tocr+otnKehFABfdbWpPbNRpcjQy5SiNv5jCf6p2GIf1Z0Q5sp1L03uZ3xT4bQ0 CJHJ8foV1H8tTfDw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1748167878; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Seq/d/siC+ZB3hwpJA1gDt93i72TE5nMD7Sr40Vlt2U=; b=mHZqIXZgdQ06kPOTpUI8aEI57chK8+0oQmF8uBwUoPA1dPwyQtN1mZ3V4ct7DCQafsa3PE U/yxJLC3SkaTKhj5KdBqmxZQ9RMh8N7gWFCsvsRG5YdmqsLzeH+5aM0VzOFQXa6k/QXOFT FM96G2cZx30PMLxJv+egNJnaCZZacu3jfVnjTopvv4IJa+1icJwhmRsP4HlCh7aiwrzH7B 6n6oKPVVwO9H7c1xmXnYgsW86EWFJF3ji1NgrLrsSAV69pQky2AuCOoM5kO0dLsDFv+Fh+ LN8BBp8JwqIkhkjDpxXnHJaRTyv7gyszdLxinsVXTDua2Inc4LWXtXkdcCIcqw== Message-ID: <6822079a-7247-4727-95dd-6d7032eb60d1@ipfire.org> Date: Sun, 25 May 2025 12:11:13 +0200 Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Subject: Re: CU195 Testing - WireGuard IPS ramblings From: Adolf Belka To: development@lists.ipfire.org References: <6bef4edafe9cc9423a3a702a06ba4561@ipfire.org> Content-Language: en-GB In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Hi All, On 25/05/2025 11:58, Adolf Belka wrote: > Hi Adam, > On 20/05/2025 23:28, Adam Gibbons wrote: >> Hi all, >> >> Recently I’ve been keeping myself busy testing the newly released CU195 testing build, which includes WireGuard support (insert ITS_ABOUT_TIME emoji here). Today I wanted to test if the IPS was actually inspecting and blocking traffic on the newly added interface. >> >> I thought I’d share my testing approach and findings, in case it’s useful, interesting to anyone else, or for documentation. >> >> Test Methodology: >> - Set up a Fedora VM, connected to IPFire via WireGuard as a Host-To-Net peer (roadwarrior). >> - Enabled IPS only on the WireGuard interface (disabled on RED and GREEN etc). >> - To check if Suricata was properly inspecting traffic inside the tunnel, I looked for a rule that would be safe and easy to trigger on purpose. >> >> I settled on this rule: >>      GPL MISC source port 53 to <1024 (sid:2100504) >>      https://threatintel.proofpoint.com/sid/2100504 >> For information this rule can be found in emerging-misc.rules in the Emerging Threats community ruleset. Regards, Adolf. >> I picked this because it’s straightforward to match, unlikely to cause noise or false positives, and works well for a basic end-to-end test. >> >> How I triggered the rule: >>  From the Fedora VM (192.168.26.5), I used hping3 to send a SYN packet with source port 53 to IPFire’s external IP on port 80: >> >>      hping3 -S -p 80 -s 53 >> >> This created exactly the traffic the rule is looking for. >> >> Result: >> The alert appeared in Suricata’s log: >> >>      Date:   05/20 21:43:21 >>      Name:   GPL MISC source port 53 to <1024 >>      Priority: 2 >>      Type:   Potentially Bad Traffic >>      IP info: 192.168.26.5:53 -> :80 >>      SID:    2100504 >> >> This test confirms IPS is inspecting WireGuard tunnel traffic as intended in CU195. > > That is something I have been looking for, for my testing activities. My test systems are vm's and are behind my "production" IPFire system and therefore nothing much gets triggered in the IPS on my vm systems as it has all been filtered out by my main IPFire. > Your approach gives me something to create a condition that should be picked up. > > I will be giving it a test to confirm I can get it working. > > Thanks very much. > > Regards, > Adolf. > >> >> Bug reports are great, but it's better when something just works. >> >> Cheers, >> Adam >> >