From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: CU195 Testing - WireGuard IPS ramblings
Date: Sun, 25 May 2025 11:58:13 +0200 [thread overview]
Message-ID: <f88a189f-4866-4e23-b1f9-ed6b7b424092@ipfire.org> (raw)
In-Reply-To: <6bef4edafe9cc9423a3a702a06ba4561@ipfire.org>
Hi Adam,
On 20/05/2025 23:28, Adam Gibbons wrote:
> Hi all,
>
> Recently I’ve been keeping myself busy testing the newly released CU195 testing build, which includes WireGuard support (insert ITS_ABOUT_TIME emoji here). Today I wanted to test if the IPS was actually inspecting and blocking traffic on the newly added interface.
>
> I thought I’d share my testing approach and findings, in case it’s useful, interesting to anyone else, or for documentation.
>
> Test Methodology:
> - Set up a Fedora VM, connected to IPFire via WireGuard as a Host-To-Net peer (roadwarrior).
> - Enabled IPS only on the WireGuard interface (disabled on RED and GREEN etc).
> - To check if Suricata was properly inspecting traffic inside the tunnel, I looked for a rule that would be safe and easy to trigger on purpose.
>
> I settled on this rule:
> GPL MISC source port 53 to <1024 (sid:2100504)
> https://threatintel.proofpoint.com/sid/2100504
>
> I picked this because it’s straightforward to match, unlikely to cause noise or false positives, and works well for a basic end-to-end test.
>
> How I triggered the rule:
> From the Fedora VM (192.168.26.5), I used hping3 to send a SYN packet with source port 53 to IPFire’s external IP on port 80:
>
> hping3 -S -p 80 -s 53 <ENDPOINT_IP>
>
> This created exactly the traffic the rule is looking for.
>
> Result:
> The alert appeared in Suricata’s log:
>
> Date: 05/20 21:43:21
> Name: GPL MISC source port 53 to <1024
> Priority: 2
> Type: Potentially Bad Traffic
> IP info: 192.168.26.5:53 -> <ENDPOINT_IP>:80
> SID: 2100504
>
> This test confirms IPS is inspecting WireGuard tunnel traffic as intended in CU195.
That is something I have been looking for, for my testing activities. My test systems are vm's and are behind my "production" IPFire system and therefore nothing much gets triggered in the IPS on my vm systems as it has all been filtered out by my main IPFire.
Your approach gives me something to create a condition that should be picked up.
I will be giving it a test to confirm I can get it working.
Thanks very much.
Regards,
Adolf.
>
> Bug reports are great, but it's better when something just works.
>
> Cheers,
> Adam
>
next prev parent reply other threads:[~2025-05-25 9:58 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-20 21:28 Adam Gibbons
2025-05-25 9:58 ` Adolf Belka [this message]
2025-05-25 10:11 ` Adolf Belka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f88a189f-4866-4e23-b1f9-ed6b7b424092@ipfire.org \
--to=adolf.belka@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox