From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4b4vV55MWBz2ybk for ; Sun, 25 May 2025 09:58:21 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4b4vV21zQnz2xVX for ; Sun, 25 May 2025 09:58:18 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4b4vV148h7z62 for ; Sun, 25 May 2025 09:58:17 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1748167097; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Pk4ccbM/RB1nTvXO4lUuUYKNT7Y+oAC4MmC3Weg6IHk=; b=xIhd3C8XT5dhwhXI6X/cZ4TY6Dw8M3CuQPuMlKeVhjiDY+vxKUGAO9IgQlWDfg6dDM3vhB nNz5SX1eDkNWMWDA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1748167097; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Pk4ccbM/RB1nTvXO4lUuUYKNT7Y+oAC4MmC3Weg6IHk=; b=hHuca7yfazwOPHJ8Kir2aGHKaEXpLXbLVDLKaCvwHZLr5rEQG09RsNmp0YlknagBxjDCc3 MFDtWk1ZnavhYUmtnjb/UIrdj9T9MHgGbAcB8y6sA8IwP8UWEYi15bgRgjA0idGPM8D7+U GaYs/t8vQw02dUSi9GIlj6g2ZZA7BNooacFGIcmj4heyESPbNfETo3ZmbBL03g0xmz0bhy BpAfGHfTPH665yfRJ5KrW8Ox0FZtUSe2yQyQsEHVDlsnAT7I4i6nupIsWAYX+u+ZRcw1mI LNUarKhE2JKO6FqX363oyO5v+2HdTz1oB1o+yMCcm/UKbJuVbYMNFOmiMxUvKA== Message-ID: Date: Sun, 25 May 2025 11:58:13 +0200 Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Subject: Re: CU195 Testing - WireGuard IPS ramblings To: development@lists.ipfire.org References: <6bef4edafe9cc9423a3a702a06ba4561@ipfire.org> Content-Language: en-GB From: Adolf Belka In-Reply-To: <6bef4edafe9cc9423a3a702a06ba4561@ipfire.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Hi Adam, On 20/05/2025 23:28, Adam Gibbons wrote: > Hi all, > > Recently I’ve been keeping myself busy testing the newly released CU195 testing build, which includes WireGuard support (insert ITS_ABOUT_TIME emoji here). Today I wanted to test if the IPS was actually inspecting and blocking traffic on the newly added interface. > > I thought I’d share my testing approach and findings, in case it’s useful, interesting to anyone else, or for documentation. > > Test Methodology: > - Set up a Fedora VM, connected to IPFire via WireGuard as a Host-To-Net peer (roadwarrior). > - Enabled IPS only on the WireGuard interface (disabled on RED and GREEN etc). > - To check if Suricata was properly inspecting traffic inside the tunnel, I looked for a rule that would be safe and easy to trigger on purpose. > > I settled on this rule: >     GPL MISC source port 53 to <1024 (sid:2100504) >     https://threatintel.proofpoint.com/sid/2100504 > > I picked this because it’s straightforward to match, unlikely to cause noise or false positives, and works well for a basic end-to-end test. > > How I triggered the rule: > From the Fedora VM (192.168.26.5), I used hping3 to send a SYN packet with source port 53 to IPFire’s external IP on port 80: > >     hping3 -S -p 80 -s 53 > > This created exactly the traffic the rule is looking for. > > Result: > The alert appeared in Suricata’s log: > >     Date:   05/20 21:43:21 >     Name:   GPL MISC source port 53 to <1024 >     Priority: 2 >     Type:   Potentially Bad Traffic >     IP info: 192.168.26.5:53 -> :80 >     SID:    2100504 > > This test confirms IPS is inspecting WireGuard tunnel traffic as intended in CU195. That is something I have been looking for, for my testing activities. My test systems are vm's and are behind my "production" IPFire system and therefore nothing much gets triggered in the IPS on my vm systems as it has all been filtered out by my main IPFire. Your approach gives me something to create a condition that should be picked up. I will be giving it a test to confirm I can get it working. Thanks very much. Regards, Adolf. > > Bug reports are great, but it's better when something just works. > > Cheers, > Adam >