I have no idea why some odd value was chosen here, but one bit should be enough.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 4 ++-- src/initscripts/system/suricata | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 4e9e39967..1ce013dc7 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -346,8 +346,8 @@ logging:
 nfq:
 mode: repeat
- repeat-mark: 1879048192
- repeat-mask: 1879048192
+ repeat-mark: 2147483648
+ repeat-mask: 2147483648
 # bypass-mark: 1
 # bypass-mask: 1
 # route-queue: 2
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 33633ddf9..e327225d7 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn )
 enabled_ips_zones=()
 # Mark and Mask options.
-MARK="0x70000000"
-MASK="0x70000000"
+MARK="0x80000000"
+MASK="0x80000000"
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
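Review bot: The repeat mark now exists in two files in two radices — `repeat-mark: 2147483648` in config/suricata/suricata.yaml and `MARK="0x80000000"` in the initscript — with nothing tying them together, so editing one later silently desynchronises the mark Suricata stamps on reinjected packets from the mark the iptables rule excludes. A cross-reference on each side would pin that, e.g. in the initscript `# Must equal nfq.repeat-mark / repeat-mask in config/suricata/suricata.yaml (2147483648 == 0x80000000)` and the mirror note in the yaml. The value is bit 31 of the 32-bit fwmark; it presumably was picked to stay clear of the NAT and IPsec mark bits that the firewall initscript defines (visible in a later patch on this page), and saying so next to the constant would explain why "one bit" was chosen here.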
This should avoid confusion when we add more marks
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/suricata | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index e327225d7..111bd9df3 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn )
 enabled_ips_zones=()
 # Mark and Mask options.
-MARK="0x80000000"
-MASK="0x80000000"
+REPEAT_MARK="0x80000000"
+REPEAT_MASK="0x80000000"
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
@@ -137,19 +137,19 @@ function generate_fw_rules {
 # Loop through the array and create firewall rules.
 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
 # Create rules queue input and output related traffic and pass it to the IPS.
- iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
- iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
 # Create rules which are required to handle forwarded traffic.
 for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
- iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
 done
 done
 # Clear repeat bit, so that it does not confuse IPsec or QoS
- iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
- iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
- iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+ iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+ iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
 fi
 }
Reviewed-by: Peter Müller peter.mueller@ipfire.org
This should avoid confusion when we add more marks
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
src/initscripts/system/suricata | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index e327225d7..111bd9df3 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn ) enabled_ips_zones=()
# Mark and Mask options. -MARK="0x80000000" -MASK="0x80000000" +REPEAT_MARK="0x80000000" +REPEAT_MASK="0x80000000"
# PID file of suricata. PID_FILE="/var/run/suricata.pid" @@ -137,19 +137,19 @@ function generate_fw_rules { # Loop through the array and create firewall rules. for enabled_ips_zone in "${enabled_ips_zones[@]}"; do # Create rules queue input and output related traffic and pass it to the IPS.
iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS # Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS done
done
# Clear repeat bit, so that it does not confuse IPsec or QoS
iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
fiiptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
}
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
This should avoid confusion when we add more marks
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
src/initscripts/system/suricata | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index e327225d7..111bd9df3 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn ) enabled_ips_zones=() # Mark and Mask options. -MARK="0x80000000" -MASK="0x80000000" +REPEAT_MARK="0x80000000" +REPEAT_MASK="0x80000000" # PID file of suricata. PID_FILE="/var/run/suricata.pid" 
@@ -137,19 +137,19 @@ function generate_fw_rules { # Loop through the array and create firewall rules. for enabled_ips_zone in "${enabled_ips_zones[@]}"; do # Create rules queue input and output related traffic and pass it to the IPS. - iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS - iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS + iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS # Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do - iptables -w -I "$IPS_FORWARD_CHAIN" - i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + iptables -w -I "$IPS_FORWARD_CHAIN" - i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS done done # Clear repeat bit, so that it does not confuse IPsec or QoS - iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set- xmark "0x0/${MASK}" - iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set- xmark "0x0/${MASK}" - iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set- xmark "0x0/${MASK}" + iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set- xmark "0x0/${REPEAT_MASK}" + iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set- xmark "0x0/${REPEAT_MASK}" + iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set- xmark "0x0/${REPEAT_MASK}" fi }
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 4 ++-- src/initscripts/system/suricata | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 1ce013dc7..f02b93d76 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -348,8 +348,8 @@ nfq:
 mode: repeat
 repeat-mark: 2147483648
 repeat-mask: 2147483648
-# bypass-mark: 1
-# bypass-mask: 1
+ bypass-mark: 1073741824
+ bypass-mask: 1073741824
 # route-queue: 2
 # batchcount: 20
 fail-open: yes
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 111bd9df3..981471c7c 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -37,6 +37,8 @@ enabled_ips_zones=()
 # Mark and Mask options.
 REPEAT_MARK="0x80000000"
 REPEAT_MASK="0x80000000"
+BYPASS_MARK="0x40000000"
+BYPASS_MASK="0x40000000"
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
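Review bot: BYPASS_MARK and BYPASS_MASK are defined in the initscript but no rule in this commit reads them, while the yaml side enables `bypass-mark: 1073741824` right away — so from this commit on Suricata may stamp 0x40000000 onto packets that the firewall does not yet treat specially (the RETURN rule that consumes the bit arrives in a later patch on this page). That ordering is harmless as far as I can see but deserves a sentence in the commit message. As with the repeat mark, the value is duplicated in decimal and hex across the two files; a cross-reference such as `# Must equal nfq.bypass-mark / bypass-mask in config/suricata/suricata.yaml (1073741824 == 0x40000000)` next to the new constants would keep them from drifting apart. The same hunks appear again at L45-L52 and L53-L56.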
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
config/suricata/suricata.yaml | 4 ++-- src/initscripts/system/suricata | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 1ce013dc7..f02b93d76 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -348,8 +348,8 @@ nfq: mode: repeat repeat-mark: 2147483648 repeat-mask: 2147483648 -# bypass-mark: 1 -# bypass-mask: 1
- bypass-mark: 1073741824
- bypass-mask: 1073741824
# route-queue: 2 # batchcount: 20 fail-open: yes diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 111bd9df3..981471c7c 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -37,6 +37,8 @@ enabled_ips_zones=() # Mark and Mask options. REPEAT_MARK="0x80000000" REPEAT_MASK="0x80000000" +BYPASS_MARK="0x40000000" +BYPASS_MASK="0x40000000"
# PID file of suricata. PID_FILE="/var/run/suricata.pid"
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
config/suricata/suricata.yaml | 4 ++-- src/initscripts/system/suricata | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 1ce013dc7..f02b93d76 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -348,8 +348,8 @@ nfq: mode: repeat repeat-mark: 2147483648 repeat-mask: 2147483648 -# bypass-mark: 1 -# bypass-mask: 1 + bypass-mark: 1073741824 + bypass-mask: 1073741824 # route-queue: 2 # batchcount: 20 fail-open: yes diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 111bd9df3..981471c7c 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -37,6 +37,8 @@ enabled_ips_zones=() # Mark and Mask options. REPEAT_MARK="0x80000000" REPEAT_MASK="0x80000000" +BYPASS_MARK="0x40000000" +BYPASS_MASK="0x40000000" # PID file of suricata. PID_FILE="/var/run/suricata.pid"
If a stream cannot be identified or if suricata has decided that it cannot do anything useful any more (e.g. TLS sessions after the handshake), we will allow suricata to bypass any following packets in that flow
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index f02b93d76..6f37671c8 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -389,11 +389,19 @@ app-layer:
 # will be disabled by default, but enabled if rules require it.
 ja3-fingerprints: auto
- # Completely stop processing TLS/SSL session after the handshake
- # completed. If bypass is enabled this will also trigger flow
- # bypass. If disabled (the default), TLS/SSL session is still
- # tracked for Heartbleed and other anomalies.
- #no-reassemble: yes
+ # What to do when the encrypted communications start:
+ # - default: keep tracking TLS session, check for protocol anomalies,
+ # inspect tls_* keywords. Disables inspection of unmodified
+ # 'content' signatures.
+ # - bypass: stop processing this flow as much as possible. No further
+ # TLS parsing and inspection. Offload flow bypass to kernel
+ # or hardware if possible.
+ # - full: keep tracking and inspection as normal. Unmodified content
+ # keyword signatures are inspected as well.
+ #
+ # For best performance, select 'bypass'.
+ #
+ encryption-handling: bypass
 dcerpc:
 enabled: yes
 ftp:
@@ -810,6 +818,7 @@ stream:
 prealloc-sessions: 4096
 checksum-validation: yes # reject wrong csums
 inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
+ bypass: yes # Bypass packets when stream.reassembly.depth is reached.
 reassembly:
 memcap: 256mb
 depth: 1mb # reassemble 1mb into a stream
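Review bot: `encryption-handling: bypass` together with `stream.bypass: yes` is a deliberate detection trade-off that the file does not state: once a TLS handshake completes, or a stream passes `reassembly.depth: 1mb`, Suricata stops inspecting that flow, so the post-handshake anomaly tracking the removed comment described and any signature that needs payload deeper than 1 MB into a stream no longer fires for it. The option block copied in from upstream explains what the three values do but not why this deployment chose `bypass`; a one-line note above the key, `# bypass chosen for throughput: encrypted flows are handed to the kernel via nfq.bypass-mark once the handshake is done`, records the decision where the next person changing it will look. The same hunks appear again at L65.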
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
If a stream cannot be identified or if suricata has decided that it cannot do anything useful any more (e.g. TLS sessions after the handshake), we will allow suricata to bypass any following packets in that flow
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
config/suricata/suricata.yaml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index f02b93d76..6f37671c8 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -389,11 +389,19 @@ app-layer: # will be disabled by default, but enabled if rules require it. ja3-fingerprints: auto - # Completely stop processing TLS/SSL session after the handshake - # completed. If bypass is enabled this will also trigger flow - # bypass. If disabled (the default), TLS/SSL session is still - # tracked for Heartbleed and other anomalies. - #no-reassemble: yes + # What to do when the encrypted communications start: + # - default: keep tracking TLS session, check for protocol anomalies, + # inspect tls_* keywords. Disables inspection of unmodified + # 'content' signatures. + # - bypass: stop processing this flow as much as possible. No further + # TLS parsing and inspection. Offload flow bypass to kernel + # or hardware if possible. + # - full: keep tracking and inspection as normal. Unmodified content + # keyword signatures are inspected as well. + # + # For best performance, select 'bypass'. + # + encryption-handling: bypass dcerpc: enabled: yes ftp: @@ -810,6 +818,7 @@ stream: prealloc-sessions: 4096 checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + bypass: yes # Bypass packets when stream.reassembly.depth is reached. reassembly: memcap: 256mb depth: 1mb # reassemble 1mb into a stream
This allows us to add rules in a consistent order like they are in the script.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/suricata | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 981471c7c..5ccea9391 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -139,12 +139,12 @@ function generate_fw_rules {
 # Loop through the array and create firewall rules.
 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
 # Create rules queue input and output related traffic and pass it to the IPS.
- iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
- iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
 # Create rules which are required to handle forwarded traffic.
 for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
- iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
 done
 done
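Review bot: With `-A` the position of each NFQUEUE rule in the chain is now exactly the statement order of generate_fw_rules, which is the intent, but it makes the function depend silently on two things that nothing here states: flush_fw_chain having emptied the chains beforehand (otherwise every re-run appends a second copy of each rule), and the mark-clearing rules appended after this loop (outside the hunk) staying after it. A short comment at the top of the loop would pin both, e.g. `# Chain order == statement order below; chains are flushed above, so keep the NFQUEUE rules ahead of the mark-clearing rules`. generate_fw_rules starts before and ends after this hunk; the copy at L74 is the same change.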
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
This allows us to add rules in a consistent order like they are in the script.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
src/initscripts/system/suricata | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 981471c7c..5ccea9391 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -139,12 +139,12 @@ function generate_fw_rules { # Loop through the array and create firewall rules. for enabled_ips_zone in "${enabled_ips_zones[@]}"; do # Create rules queue input and output related traffic and pass it to the IPS. - iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS - iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS + iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS + iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS # Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do - iptables -w -I "$IPS_FORWARD_CHAIN" - i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS + iptables -w -A "$IPS_FORWARD_CHAIN" - i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS done done
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/suricata | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 5ccea9391..2577621b8 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -134,6 +134,12 @@ function generate_fw_rules {
 # Flush the firewall chains.
 flush_fw_chain
+ # Skip anything that has the bypass bit set
+ local chain
+ for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
+ iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN
+ done
+
 # Check if the array of enabled_ips_zones contains any elements.
 if [[ ${enabled_ips_zones[@]} ]]; then
 # Loop through the array and create firewall rules.
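Review bot: The new RETURN rule tests only the per-packet fwmark, so unless something earlier in these chains restores the mark from conntrack (nothing in this hunk does), it short-circuits just the packet Suricata itself stamped with the bypass bit; the following packets of that flow arrive with a clean mark and are queued to NFQUEUE again. If the intent is a per-flow bypass, the `CONNMARK --save-mark` half — added in a later patch on this page — also needs a restore (or a `-m connmark` match) ahead of this rule, and that dependency should be written down here: `# Per-packet check: persisting the bit across a flow relies on CONNMARK save/restore elsewhere`. The comment could also name the bit, since `BYPASS_MASK` alone does not tell a reader that this is 0x40000000 set by Suricata's nfq bypass-mark. The copy at L81 is the same hunk.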
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
src/initscripts/system/suricata | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 5ccea9391..2577621b8 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -134,6 +134,12 @@ function generate_fw_rules { # Flush the firewall chains. flush_fw_chain + # Skip anything that has the bypass bit set + local chain + for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do + iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN + done
# Check if the array of enabled_ips_zones contains any elements. if [[ ${enabled_ips_zones[@]} ]]; then # Loop through the array and create firewall rules.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/suricata | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 2577621b8..72d01b91d 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -154,10 +154,14 @@ function generate_fw_rules {
 done
 done
- # Clear repeat bit, so that it does not confuse IPsec or QoS
- iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
- iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
- iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+ # Add common rules at the end of the chain
+ for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
+ # Clear repeat bit
+ iptables -w -A "${chain}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+
+ # Store bypass bit in CONNMARK
+ iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark
+ done
 fi
 }
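Review bot: `CONNMARK --save-mark` with no `--nfmask`/`--ctmask` copies the whole 32-bit fwmark into the connection mark, not just the bypass bit, so any other mark bits the packet carries at that point (the firewall initscript on this page defines NAT and IPsec mark bits) replace whatever the firewall keeps in the ctmark — I cannot see from here whether anything else relies on the ctmark, so treat this as a question. If only the bypass bit is meant to persist, restrict the copy: `iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark --nfmask "${BYPASS_MASK}" --ctmask "${BYPASS_MASK}"`. The loop reuses `chain`, declared `local` earlier in generate_fw_rules outside this hunk, which is fine but worth a glance if that declaration ever moves. The same hunk appears at L89-L90.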
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
src/initscripts/system/suricata | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 2577621b8..72d01b91d 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -154,10 +154,14 @@ function generate_fw_rules { done done - # Clear repeat bit, so that it does not confuse IPsec or QoS - iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set- xmark "0x0/${REPEAT_MASK}" - iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set- xmark "0x0/${REPEAT_MASK}" - iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set- xmark "0x0/${REPEAT_MASK}" + # Add common rules at the end of the chain + for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do + # Clear repeat bit + iptables -w -A "${chain}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+ # Store bypass bit in CONNMARK + iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark + done fi }
NFQUEUE does not let the packet continue where it was processed, but inserts it back into iptables at the start. That is why we need an extra IPSBYPASS chain which has the following tasks:
* Make the BYPASS bit permanent for the entire connection * Clear the REPEAT bit
The latter is more of a cosmetic nature so that we can identify packets that have come from suricata again and those which have bypassed the IPS straight away.
The IPS_* chain will now only be sent traffic to, when none of the two relevant bits has been set. Otherwise the packet has already been processed by suricata in the first pass or suricata has decided to bypass the connection.
This massively reduces load on the IPS which allows many common connections (TLS connections with downloads) to bypass the IPS bringing us back to line speed.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/firewall | 23 ++++++++++++++++++++--- src/initscripts/system/suricata | 27 +++------------------------ 2 files changed, 23 insertions(+), 27 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ce428393d..530e8f1d6 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -17,6 +17,11 @@ NAT_MASK="0x0f000000"
 IPSEC_MARK="0x00800000"
 IPSEC_MASK="${IPSEC_MARK}"
+IPS_REPEAT_MARK="0x80000000"
+IPS_REPEAT_MASK="0x80000000"
+IPS_BYPASS_MARK="0x40000000"
+IPS_BYPASS_MASK="0x40000000"
+
 function iptables() {
 /sbin/iptables --wait "$@"
 }
@@ -41,6 +46,17 @@ iptables_init() {
 modprobe nf_log_ipv4
 sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
+ # IPS Bypass Chain which stores the BYPASS bit in connection tracking
+ iptables -N IPSBYPASS
+ iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))"
+ iptables -A IPSBYPASS -j CONNMARK --save-mark
+
+ # Jump into bypass chain when the BYPASS bit is set
+ for chain in INPUT FORWARD OUTPUT; do
+ iptables -A "${chain}" -m mark \
+ --mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS
+ done
+
 # Empty LOG_DROP and LOG_REJECT chains
 iptables -N LOG_DROP
 iptables -A LOG_DROP -m limit --limit 10/second -j LOG
@@ -147,9 +163,10 @@ iptables_init() {
 iptables -N IPS_INPUT
 iptables -N IPS_FORWARD
 iptables -N IPS_OUTPUT
- iptables -A INPUT -j IPS_INPUT
- iptables -A FORWARD -j IPS_FORWARD
- iptables -A OUTPUT -j IPS_OUTPUT
+
+ for chain in INPUT FORWARD OUTPUT; do
+ iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}"
+ done
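Review bot: The comment says the jump fires "when the BYPASS bit is set", but `--mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))"` is value 0xC0000000 under mask 0xC0000000, which matches only when REPEAT and BYPASS are both set. That is presumably what a packet Suricata hands back with a bypass verdict looks like, and the `0x0/mask` rule in the next hunk only admits fully unmarked packets to IPS_*, so the flow still works; but a packet carrying REPEAT alone never enters IPSBYPASS and keeps its REPEAT bit for the rest of the traversal (the commit message calls that clearing cosmetic, so this may be intended). Either correct the comment to `# Jump into bypass chain when Suricata has handed the packet back with the BYPASS bit set` or match the bypass bit alone, `--mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))"`. As in the suricata initscript, `CONNMARK --save-mark` without `--nfmask`/`--ctmask` copies the whole fwmark into the ctmark, so the NAT and IPsec bits defined at the top of this file land in conntrack too — passing `$(( IPS_BYPASS_MASK ))` to both would confine it to the one bit; `chain` is also assigned in iptables_init without `local` and reused by the next hunk. The same hunks repeat at L115-L118.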
 # OpenVPN transfer network translation
 iptables -t nat -N OVPNNAT
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 72d01b91d..13fcc7f34 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -34,12 +34,6 @@ network_zones=( red green blue orange ovpn )
 # Array to store the network zones weather the IPS is enabled for.
 enabled_ips_zones=()
-# Mark and Mask options.
-REPEAT_MARK="0x80000000"
-REPEAT_MASK="0x80000000"
-BYPASS_MARK="0x40000000"
-BYPASS_MASK="0x40000000"
-
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
@@ -134,34 +128,19 @@ function generate_fw_rules {
 # Flush the firewall chains.
 flush_fw_chain
- # Skip anything that has the bypass bit set
- local chain
- for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
- iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN
- done
-
 # Check if the array of enabled_ips_zones contains any elements.
 if [[ ${enabled_ips_zones[@]} ]]; then
 # Loop through the array and create firewall rules.
 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
 # Create rules queue input and output related traffic and pass it to the IPS.
- iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
- iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
 # Create rules which are required to handle forwarded traffic.
 for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
- iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS
 done
 done
-
- # Add common rules at the end of the chain
- for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
- # Clear repeat bit
- iptables -w -A "${chain}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
-
- # Store bypass bit in CONNMARK
- iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark
- done
 fi
 }
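Review bot: The NFQUEUE rules now queue every packet that reaches IPS_* unconditionally; the exclusion of REPEAT- and BYPASS-marked packets lives only in the jump rules that src/initscripts/system/firewall adds in this same series. That couples the two initscripts: if generate_fw_rules is ever run against the older plain `-A INPUT -j IPS_INPUT` jumps, a packet Suricata reinjects would presumably be queued a second time, which the dropped `-m mark ! --mark` guard used to prevent. A comment on the first NFQUEUE rule records the dependency: `# REPEAT/BYPASS-marked packets are kept out of IPS_* by the jump rules in the firewall initscript; do not re-add the mark match here`. generate_fw_rules starts before this hunk; the second copy of this patch at L118-L119 is cut off mid-hunk.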
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
NFQUEUE does not let the packet continue where it was processed, but inserts it back into iptables at the start. That is why we need an extra IPSBYPASS chain which has the following tasks:
- Make the BYPASS bit permanent for the entire connection
- Clear the REPEAT bit
The latter is more of a cosmetic nature so that we can identify packets that have come from suricata again and those which have bypassed the IPS straight away.
The IPS_* chain will now only be sent traffic to, when none of the two relevant bits has been set. Otherwise the packet has already been processed by suricata in the first pass or suricata has decided to bypass the connection.
This massively reduces load on the IPS which allows many common connections (TLS connections with downloads) to bypass the IPS bringing us back to line speed.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
src/initscripts/system/firewall | 23 ++++++++++++++++++++--- src/initscripts/system/suricata | 27 +++------------------------ 2 files changed, 23 insertions(+), 27 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ce428393d..530e8f1d6 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -17,6 +17,11 @@ NAT_MASK="0x0f000000"
IPSEC_MARK="0x00800000"
IPSEC_MASK="${IPSEC_MARK}"
+IPS_REPEAT_MARK="0x80000000"
+IPS_REPEAT_MASK="0x80000000"
+IPS_BYPASS_MARK="0x40000000"
+IPS_BYPASS_MASK="0x40000000"
function iptables() {
/sbin/iptables --wait "$@"
}
@@ -41,6 +46,17 @@ iptables_init() {
modprobe nf_log_ipv4
sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
+ # IPS Bypass Chain which stores the BYPASS bit in connection tracking
+ iptables -N IPSBYPASS
+ iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))"
+ iptables -A IPSBYPASS -j CONNMARK --save-mark
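Review bot: The four new IPS_* mark variables at the top of the hunk carry no comment saying that bits 0x80000000 and 0x40000000 are now reserved, while the rules added later in this commit skip the IPS_* chains for any packet carrying either bit, so any other user of the fwmark that set one of them would silently bypass the IPS. A comment above `IPS_REPEAT_MARK` such as `# Reserved for the IPS: REPEAT is set by suricata on packets it re-injects, BYPASS on connections it decided not to inspect; both must match config/suricata/suricata.yaml` would record that. The suricata.yaml hunk shown further down this page still has `# bypass-mark: 1` commented out; unless it is enabled elsewhere with the value 1073741824 (0x40000000), which I cannot see on this page, suricata never sets the BYPASS bit and the bypass path added here is never taken.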
+ # Jump into bypass chain when the BYPASS bit is set
+ for chain in INPUT FORWARD OUTPUT; do
+ iptables -A "${chain}" -m mark \
+ --mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS
+ done
# Empty LOG_DROP and LOG_REJECT chains
iptables -N LOG_DROP
iptables -A LOG_DROP -m limit --limit 10/second -j LOG
@@ -147,9 +163,10 @@ iptables_init() {
iptables -N IPS_INPUT
iptables -N IPS_FORWARD
iptables -N IPS_OUTPUT
- iptables -A INPUT -j IPS_INPUT
- iptables -A FORWARD -j IPS_FORWARD
- iptables -A OUTPUT -j IPS_OUTPUT
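Review bot: The comment `# Jump into bypass chain when the BYPASS bit is set` does not describe the rule under it, which matches `IPS_REPEAT_MARK | IPS_BYPASS_MARK` against `IPS_REPEAT_MASK | IPS_BYPASS_MASK` and therefore requires both bits, so only the packet suricata has just re-injected with a bypass verdict enters IPSBYPASS; a packet whose mark carries the BYPASS bit alone passes straight on. Suggest `# A packet re-injected by suricata (REPEAT) with a bypass verdict (BYPASS): remember the verdict for the rest of the connection`. The hunk also shows no `CONNMARK --restore-mark`; if the saved mark is not restored earlier in INPUT/FORWARD/OUTPUT, later packets of a bypassed connection arrive with a clean mark and are queued to suricata again, so naming the restoring rule in the comment would let a reader check that. iptables_init continues outside the hunk.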
+ for chain in INPUT FORWARD OUTPUT; do
+ iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}"
+ done
# OpenVPN transfer network translation
iptables -t nat -N OVPNNAT
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 72d01b91d..13fcc7f34 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -34,12 +34,6 @@ network_zones=( red green blue orange ovpn )
# Array to store the network zones weather the IPS is enabled for.
enabled_ips_zones=()
-# Mark and Mask options.
-REPEAT_MARK="0x80000000"
-REPEAT_MASK="0x80000000"
-BYPASS_MARK="0x40000000"
-BYPASS_MASK="0x40000000"
# PID file of suricata.
PID_FILE="/var/run/suricata.pid"
@@ -134,34 +128,19 @@ function generate_fw_rules {
# Flush the firewall chains.
flush_fw_chain
- # Skip anything that has the bypass bit set
- local chain
- for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
- iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN
- done
# Check if the array of enabled_ips_zones contains any elements.
if [[ ${enabled_ips_zones[@]} ]]; then
# Loop through the array and create firewall rules.
for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
# Create rules queue input and output related traffic and pass it to the IPS.
- iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
- iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
# Create rules which are required to handle forwarded traffic.
for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
- iptables -w -A "$IPS_FORWARD_CHAIN" - i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_FORWARD_CHAIN" - i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS
done
done
- # Add common rules at the end of the chain
- for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
- # Clear repeat bit
- iptables -w -A "${chain}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
- # Store bypass bit in CONNMARK
- iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark
- done
fi
}
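Review bot: The NFQUEUE rules no longer carry `-m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"`, so generate_fw_rules now relies entirely on the firewall initscript only jumping into IPS_INPUT/IPS_FORWARD/IPS_OUTPUT when the REPEAT and BYPASS bits are clear; nothing in this file says so, and if these chains were ever reached by another route every packet suricata re-injects would be queued to it again. A comment above the `for enabled_ips_zone` loop such as `# Packets already seen by suricata never reach these chains: the firewall initscript only jumps to IPS_* when the REPEAT and BYPASS bits are clear` would make that contract visible where the rules are written. The start of generate_fw_rules is outside the hunk.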
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/firewall | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 530e8f1d6..5fc63683c 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -48,8 +48,7 @@ iptables_init() {
# IPS Bypass Chain which stores the BYPASS bit in connection tracking
iptables -N IPSBYPASS
- iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))"
- iptables -A IPSBYPASS -j CONNMARK --save-mark
+ iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
# Jump into bypass chain when the BYPASS bit is set
for chain in INPUT FORWARD OUTPUT; do
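Review bot: The new `--save-mark --mask` line changes what stays on the packet as well as what goes into conntrack: the removed MARK rule cleared the REPEAT bit from the packet mark, whereas the new rule only keeps it out of the copy written to CONNMARK, so any later rule in INPUT/FORWARD/OUTPUT that matches the whole mark now sees the bit set. The comment above the chain still only says it stores the BYPASS bit; suggest `# Save the mark into conntrack without the REPEAT bit, which belongs to this packet only` next to the new line. The same hunk is rendered a second time further down this page, in the copy that carries the Reviewed-by trailer. iptables_init continues outside the hunk.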
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
src/initscripts/system/firewall | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 530e8f1d6..5fc63683c 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -48,8 +48,7 @@ iptables_init() {
# IPS Bypass Chain which stores the BYPASS bit in connection tracking
iptables -N IPSBYPASS
- iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))"
- iptables -A IPSBYPASS -j CONNMARK --save-mark
+ iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
# Jump into bypass chain when the BYPASS bit is set
for chain in INPUT FORWARD OUTPUT; do
Reviewed-by: Peter Müller peter.mueller@ipfire.org
I have no idea why some odd value was chosen here, but one bit should be enough.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
config/suricata/suricata.yaml | 4 ++-- src/initscripts/system/suricata | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 4e9e39967..1ce013dc7 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -346,8 +346,8 @@ logging:
nfq:
mode: repeat
- repeat-mark: 1879048192
- repeat-mask: 1879048192
- repeat-mark: 2147483648
- repeat-mask: 2147483648
# bypass-mark: 1
# bypass-mask: 1
# route-queue: 2
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 33633ddf9..e327225d7 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn )
enabled_ips_zones=()
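Review bot: repeat-mark and repeat-mask are set to 2147483648 here and to `0x80000000` in src/initscripts/system/suricata in the same commit, but neither file says the two must stay equal, and a decimal value in the YAML beside a hex value in the shell script makes that hard to check by eye. A comment above `repeat-mark` such as `# 0x80000000 - must match MARK/MASK in src/initscripts/system/suricata`, with the mirror note at the MARK definition in the initscript hunk, would tie them together. The bypass-mark and bypass-mask lines below stay commented out, so this file configures no bypass mark at all.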
# Mark and Mask options.
-MARK="0x70000000"
-MASK="0x70000000"
+MARK="0x80000000"
+MASK="0x80000000"
# PID file of suricata.
PID_FILE="/var/run/suricata.pid"
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
I have no idea why some odd value was chosen here, but one bit should be enough.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
config/suricata/suricata.yaml | 4 ++-- src/initscripts/system/suricata | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 4e9e39967..1ce013dc7 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -346,8 +346,8 @@ logging:
nfq:
mode: repeat
- repeat-mark: 1879048192
- repeat-mask: 1879048192
+ repeat-mark: 2147483648
+ repeat-mask: 2147483648
# bypass-mark: 1
# bypass-mask: 1
# route-queue: 2
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 33633ddf9..e327225d7 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn )
enabled_ips_zones=()
# Mark and Mask options.
-MARK="0x70000000"
-MASK="0x70000000"
+MARK="0x80000000"
+MASK="0x80000000"
# PID file of suricata.
PID_FILE="/var/run/suricata.pid"