Bypass filtering of a LAN device
-
I have Suricata running on LAN & WAN interfaces and the outbound activity of one LAN device keeps getting alerted as information leak for SSH... but I want to allow the traffic.
I have created a LAN firewall rule to allow everything from that IP to any destination, but Suricata continues to filter/drop the connections.
How might I easily allow all outbound traffic from this LAN IP to not be filtered?
-
@inline6 Firewall rules and Suricata are unrelated.
There are two ways:
- On the Alerts tab, click one of the plus signs for that alert to suppress the IP for that rule, or suppress the rule or disable the rule for all devices.
- In Suricata, create a Pass List and add your IP (keep all the Auto boxes checked). In the interface, assign the pass list. Restart Suricata on the interface.
Likely there is no need to run it on both WAN and LAN? I suggest LAN because on WAN it will scan, flag and block traffic that would be blocked by the firewall anyway. And on LAN it shows LAN IPs whereas on WAN that will show the public WAN IP.
-
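An added example, not part of the thread and not Suricata's own code: a small Python model of how a per-IP suppress entry (threshold.config syntax) is matched, showing why an entry keyed on the LAN address does not match the same flow on WAN, where the source shown is the public WAN IP. The SID, all addresses and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed suppress list in threshold.config syntax. SID 1000001 and every
# address below are placeholders, not values from the thread.
SUPPRESS_LIST = """
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.1.50
"""

LINE_RE = re.compile(
    r"suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst|by_either)\s*,\s*ip\s+(\S+))?")

def parse_suppress(text):
    """Parse suppress lines (single IP or CIDR only); track is None if global."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unrecognised suppress line: {line!r}")
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        entries.append((int(gid), int(sid), track, net))
    return entries

def is_suppressed(alert, entries):
    """True if any entry matches the alert's gid/sid and tracked address."""
    src = ipaddress.ip_address(alert["src_ip"])
    dst = ipaddress.ip_address(alert["dest_ip"])
    for gid, sid, track, net in entries:
        if (gid, sid) != (alert["gid"], alert["sid"]):
            continue
        if track is None:
            return True
        if track in ("by_src", "by_either") and src in net:
            return True
        if track in ("by_dst", "by_either") and dst in net:
            return True
    return False

# The same outbound SSH flow as each interface sees it (constructed alerts).
LAN_ALERT = {"gid": 1, "sid": 1000001, "src_ip": "192.168.1.50", "dest_ip": "203.0.113.10"}
WAN_ALERT = {"gid": 1, "sid": 1000001, "src_ip": "198.51.100.7", "dest_ip": "203.0.113.10"}

if __name__ == "__main__":
    for name, alert in (("LAN", LAN_ALERT), ("WAN", WAN_ALERT)):
        print(name, "suppressed:", is_suppressed(alert, parse_suppress(SUPPRESS_LIST)))
```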
-
@steveits thank you for that, I was able to add suppress rules on LAN for the internal IP... but because it is also running on WAN I had to add suppress rules for the destination addresses there as well, which is not ideal. Are you saying I should turn it off on the WAN interface entirely?
-
@inline6 said in Bypass filtering of a LAN device:
I should turn it off on the WAN interface entirely
We only set it up on LAN for our clients. You can just stop it for a while, if you want. Otherwise you'll scan every packet twice.
-
@steveits said in Bypass filtering of a LAN device:
@inline6 said in Bypass filtering of a LAN device:
I should turn it off on the WAN interface entirely
We only set it up on LAN for our clients. You can just stop it for a while, if you want. Otherwise you'll scan every packet twice.
That is the route I will go, thank you again.