Netgate Discussion Forum

    pfBlockerNG and Suricata (IPS) interaction

    Category: pfBlockerNG | 8 Posts | 5 Posters | 2.6k Views
    • newyork10023

      Which takes action first?

      • BBcan177 (Moderator)

        @newyork10023 said in pfBlockerNG and Suricata (IPS) interaction:

        Which takes action first?

        Snort and Suricata (non-inline mode) will block based on a copy of the packets. So pfBlockerNG and the IDS may show duplicate events if they are configured to block similar things.

        Suricata inline mode will block before the pfSense firewall rules take effect.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        • timboau 0

          Is there a way to have pfBlocker filter first?

          I'm getting a ton of alerts in Suricata that are not relevant, as they would be blocked by pfBlocker, and it's a heap of extra noise I don't want to look at.

          That being said, I still want to monitor open connections that have been instigated from the LAN to countries I'm normally blocking via pfSense.

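One way to get the effect asked for above without changing where Suricata runs is to post-filter the alert log against the same country netblocks pfBlockerNG enforces, dropping only unsolicited inbound alerts from blocked countries and keeping alerts where a local host initiated the connection. This is an added example written for this thread, not code from pfSense, Suricata or pfBlockerNG: the block list, the local networks, the eve.json records and the signature names are all constructed, and the /var/db/pfblockerng/ location mentioned in the comment is an assumption about where the package keeps its generated lists.

```python
import ipaddress
import json

# Constructed sample of a pfBlockerNG country block list (one network per line, '#' comments).
# pfBlockerNG keeps its generated lists under /var/db/pfblockerng/ on pfSense (path assumed here).
BLOCKED_LIST = """\
# CountryA
192.0.2.0/24
# CountryB
2001:db8:bad::/48
"""

# Networks that are "ours": the LAN, plus the firewall's WAN address, because an alert taken
# on the WAN interface shows outbound traffic with the post-NAT public address as source.
LOCAL_NETS = ["192.168.1.0/24", "2001:db8:1::/48", "198.51.100.7/32"]

# Constructed Suricata eve.json records (not real alerts). 198.51.100.7 is our WAN address.
EVE_LINES = [
    '{"event_type":"alert","src_ip":"192.0.2.45","src_port":41000,"dest_ip":"198.51.100.7","dest_port":22,"proto":"TCP","alert":{"signature":"SAMPLE ssh probe"}}',
    '{"event_type":"alert","src_ip":"192.168.1.50","src_port":52000,"dest_ip":"192.0.2.9","dest_port":443,"proto":"TCP","alert":{"signature":"SAMPLE tls to odd host"}}',
    '{"event_type":"alert","src_ip":"203.0.113.200","src_port":53000,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"signature":"SAMPLE suspicious user-agent"}}',
    '{"event_type":"alert","src_ip":"2001:db8:bad::5","src_port":40000,"dest_ip":"2001:db8:1::7","dest_port":80,"proto":"TCP","alert":{"signature":"SAMPLE http probe"}}',
    '{"event_type":"flow","src_ip":"192.0.2.45","src_port":41000,"dest_ip":"198.51.100.7","dest_port":22,"proto":"TCP"}',
]


def parse_cidrs(text):
    """Parse one IPv4/IPv6 network per line; blank lines and '#' comments are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_any(ip, nets):
    """True if ip falls in any network; a v4/v6 version mismatch simply yields False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(eve_lines, blocked_text, local_cidrs):
    """Split alerts into (kept, dropped).

    dropped: unsolicited traffic whose source is in a blocked country. pfBlockerNG's WAN rule
             already drops these packets, so the Suricata alert is pure noise.
    kept:    everything else, including local hosts talking *to* a blocked country, which is
             the case the poster explicitly still wants to see.
    """
    blocked = parse_cidrs(blocked_text)
    local = parse_cidrs("\n".join(local_cidrs))
    kept, dropped = [], []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # flow/dns/http records are not alerts
        src_local = in_any(ev["src_ip"], local)
        if not src_local and in_any(ev["src_ip"], blocked):
            ev["triage"] = "source in blocked country; pfBlockerNG drops this on WAN"
            dropped.append(ev)
        elif src_local and in_any(ev["dest_ip"], blocked):
            ev["triage"] = "local host contacted a blocked country; keep"
            kept.append(ev)
        else:
            ev["triage"] = "not covered by the country block; keep"
            kept.append(ev)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = triage(EVE_LINES, BLOCKED_LIST, LOCAL_NETS)
    for ev in dropped:
        print("DROP", ev["src_ip"], "->", ev["dest_ip"], ev["triage"])
    for ev in kept:
        print("KEEP", ev["src_ip"], "->", ev["dest_ip"], ev["triage"])
```

Point it at the real eve.json and the real pfBlockerNG list files (one CIDR per line) instead of the constructed samples. The direction test is what preserves the LAN-to-blocked-country alerts: a packet from a blocked netblock aimed at the firewall never passed the WAN rule, whereas a local host reaching out to one is exactly the event worth seeing. Note that Suricata's legacy (non-inline) mode alerts on a copy of the packet, which is why such alerts exist at all for traffic pf then drops.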
          • SteveITS

            Are you running Suricata on the WAN or LAN? Using the LAN will avoid alerting on any traffic that would normally not be passed on the WAN port.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            • timboau 0 @SteveITS

              @teamits Hi, I'm running it on both.

              • My understanding (I could be wrong!)

              Running on the WAN will monitor for attempted intrusion of any kind (not filtered by pfBlocker though) and will also monitor for any 'allowed' traffic that's potentially doing bad things.

              Running on the LAN would indicate any bad activity originating from within the network.

              I'm pretty happy with its reporting/alerting so far other than I'm getting so much noise from countries that I've blocked via pfblockerNG that in real terms wouldn't be posing a risk.

              • SteveITS

                Suricata on WAN will scan packets before the firewall sees them. On LAN it will see all packets passing by so essentially monitor both directions.


                • timboau 0

                  OK, I'm thinking that makes sense - so unless there was an attack against the actual firewall - any traffic that did make it through malicious or not would be 'seen' traversing through to the LAN.

                  • bmeeks @timboau 0

                    @timboau-0 said in pfBlockerNG and Suricata (IPS) interaction:

                    OK, I'm thinking that makes sense - so unless there was an attack against the actual firewall - any traffic that did make it through malicious or not would be 'seen' traversing through to the LAN.

                    Yes, this is correct. The LAN is the best place to put an IDS/IPS 99% of the time. A major reason is so, when using NAT, the IP addresses you see in alerts will be the actual LAN host addresses instead of the NAT IP. When you put the IDS/IPS on the WAN, all internal host traffic shows up under the WAN public IP due to NAT. So finding what internal host generated an alert is very difficult.

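The NAT problem described in the reply above can be worked around when Suricata must stay on the WAN: pf's state table still knows which LAN endpoint a public-side connection belongs to, so a WAN alert can be mapped back by matching its 5-tuple against `pfctl -ss`. The following is an added example written for this thread, not code shipped with pfSense or the Suricata package. The `pfctl -ss` lines and the eve.json alerts are constructed, and the state-line layout (public endpoint, original LAN endpoint in parentheses, remote endpoint) and the `addr[port]` form for IPv6 are the author's reading of pf's output, to be checked against a real box.

```python
import re

# Constructed sample of `pfctl -ss` output on pfSense (data made up). For an outbound NAT
# connection pf shows the WAN-side state with the original LAN endpoint in parentheses:
#   <if> <proto> <public ip:port> (<lan ip:port>) -> <remote ip:port> <state>
# This layout is an assumption of this example; verify it against your own firewall.
PFCTL_STATES = """\
all tcp 192.168.1.50:54321 -> 203.0.113.20:443       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:54321 (192.168.1.50:54321) -> 203.0.113.20:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.77:50000 -> 203.0.113.53:53       MULTIPLE:MULTIPLE
all udp 198.51.100.7:50000 (192.168.1.77:50000) -> 203.0.113.53:53       MULTIPLE:MULTIPLE
"""

# Constructed eve.json alert records as Suricata on the WAN interface would log them: every
# internal host appears as 198.51.100.7, the firewall's public address.
EVE_ALERTS = [
    {"src_ip": "198.51.100.7", "src_port": 54321, "dest_ip": "203.0.113.20", "dest_port": 443,
     "proto": "TCP", "alert": {"signature": "SAMPLE outbound tls to odd host"}},
    {"src_ip": "203.0.113.53", "src_port": 53, "dest_ip": "198.51.100.7", "dest_port": 50000,
     "proto": "UDP", "alert": {"signature": "SAMPLE dns reply anomaly"}},
    {"src_ip": "198.51.100.7", "src_port": 60000, "dest_ip": "203.0.113.9", "dest_port": 80,
     "proto": "TCP", "alert": {"signature": "SAMPLE state already gone"}},
]

# Only lines carrying a "(original endpoint)" translation are of interest.
NAT_STATE_RE = re.compile(r"^\S+\s+(tcp|udp)\s+(\S+)\s+\((\S+)\)\s+->\s+(\S+)\s+\S+")


def split_endpoint(ep):
    """Split pf's endpoint notation: IPv4 is addr:port; IPv6 is assumed to be addr[port]."""
    if ep.endswith("]"):
        addr, port = ep[:-1].rsplit("[", 1)
    else:
        addr, _, port = ep.rpartition(":")
    return addr, int(port)


def load_nat_map(pfctl_text):
    """Map (proto, public ip, public port, remote ip, remote port) -> (lan ip, lan port)."""
    nat = {}
    for line in pfctl_text.splitlines():
        m = NAT_STATE_RE.match(line)
        if not m:
            continue  # LAN-side or non-NAT states carry no translation
        proto, pub, lan, remote = m.groups()
        pub_ip, pub_port = split_endpoint(pub)
        lan_ip, lan_port = split_endpoint(lan)
        rem_ip, rem_port = split_endpoint(remote)
        nat[(proto, pub_ip, pub_port, rem_ip, rem_port)] = (lan_ip, lan_port)
    return nat


def resolve_lan_host(alert, nat):
    """Return (lan ip, direction) for a WAN-side alert, or (None, 'unmatched')."""
    proto = alert["proto"].lower()
    # Outbound packet: the alert's source is the public address after NAT.
    key = (proto, alert["src_ip"], alert["src_port"], alert["dest_ip"], alert["dest_port"])
    if key in nat:
        return nat[key][0], "outbound"
    # Inbound reply: the alert's destination is the public address before un-NAT.
    key = (proto, alert["dest_ip"], alert["dest_port"], alert["src_ip"], alert["src_port"])
    if key in nat:
        return nat[key][0], "inbound"
    return None, "unmatched"


if __name__ == "__main__":
    nat = load_nat_map(PFCTL_STATES)
    for a in EVE_ALERTS:
        host, direction = resolve_lan_host(a, nat)
        print(f"{a['alert']['signature']}: {direction}, LAN host {host}")
```

The lookup keys on the public-side port, not the LAN port, because outbound NAT may rewrite the source port; the parenthesised endpoint is the only place the original LAN port survives. The match is only as good as the snapshot: states expire and ports are reused, so `pfctl -ss` has to be captured close to the alert time, and anything that has already aged out comes back as "unmatched" (the third sample alert). That fragility is the practical reason for the advice in the reply above to run the IDS on the LAN, where the alert carries the internal address to begin with.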
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.