Netgate Discussion Forum

Consider all network as External Net even other local network

IDS/IPS
Le_Bleu
last edited by Mar 17, 2020, 5:40 PM

Hi,
On my pfSense I have 1 WAN and 4 LANs, and I configured Suricata on the 4 LAN interfaces.
By default, the External Net list excludes the local LAN addresses. I would like to consider every network, even the other local networks, as external net, so I created an empty list and assigned it to External Net in Suricata. Is it the best way to do it?
Example: LAN1 is for servers, LAN2 is for laptops. I want to consider LAN2 as an external network to be sure the maximum number of rules is applied, as if the traffic came from the WAN.
Best Regards
Fabrice

bmeeks
last edited by bmeeks Mar 17, 2020, 9:22 PM

No, to be honest that is not the best solution. You should basically never monkey with the default definitions of EXTERNAL_NET and HOME_NET. If you do, you had better fully understand why you need to do that, as you likely invalidate a large majority of the rules in the standard Snort and Emerging Threats collections when changing those two variables. Those rules depend on EXTERNAL_NET and HOME_NET being properly defined.

Why do you think you need to change the EXTERNAL_NET definition?

Le_Bleu
last edited by Mar 17, 2020, 9:42 PM

I will try to explain my thought with an HTTP example:
WAN (443 TLS request) -> DMZ (80 request) -> LAN1 (servers)
I set up a DMZ with servers exposed to the Internet (I'm hosting services, like a web server). On this interface the rules apply well because the request comes from the Internet (External net). Then the request is forwarded to LAN1 on port 80, so Suricata can inspect the request even if it was HTTPS on the DMZ interface side. The problem is that currently the DMZ is considered as Home net, so the Suricata rules on the LAN1 interface are not applied correctly.
I would like to consider the DMZ as External net on the LAN1 interface's Suricata.

Since my first message, I changed the configuration of Home net and External net. I created a "passlist" with the WAN IP and an alias with my LAN1 network. I applied this passlist to Home net on the Suricata interface and set External net to the default.
Now it seems better to me: Home net contains only LAN1 addresses and not the other LAN addresses, and External net excludes only LAN1 addresses.

bmeeks
last edited by Mar 18, 2020, 1:01 AM

In that case you will need to use customized Pass Lists as you stated. I will look into adding the HOME_NET and EXTERNAL_NET variables to the list on the VARIABLES tab so they can more easily be customized by the user without resorting to customized Pass Lists.

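As an added illustration (not code from this thread, from the pfSense Suricata package or from Suricata itself), the following Python script models how a Suricata rule header such as `$EXTERNAL_NET any -> $HOME_NET 80` resolves against a flow when, as the pfSense package does by default, EXTERNAL_NET is defined as `!$HOME_NET`. It plays through the scenario above: the Internet -> DMZ hop is seen by the Suricata instance on the DMZ interface with the default HOME_NET, and the proxied DMZ -> LAN1 hop is seen by the instance on the LAN1 interface, first with the default HOME_NET and then with the LAN1-only pass list. All addresses (`WAN_IP`, `LAN1`, `LAN2`, `DMZ`), the flows, and the helper names (`in_group`, `header_matches`, `evaluate`) are constructed placeholders; the package's real default HOME_NET contains more entries than the four networks modelled here.

```python
import ipaddress

# Constructed sample addressing (placeholders, not from the thread).
WAN_IP = "203.0.113.10/32"
LAN1 = "10.1.0.0/24"    # servers
LAN2 = "10.2.0.0/24"    # laptops
DMZ = "10.3.0.0/24"     # internet-facing web servers

# Default behaviour of the pfSense Suricata package (simplified): every local
# network lands in HOME_NET, and EXTERNAL_NET is !$HOME_NET.
DEFAULT_HOME_NET = [WAN_IP, LAN1, LAN2, DMZ]
# The custom pass list described in the thread: only the WAN IP and LAN1.
LAN1_ONLY_HOME_NET = [WAN_IP, LAN1]


def in_group(ip, group, home_net):
    """Resolve a rule address group against one IP address.

    Only the three groups the thread talks about are modelled:
    any, $HOME_NET, and $EXTERNAL_NET (taken as !$HOME_NET).
    """
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(n) for n in home_net]
    at_home = any(addr in n for n in nets)
    if group == "any":
        return True
    if group == "$HOME_NET":
        return at_home
    if group == "$EXTERNAL_NET":
        return not at_home
    raise ValueError(f"unsupported address group: {group}")


def port_matches(port, spec):
    """Port spec is 'any', a single port, or a bracketed list like [80,443]."""
    if spec == "any":
        return True
    return port in {int(p) for p in spec.strip("[]").split(",")}


def header_matches(header, src_ip, src_port, dst_ip, dst_port, home_net):
    """Evaluate a rule header such as 'tcp $EXTERNAL_NET any -> $HOME_NET 80'
    against one unidirectional flow. The protocol token is not checked."""
    _proto, src_grp, src_prt, arrow, dst_grp, dst_prt = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional '->' headers are modelled")
    return (in_group(src_ip, src_grp, home_net)
            and port_matches(src_port, src_prt)
            and in_group(dst_ip, dst_grp, home_net)
            and port_matches(dst_port, dst_prt))


# The header shapes most web-server attack rules and most outbound
# (client-side / command-and-control style) rules use.
INBOUND_WEB = "tcp $EXTERNAL_NET any -> $HOME_NET [80,443]"
OUTBOUND_ANY = "tcp $HOME_NET any -> $EXTERNAL_NET any"

# Constructed flows: Internet -> DMZ, the proxied DMZ -> LAN1 hop, and an
# unrelated LAN1 -> LAN2 connection.
INTERNET_TO_DMZ = ("198.51.100.7", 51000, "10.3.0.10", 443)
DMZ_TO_LAN1 = ("10.3.0.10", 40000, "10.1.0.20", 80)
LAN1_TO_LAN2 = ("10.1.0.20", 50000, "10.2.0.5", 445)


def evaluate(lan1_home_net):
    """Which flows the two rule headers cover, per Suricata instance.

    The DMZ-interface instance always keeps the default HOME_NET; only the
    LAN1-interface instance is given the pass list under test.
    """
    return {
        "dmz_iface_inbound": header_matches(INBOUND_WEB, *INTERNET_TO_DMZ, DEFAULT_HOME_NET),
        "lan1_iface_inbound": header_matches(INBOUND_WEB, *DMZ_TO_LAN1, lan1_home_net),
        "lan1_iface_outbound": header_matches(OUTBOUND_ANY, *LAN1_TO_LAN2, lan1_home_net),
    }


if __name__ == "__main__":
    print("LAN1 instance with default HOME_NET:  ", evaluate(DEFAULT_HOME_NET))
    print("LAN1 instance with LAN1-only HOME_NET:", evaluate(LAN1_ONLY_HOME_NET))
```

With the default HOME_NET, the DMZ -> LAN1 hop is home-to-home traffic and the inbound web rule never evaluates it; with the LAN1-only pass list the same hop matches, which is the effect the thread is after. The third result shows the cost bmeeks refers to: once LAN2 is outside HOME_NET, ordinary LAN1 -> LAN2 traffic satisfies `$HOME_NET -> $EXTERNAL_NET` headers too, so outbound-oriented rules on the LAN1 instance will start firing on inter-LAN traffic and should be reviewed for false positives after the change.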
Le_Bleu
last edited by Mar 25, 2020, 9:38 PM

Hi,
I am posting this information in this thread because we are talking about pass list improvements.
When I check "VPN Addresses" to create a custom HOME_NET list, the IPv4 network is OK but the IPv6 network of my OpenVPN is not added.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.