Suricata Inline IPv4 rules not triggering



  • Hi,

    I have been running Suricata in Inline mode on my XG-1541 for quite some time now. I upgraded to the pfSense 2.4 Beta recently and have noticed that all my rules and Suricata's rules based around IPv4 aren't working! For some reason it seems to allow all IPv4 traffic through and no alerts are generated. IPv6 is still working fine though.

    Here is an example.
    After adding the following rule to custom.rules:

    drop ip [108.74.97.21, 82.132.247.191] any <> $HOME_NET any (msg:"Suspicious Botnet Blocked";)

    Expected behaviour:
    Trigger an alert and block the packets from the listed IPs, regardless of Inline or Legacy mode.

    Actual behaviour:
    Blocks traffic and adds a message to Alerts in Legacy mode. In Inline mode nothing happens and traffic is allowed through; no alerts are generated.

    Other observations:
    On further inspection it would seem that since the pfSense 2.4.0 update no IPv4 rules are being alerted on in Inline mode at all. Note that the addresses tested are IPv4, and this lack of IPv4 alert triggering may be part or all of the issue. The IPv4 addresses in the above rule are not part of $HOME_NET; they are completely separate public-facing IPv4 addresses.

    Any ideas on how to correct this issue with Inline mode?

    James
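
To make the expected behaviour of that rule header concrete, here is an added example (not code from the forum post, pfSense or Suricata): a small Python model of how Suricata evaluates the header of a rule of this shape. It parses the action, protocol, address groups (including a bracketed list and the $HOME_NET variable) and the bidirectional `<>` operator, then reports which verdict a packet between two given addresses would receive. The $HOME_NET value and the addresses in the sample rule are constructed (RFC 5737 documentation ranges), ports and `!` negation are not modelled, and matching is on the header only, so it shows what the poster expected to see in both Legacy and Inline mode, not why Inline mode differs.

```python
import ipaddress
import re

# Constructed values (not from the post): a pfSense-style LAN as $HOME_NET and
# a rule with the same structure as the poster's custom.rules entry.
HOME_NET = ["192.168.1.0/24"]
RULE = ('drop ip [198.51.100.21, 203.0.113.191] any <> $HOME_NET any '
        '(msg:"Suspicious Botnet Blocked";)')

# Rule header: action proto src sport dir dst dport (options)
# Address fields may be a bracketed list containing spaces, so match those first.
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\[[^\]]*\]|\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+'
    r'(?P<dst>\[[^\]]*\]|\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)


def parse_address_group(text, variables):
    """Expand an address field into a list of ip_network objects.

    Handles 'any' (returned as None, meaning every address), a $VARIABLE
    looked up in `variables`, a single address or CIDR, or a [a, b, ...] list.
    Negation with '!' is deliberately not modelled here.
    """
    text = text.strip()
    if text == "any":
        return None
    if text.startswith("$"):
        expanded = "[" + ",".join(variables[text[1:]]) + "]"
        return parse_address_group(expanded, variables)
    if text.startswith("[") and text.endswith("]"):
        nets = []
        for item in text[1:-1].split(","):
            sub = parse_address_group(item, variables)
            if sub is None:          # 'any' inside a list swallows the list
                return None
            nets.extend(sub)
        return nets
    return [ipaddress.ip_network(text, strict=False)]


def parse_rule(rule_text, variables):
    """Parse the header of a Suricata-style rule into a dict."""
    m = HEADER_RE.match(rule_text)
    if not m:
        raise ValueError("unparseable rule header: %r" % rule_text)
    msg = re.search(r'msg:"([^"]*)"', m.group("opts"))
    return {
        "action": m.group("action"),
        "proto": m.group("proto"),
        "src": parse_address_group(m.group("src"), variables),
        "dst": parse_address_group(m.group("dst"), variables),
        "bidirectional": m.group("dir") == "<>",
        "msg": msg.group(1) if msg else "",
    }


def _in_group(addr, group):
    """True if addr is covered by the address group (None matches anything)."""
    if group is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in group)


def evaluate(rule, src_ip, dst_ip):
    """Return the rule's action if a packet src_ip -> dst_ip matches the header.

    With '<>' the rule also matches packets flowing the other way, which is why
    the poster expects both inbound and outbound traffic to the listed hosts
    to be dropped. Returns None when the header does not match.
    """
    if _in_group(src_ip, rule["src"]) and _in_group(dst_ip, rule["dst"]):
        return rule["action"]
    if rule["bidirectional"] and \
            _in_group(dst_ip, rule["src"]) and _in_group(src_ip, rule["dst"]):
        return rule["action"]
    return None


if __name__ == "__main__":
    rule = parse_rule(RULE, {"HOME_NET": HOME_NET})
    for src, dst in [("198.51.100.21", "192.168.1.10"),   # inbound from listed host
                     ("192.168.1.10", "203.0.113.191"),   # outbound to listed host
                     ("192.0.2.9", "192.168.1.10")]:      # unrelated host
        print(src, "->", dst, ":", evaluate(rule, src, dst) or "no match")
```

Running the block prints `drop` for traffic in either direction between a listed address and $HOME_NET and `no match` for the unrelated host; in the poster's setup that verdict is what Legacy mode produced and what Inline mode on the 2.4 Beta stopped producing for IPv4.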


  • Banned

    Please, don't multipost. https://forum.pfsense.org/index.php?topic=125239.0

    In general, I'd avoid the badly broken netmap thing altogether.