Suricata drop all outgoing traffic

padpn

Hello!

After enabling suricata in Inline mode it drop all outgoing traffic on interface.

I'm runnung pfSense 2.3.3-RELEASE-p1 and suricata 3.1.2_2
My ethernet adapter is intel i340

Digital_ADHD

@padpn:

Hello!

After enabling suricata in Inline mode it drop all outgoing traffic on interface.

I'm runnung pfSense 2.3.3-RELEASE-p1 and suricata 3.1.2_2
My ethernet adapter is intel i340

In your block list do you see LAN or WAN addresses?

You could go to https://routername_or_ipaddress/suricata/suricata_alerts.php and see which rule is getting triggered.

I am very new so when I set this up I a rule configured that was alerting on UDP 53 invalid ipv4 checksum, and was blocking all of the Root DNS servers, basically blocking and internet traffic that was doing a dns query first.

This fell under the 2200000-2200999 Suricata Decoder Events.

I set the following in my supression list.

#SURICATA UDPv4 invalid checksum
suppress gen_id 1, sig_id 2200075

Anyway the important thing to start with is see what is being triggered via the alert tab, or Firewall logs.

Maybe, lol, i hope this helps.

padpn

I know that predefined rules generate a lot of alerts, so I disabled them all and created just one custom rule to filter flood by ttl.

After that i tried to create "pass" rule for outgoing traffic, but there is no matter.

I think it is some kind of bug with suricata or netmap (((

I have plan to go back to Linux+iptables. It is very easy with iptables to filter traffic by content.

doktornotor

Ditch the inline mode, it's buggy like hell, plus does not exactly make much difference when it comes to security. Just way more PITA that it's worth ATM.

padpn

I just tested it on VPS(xenserver 6.5 sp1) and there is no such bug with outgoing traffic.
All my drop rules work grate.

I will try to reinstall Pfsense on my barelmetal server and try suricata again.

bmeeks

@padpn:

I just tested it on VPS(xenserver 6.5 sp1) and there is no such bug with outgoing traffic.
All my drop rules work grate.

I will try to reinstall Pfsense on my barelmetal server and try suricata again.

It has been stated many times here.  Inline mode for Suricata depends on Netmap.  Netmap in turn must be supported by the underlying NIC driver.  Only a very few NICs support Netmap at all, and even fewer of those support it perfectly (as in work without any issues).  The Dok is correct that inline mode is still suffering growing pains.  If you have one of the "perfectly supported" NICs and don't use traffic shapers and don't use VLANs, then inline IPS can work great.  There are issues with traffic shapers and VLANs at the moment, though.  I believe the pfSense core team has plans to address those in the near future.  So if you have issues with inline mode, just switch over to Legacy Mode until all the inline problems get sorted out.

Bill

JSONSec

I have the same issue.

I hope pfsense 2.4 and therefore the move to FreeBSD 11 will improve Netmap support considerably.

pfBasic

I'm using 2.4, it's great and very stable but no different than 2.3.x as far as this issue goes (in practice at least). Tried it with PRO/1000 & i340, no traffic shaper or VLAN. Still doesn't work yet. Just give it time.

As dok stated, security wise about the only difference is that legacy will allow a few packets before it blocks the IP and kills the state.