Block all in on WAN and Suricata

    If I have a "block all in" on WAN rule, would having Suricata installed and running on my WAN interface have any added security benefits?

  • It depends. Suricata would still be able to help police traffic going over established states. However, it is better to run an IDS/IPS such as Suricata or Snort on the firewall's internal interfaces (such as the LAN) rather than the WAN. This is especially true when NAT is being used. If you run the IDS/IPS on the WAN, all of your local addresses such as those on your LAN will show up in the alerts as having the firewall's public WAN IP address. That's not very helpful when trying to figure out which internal host is compromised or is the target of an external attack. Running the IDS/IPS on the LAN means the displayed addresses in alerts are the actual native local IP addresses (pre-NAT).
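To make the answer's point concrete, here is an added example (not code from the forum post or from the Suricata or pfSense projects) that shows what a defender has to do with alerts raised on each interface. It parses constructed Suricata eve.json alert lines and tries to attribute each one to an internal host: alerts from a LAN-side Suricata carry the pre-NAT address directly, while alerts from a WAN-side Suricata only show the firewall's public address and can be attributed only by joining the translated port against a snapshot of the NAT state table. The WAN address, LAN subnet, state-table rows and eve.json lines are all constructed sample values.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed example values (documentation address ranges, not real hosts).
WAN_IP = "203.0.113.10"                 # the firewall's public WAN address
LAN_NET = ip_network("192.168.1.0/24")  # the internal network behind NAT

# Constructed snapshot of the firewall's NAT state table:
# (internal_ip, internal_port, translated_wan_port, remote_ip, remote_port).
# Two internal hosts happen to use the same source port, which is why the
# translated port (not the internal port) is the only unambiguous key.
NAT_STATES = [
    ("192.168.1.20", 51234, 61001, "198.51.100.7", 443),
    ("192.168.1.31", 51234, 61002, "198.51.100.7", 443),
]

# Constructed eve.json lines as a WAN-side Suricata would write them:
# every local endpoint appears as the WAN IP plus a translated port.
WAN_EVE = [
    '{"event_type":"alert","src_ip":"203.0.113.10","src_port":61002,'
    '"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP",'
    '"alert":{"signature":"CONSTRUCTED outbound example"}}',
    '{"event_type":"flow","src_ip":"203.0.113.10","src_port":61001,'
    '"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP"}',
    '{"event_type":"alert","src_ip":"198.51.100.7","src_port":443,'
    '"dest_ip":"203.0.113.10","dest_port":61001,"proto":"TCP",'
    '"alert":{"signature":"CONSTRUCTED inbound reply example"}}',
]

# The same outbound event as a LAN-side Suricata would see it (pre-NAT).
LAN_EVE = [
    '{"event_type":"alert","src_ip":"192.168.1.31","src_port":51234,'
    '"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP",'
    '"alert":{"signature":"CONSTRUCTED outbound example"}}',
]


def parse_alerts(lines):
    """Yield only event_type == "alert" records from eve.json lines."""
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            yield rec


def lan_side_host(rec):
    """On the LAN interface the internal host is simply whichever address is local."""
    for addr in (rec["src_ip"], rec["dest_ip"]):
        if ip_address(addr) in LAN_NET:
            return addr
    return None


def wan_side_host(rec, states):
    """On the WAN interface the local address has been replaced by WAN_IP.

    Recover the internal host by matching the translated port and the remote
    endpoint against the NAT state table.  Without that table the alert can
    only be attributed to the firewall itself (returns None).
    """
    if rec["src_ip"] == WAN_IP:           # outbound half of the connection
        key = (rec["src_port"], rec["dest_ip"], rec["dest_port"])
    elif rec["dest_ip"] == WAN_IP:        # inbound reply / inbound attack
        key = (rec["dest_port"], rec["src_ip"], rec["src_port"])
    else:
        return None
    for internal_ip, _internal_port, tport, remote_ip, remote_port in states:
        if key == (tport, remote_ip, remote_port):
            return internal_ip
    return None


def attribute_alerts(lines, states=()):
    """Return [(signature, internal_host_or_None)] for every alert in lines."""
    out = []
    for rec in parse_alerts(lines):
        host = lan_side_host(rec) or wan_side_host(rec, states)
        out.append((rec["alert"]["signature"], host))
    return out


if __name__ == "__main__":
    print("LAN-side alerts:", attribute_alerts(LAN_EVE))
    print("WAN-side alerts, state table available:", attribute_alerts(WAN_EVE, NAT_STATES))
    print("WAN-side alerts, no state table:", attribute_alerts(WAN_EVE))
```

The LAN-side alert names the internal host with no extra data. The WAN-side alerts attribute correctly only while a matching state-table snapshot exists; once the state has expired (or was never captured), `attribute_alerts(WAN_EVE)` returns `None` for every host, which is exactly the "everything looks like the firewall's public IP" problem the answer describes.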

