How to skip/bypass fully ignore subnet.

itNGO

Hello,

maybe someone can explain how and where exactly create config to completely ignore a subnet from all Suricata Inspection.

Some docs state about "Advanced Configuration Pass-Through" to put
"not host 1.2.3.4/24" but I am missing the correct syntax.
Whatever I enter here, the interface does not start anymore.

Thank you

bmeeks

No, using the Advanced Pass-Through is incorrect advice. In order to use the syntax suggesed you would also have to create a custom BPF configuration as that is not part of the normal package setup on pfSense.

The most expedient way to do this is to go to the RULES tab for the interface and select Custom Rules in the rules category drop-down. Then enter a custom rule like this one and save it.

pass ip 1.2.3.0/24 any <> any any (msg:"pass all traffic from/to 1.2.3.0/24"; sid:2000000;)

This rule will let all traffic (all ports and protocols) originating from, or heading to, the 1.2.3.0/24 subnet pass uninspected. It is key to note here that this network will bypass ALL Suricata inspection and alerting.

Make sure you choose a SID that is not a duplicate of any other. In my example I choose 2 million (2000000), but whatever you choose, just make sure every rule SID (signature ID) is unique.

itNGO

Hello bmeeks,

thank you for the explanation.
I guess this will do the job.

But one question. This would mean the the "traffic" will pass through the IPS-Engine but allowed "always".

Is there a way to exclude the traffic at all for some subnet. Sophos UTM for example can do this. Its just to get the maximum throughput for a specific "subnet" which is already monitored by IPS elsewhere.

bmeeks

Not possible to have specific subnets bypass the IPS engine on pfSense due to the way the plumbing works. But when using IDS-only mode, or Legacy Blocking Mode, it really does not matter anyway as Suricata in those modes uses libpcap to obtain copies of packets as they traverse an interface. So the Suricata engine is not in the direct line of packet processing.

Another frequently misunderstood fact about Suricata (especially on pfSense platforms) is where the actual engine sits in the packet path. It sits directly behind the NIC and in front of the firewall engine. So Suricata will ALWAYS see packets before the firewall rules are applied. In Legacy Blocking Mode or IDS-only mode, Suricata sees packets about the same time as the firewall (due to the packet copying), but in either case (Inline IPS Mode, IDS-only mode, or Legacy Blocking Mode), Suricata sees traffic before any firewall rules in place on the interface are evaluated.

itNGO

@bmeeks Thank you..... Perfect working now....

bmeeks

@itNGO said in How to skip/bypass fully ignore subnet.:

@bmeeks Thank you..... Perfect working now....

One other point I should have mentioned. PASS rules are one of the very first things looked at, so when traffic matches a PASS rule the Suricata inspection pipleline is very quickly exited. PASS rules are checked for matches before any other rule, so traffic matching a PASS rule quickly exits the inspection engine, and thus there is minimal performance impact. It's not zero impact, but it is minimal.