suricata on wan interface question
-
Hey all,
Up until recently I've had Suricata scanning the LAN interface because I never had any services that required me to open any WAN ports (so why bother generating all the useless noise?).
I've got a Plex server installed on my NAS and set up the Plex client on the TVs/Rokus at my gf's, brother's, parents' and family's homes so they can watch from within their homes.
I enabled the UPnP service in pfSense and all works perfectly.
I download ONLY: I get the media via NZBGet, render it, and send it to my NAS, all from within my humble network at home. Here's my question:
Since I'm not uploading anything to my NAS remotely, and the media stream is outbound ONLY, should I have Suricata scanning the WAN interface as well? It seems to me that since the data stream is outbound only I wouldn't have to, but I'm not sure, so that's why I ask you experts! Thanks!!
-
@jc1976 Scanning on LAN will also scan outbound traffic. Best practice is to run it on LAN. (and other internal interfaces, if you have more, except VLANs because the Suricata parent interface will see all VLAN traffic).
-
@steveits OK, thanks!!
In what situation would I enable Suricata on the WAN interface? I guess if I was running a server where I (or anyone) could upload files to, right?
-
@jc1976 There was a thread in recent weeks. IIRC one scenario was when the router had lots of internal interfaces, so running once on WAN was better than running 10-20 instances.
It runs outside the firewall, so on WAN it will end up scanning packets that will be dropped by the firewall. Also it cannot identify the LAN IP, since it can only see the NATted WAN IP.
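An added example (not from this thread or from the Suricata/pfSense projects) that illustrates the two caveats above: a WAN-side sensor only ever sees the NATted WAN address, so an alert has to be joined against the firewall's NAT state table to recover the LAN host, and an alert with no matching state is usually a packet the firewall dropped anyway. The eve.json alert lines and the NAT state entries are constructed; the simplified state-table format and all addresses are assumptions for the demonstration.

```python
import json

# Constructed Suricata eve.json alert records as a WAN-side sensor would log them:
# the router's NATted WAN address (203.0.113.10) appears instead of any LAN host.
WAN_ALERTS = [
    '{"timestamp":"2024-01-01T10:00:00Z","event_type":"alert","src_ip":"198.51.100.7","src_port":51234,'
    '"dest_ip":"203.0.113.10","dest_port":32400,"proto":"TCP","alert":{"signature":"CONSTRUCTED inbound probe"}}',
    '{"timestamp":"2024-01-01T10:00:05Z","event_type":"alert","src_ip":"203.0.113.10","src_port":54321,'
    '"dest_ip":"192.0.2.9","dest_port":443,"proto":"TCP","alert":{"signature":"CONSTRUCTED outbound callback"}}',
    '{"timestamp":"2024-01-01T10:00:09Z","event_type":"alert","src_ip":"198.51.100.8","src_port":40000,'
    '"dest_ip":"203.0.113.10","dest_port":22,"proto":"TCP","alert":{"signature":"CONSTRUCTED ssh scan"}}',
]

# Constructed NAT state table in an assumed simplified format:
# (proto, LAN host:port, WAN host:port, remote host:port). In a real deployment
# this would be pulled from the firewall's state table at alert time.
NAT_STATES = [
    ("TCP", "192.168.1.50:32400", "203.0.113.10:32400", "198.51.100.7:51234"),
    ("TCP", "192.168.1.20:54321", "203.0.113.10:54321", "192.0.2.9:443"),
]


def build_index(states):
    """Key each state by the (proto, WAN endpoint, remote endpoint) tuple a WAN sensor sees."""
    return {(proto, wan, remote): lan for proto, lan, wan, remote in states}


def resolve_lan_host(alert_json, index):
    """Return the LAN IP behind a WAN-side alert, or None when no NAT state matches."""
    a = json.loads(alert_json)
    src = f'{a["src_ip"]}:{a["src_port"]}'
    dst = f'{a["dest_ip"]}:{a["dest_port"]}'
    # Inbound flow: the WAN endpoint is the destination; outbound flow: it is the source.
    for wan, remote in ((dst, src), (src, dst)):
        lan = index.get((a["proto"], wan, remote))
        if lan:
            return lan.split(":")[0]
    # No state: nothing inside the LAN took part, so the firewall most likely dropped it.
    return None


def correlate(alerts, states):
    """Map each alert signature to the LAN host it concerns (None = dropped at the firewall)."""
    index = build_index(states)
    return {json.loads(a)["alert"]["signature"]: resolve_lan_host(a, index) for a in alerts}


if __name__ == "__main__":
    for sig, host in correlate(WAN_ALERTS, NAT_STATES).items():
        print(f"{sig}: {host or 'no NAT state (likely dropped by firewall)'}")
```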