Understanding Suricata Listen / Net (Home / External)
-
Hi,
I would like to understand the difference between the Passlist and the Home Net / External Net.
Or the settings of the pass list itself.
In the following topic I was able to read that the Home Net is the opposite of the External Net, so to speak, if you set the settings correctly:
@bmeeks said in Suricata Home/External Net - HOW do you make the External list???:
You are correct, the new modifications for adding multiple IP addresses or networks to a Pass List do not support negation (a leading "!" character) because the code uses built-in IP address validators that do not expect nor support negation.
I will have to consider how best to handle that in the future.
For now this workaround should help. The general idea with $EXTERNAL_NET is that it should be the negative of $HOME_NET. So the default configuration does exactly that. It takes every address from $HOME_NET and puts an exclamation point ("!") in front of the address to indicate negation and assigns those to $EXTERNAL_NET. So in that vein, you can customize $HOME_NET to contain your list of protected addresses, and then leave $EXTERNAL_NET set to "default" and it will automatically become the negative of $HOME_NET.
It would be rare to have an $EXTERNAL_NET that is not simply a negation of $HOME_NET. All of the commercially available rules are sort of depending on that setup in order to fire correctly.
So I created a pass list, just checked Local Networks and defined it as Home Net.
External Net and the IP Pass List are still standard. Furthermore, it is clear that the IP Pass List never blocks an IP contained in it.
However, I still don't understand the whole thing.
What is the difference between Home and Passlist? I can see that a xxx.xxx.xxx.1 is blocked.
So there are scenarios in which it is blocked. Where can I find out more about this? The link to the docs no longer works.
Furthermore, the selectable check fields. These all refer to local services, as far as I can see, right?
-
@deleted Home is “my addresses” while the pass list might contain external IPs which you want to always pass (not block).
-
@deleted said in Understanding Suricata Listen / Net (Home / External):
What is the difference between Home and Passlist?
HOME_NET is a variable that should contain only the internal networks being protected by the IDS/IPS. EXTERNAL_NET is a variable that generally contains all networks not part of HOME_NET. The EXTERNAL_NET variable is often initialized as "!$HOME_NET" which quite literally means "not HOME_NET".
A Passlist is a collection of IP addresses (and can include subnets) that should never be blocked by the IPS. Passlists are a custom feature of Suricata available only on pfSense. The Suricata package on pfSense is a customized version of what exists upstream. Legacy Mode Blocking is a custom pfSense-only feature not available in the Suricata distro from upstream. Passlists are only applicable when using the Legacy Blocking Mode of Suricata.
It seems from your questions that you lack a clear understanding of what the HOME_NET and EXTERNAL_NET variables mean to Suricata and how important their correct initialization is to proper IDS/IPS operation. On pfSense, you should generally NEVER change the HOME_NET or EXTERNAL_NET variables from their default values. The defaults are designed to make the IDS/IPS work properly. If you have incorrect values in either HOME_NET or EXTERNAL_NET, you can render the IDS/IPS completely impotent by causing the rules which utilize HOME_NET or EXTERNAL_NET to not trigger.
Here are a few links that describe the HOME_NET and EXTERNAL_NET variables:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
https://forum.suricata.io/t/home-net-and-multiple-interfaces-plus-deployment-best-practices/374
https://coralogix.com/blog/writing-effective-suricata-rules-for-the-sta/
-
Hi @bmeeks,
Thanks for all the info and links.
That helps me a lot.
One more question about the Passlist;
If I create one and set all the hooks, then I can build on it and neither put Suricata out of action nor lock myself out, right?
-
@deleted said in Understanding Suricata Listen / Net (Home / External):
If I create one and set all the hooks, then I can build on it and neither put Suricata out of action nor lock myself out, right?
Yes, you can add IP addresses and/or networks (subnets) to a Passlist. Just be sure when creating one to leave the checkboxes "checked" for the normal defaults, which include any configured DNS servers, the default gateway, the WAN IP, and the entire subnet for any locally-connected interfaces (meaning things like your LAN and any other locally defined interfaces on the firewall excluding the WAN; the WAN is handled differently as only the specific public IP is in the passlist and not the entire WAN netblock).
Any time you make a change to an assigned Passlist you will need to restart Suricata on the interface after saving the change. The Passlist file is read only once during startup of Suricata and the contents of the list held in RAM after that (until the next restart).
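An added example (my own Python model, not code from this thread or from the pfSense Suricata package) of the two points made in the replies above: how HOME_NET and EXTERNAL_NET resolve with "!" negation, why widening HOME_NET to "any" stops an inbound "$EXTERNAL_NET -> $HOME_NET" rule from ever firing, and how a Passlist exempts an address from Legacy Mode blocking. The group parser, the rule_fires and legacy_block_targets helpers and all address values are assumptions constructed for illustration, not Suricata's real implementation.

```python
import ipaddress

def compile_group(spec, variables):
    """Predicate ip -> bool for a Suricata-style address group: 'any', CIDR or
    host entries, '$VAR' references and '!' negation. The group matches when
    the address is inside some positive entry (or there are none) and inside
    no negated entry. Nested bracket groups are not parsed (toy assumption)."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    positives, negatives = [], []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        negate = item.startswith("!")
        item = item.lstrip("!").strip()
        if item.startswith("$"):                      # e.g. !$HOME_NET
            pred = compile_group(variables[item[1:]], variables)
        elif item == "any":
            pred = lambda ip: True
        else:
            net = ipaddress.ip_network(item, strict=False)
            pred = lambda ip, net=net: ip in net
        (negatives if negate else positives).append(pred)
    def matches(ip):
        ip = ipaddress.ip_address(ip)
        hit = not positives or any(p(ip) for p in positives)
        return hit and not any(n(ip) for n in negatives)
    return matches

def rule_fires(src, dst, rule_src, rule_dst, variables):
    """Address part of a header like 'alert ip $EXTERNAL_NET any -> $HOME_NET any'."""
    return (compile_group(rule_src, variables)(src)
            and compile_group(rule_dst, variables)(dst))

# Constructed settings, not copied from any real firewall.
GOOD = {"HOME_NET": "[192.168.1.0/24, 10.0.0.0/8]", "EXTERNAL_NET": "!$HOME_NET"}
# The mistake the reply warns about: widening HOME_NET to "any" leaves
# EXTERNAL_NET (= !any) matching nothing, so inbound rules never fire.
BAD = {"HOME_NET": "any", "EXTERNAL_NET": "!$HOME_NET"}

def inbound_rule_fires(variables, src="203.0.113.5", dst="192.168.1.20"):
    return rule_fires(src, dst, "$EXTERNAL_NET", "$HOME_NET", variables)

# Hypothetical passlist in the same group syntax: Legacy Mode Blocking would
# block each alert address unless the passlist covers it.
PASSLIST = compile_group("[192.168.1.0/24, 203.0.113.1]", {})

def legacy_block_targets(src, dst, passlist=PASSLIST):
    return [ip for ip in (src, dst) if not passlist(ip)]
```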
-
I was looking for this info @bmeeks,
Now I am sure that it is only an internal connection and that not everything is disabled.
Thank you very much! Have a nice day and thanks for your work.