OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: sweetfoxxy on January 25, 2021, 01:42:50 pm

Title: Suricata and pf
Post by: sweetfoxxy on January 25, 2021, 01:42:50 pm
Hello

Please tell me: when an OPNsense firewall receives a packet on an interface, which engine processes it first?
Will it be Suricata or pf?
And how does the firewall process the packet if Suricata, Sensei and pf are all running?

Please share your knowledge!

BR
Title: Re: Suricata and pf
Post by: franco on January 25, 2021, 01:57:38 pm
IPS mode Suricata(netmap) will get to see the packet before pf and can discard it.


Cheers,
Franco
Title: Re: Suricata and pf
Post by: hushcoden on January 26, 2021, 03:20:19 pm
> IPS mode Suricata(netmap) will get to see the packet before pf and can discard it.
Sorry if it's a dumb question, but is that true regardless if Suricata is enabled on either LAN or WAN interface ?
Title: Re: Suricata and pf
Post by: franco on January 26, 2021, 03:32:15 pm
It's true that regardless of WAN or LAN the incoming packet will be seen by Suricata first. Outgoing packets will need to pass through the network stack and pf first to reach Netmap and finally find their way to Suricata.

This is done for required symmetry with the address translations and is not a security issue, so please don't ask that next. ;)


Cheers,
Franco
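As an added illustration (not OPNsense code and not part of the thread), here is a small Python model of the ordering Franco describes: inbound packets are handed to Suricata (IPS mode, netmap) before pf, outbound packets traverse pf before Suricata. The rule sets are constructed for the example and the engine names are assumptions; Sensei is left out because the thread does not establish where it sits. The practical consequence the model makes visible is that an inbound packet pf would block is still inspected (and can be dropped or alerted on) by Suricata, whereas an outbound packet blocked by pf never reaches Suricata at all.

```python
"""Toy model of the OPNsense inbound/outbound packet path (added illustration,
not OPNsense or Suricata code).  Rules below are constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arrives on an interface) or "out" (leaves the host)
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Verdict:
    passed: bool
    dropped_by: Optional[str]
    seen_by: List[str] = field(default_factory=list)  # engines that inspected the packet


# Constructed rule sets (hypothetical):
#   Suricata IPS 'drop' signatures keyed on (proto, dport), direction-agnostic.
#   pf 'block' rules keyed on (direction, proto, dport).
SURICATA_DROP = {("tcp", 23)}                      # e.g. drop telnet anywhere
PF_BLOCK = {("in", "tcp", 22), ("out", "tcp", 25)}  # block inbound ssh, outbound smtp


def suricata_ips(pkt: Packet) -> bool:
    """Return True if Suricata lets the packet through (no matching drop rule)."""
    return (pkt.proto, pkt.dport) not in SURICATA_DROP


def pf(pkt: Packet) -> bool:
    """Return True if pf passes the packet (no matching block rule)."""
    return (pkt.direction, pkt.proto, pkt.dport) not in PF_BLOCK


ENGINES = {"suricata": suricata_ips, "pf": pf}


def engine_order(direction: str) -> List[str]:
    """Order in which the engines see a packet, as described in the thread."""
    if direction == "in":
        # netmap hands the inbound frame to Suricata before pf ever sees it
        return ["suricata", "pf"]
    if direction == "out":
        # outbound traffic passes the stack and pf first, then netmap/Suricata
        return ["pf", "suricata"]
    raise ValueError(f"unknown direction {direction!r}")


def process(pkt: Packet) -> Verdict:
    """Run the packet through the engines in order; stop at the first drop."""
    verdict = Verdict(passed=True, dropped_by=None)
    for name in engine_order(pkt.direction):
        verdict.seen_by.append(name)
        if not ENGINES[name](pkt):
            verdict.passed = False
            verdict.dropped_by = name
            break
    return verdict


if __name__ == "__main__":
    for p in (Packet("in", "tcp", "203.0.113.5", "192.0.2.10", 22),
              Packet("out", "tcp", "192.0.2.10", "198.51.100.7", 25)):
        v = process(p)
        print(p.direction, p.dport, "dropped_by=", v.dropped_by, "seen_by=", v.seen_by)
```

Swap in your own rule sets to reason about a specific case; the point of the model is only the ordering, not the matching semantics of either engine.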
Title: Re: Suricata and pf
Post by: sweetfoxxy on January 31, 2021, 02:14:38 pm
Thank you for your answers

As far as I know, both Sensei and Suricata use netmap. So does Suricata or Sensei process the packet first?