Hello Zenarmor team,
I would like to know where to add your product into a packet flow diagram (non official, community), that shows OPNsense packet handling:
https://forum.opnsense.org/index.php?topic=36326.0
Thank you :)
Hi @Monviech,
That's a very helpful initiative, thanks.
Zenarmor (or Suricata in IPS mode) will be just between Ingress Interface and Scrub; and for the Egress path, it'll be between Traffic Shaping and Egress Interface.
Hope this information is helpful.
Hello @mb,
Thank you for your reply. Just to make sure I have understood you correctly, here's the updated diagram. Does this look right?
Quote
Ingress Traffic:
1. Ingress Interface
|
2. Next Generation Firewall (Ingress)
|----> 2.1 Suricata (IPS mode) (depends on selected Interfaces)
|      |----> If Block Rule Matches, Drop Packet
|      |----> Else, Continue
|----> 2.2 Zenarmor (depends on selected Interfaces)
|      |----> If Block Rule Matches, Drop Packet
|      |----> Else, Continue
|
3. Scrub (normalize, reassemble fragments, etc.)
|
4. 1:1 NAT (Bi-directional NAT)
|----> 4.1 Match Rules (Static NAT - BINAT - 1:1 NAT)
|
5. Destination NAT (Port Forward or Redirection)
|----> 5.1 Match Rules (DNAT - Port Forward)
|
6. Source NAT (Outbound NAT)
|----> 6.1 Match Rules (SNAT - Outbound)
|
7. Is Packet First in Flow?
|----> Yes:
|      |----> 7.1 Filter Rules
|      |      |----> 7.1.1 Block/Pass (Quick) in order of rules until first match, then terminates further evaluation
|      |      |----> 7.1.2 Block/Pass (without Quick) until best match, if no prior quick rule matched
|      |----> 7.2 Create State Entry (if rule has state tracking)
|----> No:
|      |----> 7.3 Use Existing State Entry
|
8. Routing Decision (determine egress interface)
|
9. Traffic Shaping
|
10. Next Generation Firewall (Egress)
|----> 10.1 Suricata (IPS mode) (depends on selected Interfaces)
|      |----> If Block Rule Matches, Drop Packet
|      |----> Else, Continue
|----> 10.2 Zenarmor (depends on selected Interfaces)
|      |----> If Block Rule Matches, Drop Packet
|      |----> Else, Continue
|
11. Egress Interface
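To make step 7 of the diagram concrete, here is a small added Python model of the filter stage; it is not OPNsense or pf code, and the ruleset and packets are constructed. It follows pf's evaluation order: a quick rule ends evaluation on its first match, non-quick rules are walked to the end and the last matching one decides, a passing stateful match creates a state entry that later packets of the same flow reuse without consulting the rules, and a packet no rule matches gets the default verdict (modelled here as block, since OPNsense ends its ruleset with a default deny).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: str = "any"
    dport: Optional[int] = None      # None matches any destination port
    quick: bool = False              # first match ends evaluation
    keep_state: bool = True          # a passing match creates a state entry

    def matches(self, pkt):
        return (self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"]))

@dataclass
class Filter:
    rules: list
    default: str = "block"           # verdict when no rule matches
    states: set = field(default_factory=set)

    @staticmethod
    def flow_key(pkt):
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def decide(self, pkt):
        """Return (verdict, reason) for one packet and update the state table."""
        key = self.flow_key(pkt)
        if key in self.states:                       # 7.3: existing state wins
            return "pass", "state"
        winner = None
        for idx, rule in enumerate(self.rules):      # 7.1: walk rules in order
            if rule.matches(pkt):
                winner = (idx, rule)
                if rule.quick:                       # 7.1.1: quick stops here
                    break                            # 7.1.2: else last match wins
        if winner is None:
            return self.default, "default"
        idx, rule = winner
        if rule.action == "pass" and rule.keep_state:
            self.states.add(key)                     # 7.2: create state entry
        return rule.action, f"rule {idx}"

RULES = [  # constructed ruleset, not a real OPNsense configuration
    Rule("block", "tcp", 23, quick=True),
    Rule("pass", "tcp", 22),
    Rule("block", "tcp", 22),        # later non-quick rule overrides rule 1
    Rule("pass", "udp", 53, quick=True),
]

def pkt(proto, dport, sport=40000):  # constructed packet, fixed sample addresses
    return {"proto": proto, "src": "10.0.0.5", "sport": sport,
            "dst": "192.0.2.10", "dport": dport}
```

Running `Filter(RULES).decide(pkt("tcp", 22))` returns a block from rule 2 even though rule 1 passes the same traffic, which is the ordering pitfall that "quick" exists to avoid.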