Hello,
I have a question about GEOIP and floating rules.
I've installed GEOIP using MaxMind and the OPNsense how-to.
I blocked all of the world except Europe.
I don't understand why in Suricata I have plenty of log entries from IPs "normally" blocked on WAN.
So I'm thinking of a misconfiguration in my rules, or some other problem.
I've attached my floating rules, if you can take a look and say whether you detect an error.
I have 10 interfaces (WAN + LAN + VPN + VLANs).
Thanks in advance!
Aurélien
If you run Suricata on WAN it will be applied before any firewall rules.
Indeed, with this information it's clearer.
So, another question:
What is the best security process?
Run Suricata on WAN (as I do currently), or be confident in the DROP rules on the WAN side?
There is no "best" process. I personally don't believe in IDS and do not use any of them. I run CrowdSec, though.