Messages - scot

#1
General Discussion / Re: UDP Broadcast Relay
March 06, 2024, 04:57:13 AM
I got this working after several failed attempts over the years (mostly with IGMP proxy). But with UDP Broadcast Relay it was pretty simple.

For my config there is an assumption or two:

1. Devices on my "trusted" VLAN can speak to the IoT VLAN (but not the reverse by default) through the primary allow any/any rule. The only outbound block is to a guest VLAN.

https://imgur.com/DFy4cs1

2. Devices on the IoT VLAN have a rule right above this specifically restricting access by default to all other VLANs (with a few specific exceptions for things like DNS).

So, for the setup.

First, the UDP relay. I left the source addresses blank. There's no NAT here, which is really the main reason I could maybe see needing to spoof the source interface.

https://imgur.com/rguquhN

Then, when looking at the live view of the firewall on the IoT interface, I noticed the drops to the specific devices... like my iPhone.

Example: https://imgur.com/Rcpnyf4

So I whipped up a rule (or two) on that interface.

https://imgur.com/jeBAsBz

AirPlay works. The Roku app works as well. Private listening kinda always worked, but I had to manually connect to the Roku by typing the IP. Now it's discoverable, which is quite nice.
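A way to check the result described above from a device on the trusted VLAN, as an added example that is not part of the original post or of the UDP Broadcast Relay plugin. It assumes AirPlay receivers advertise over mDNS (multicast 224.0.0.251, UDP 5353, service name _airplay._tcp.local) and that the IoT interface rule lets the receiver's unicast reply reach the querying host. The service name, the packet layout helpers and the response builder used for the offline self-check are assumptions, and the sample answer packet is constructed, not captured.

```python
"""Offline-testable mDNS PTR discovery check (added example, not from the post)."""
import socket
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
AIRPLAY_SERVICE = "_airplay._tcp.local"   # assumed: AirPlay receivers advertise this PTR
PTR = 12
IN = 1


def encode_name(name):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def build_ptr_query(service, txid=0):
    # id, flags=0 (standard query), qdcount=1, an/ns/ar=0
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", PTR, IN)


def decode_name(data, offset):
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_ptr_answers(data):
    """Return (owner, target) for every PTR record in the answer/authority/additional sections."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    found = []
    for _ in range(an + ns + ar):
        owner, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == PTR:
            target, _ = decode_name(data, offset)
            found.append((owner, target))
        offset += rdlen
    return found


def build_ptr_response(service, instance, txid=0, ttl=4500):
    """Constructed answer packet for the offline self-check. The owner name and the
    tail of the PTR target are compression pointers to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR=1, AA=1
    question = encode_name(service) + struct.pack("!HH", PTR, IN)
    ptr_to_qname = struct.pack("!H", 0xC000 | 12)
    rdata = bytes([len(instance)]) + instance.encode("ascii") + ptr_to_qname
    answer = ptr_to_qname + struct.pack("!HHIH", PTR, IN, ttl, len(rdata)) + rdata
    return header + question + answer


def discover(service=AIRPLAY_SERVICE, timeout=2.0, bind_ip="0.0.0.0"):
    """Send one legacy-unicast mDNS query (source port != 5353, so responders reply
    by unicast, RFC 6762 s6.7) and collect {responder_ip: {instance names}}."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, 0))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    if bind_ip != "0.0.0.0":                           # pick the VLAN interface to query from
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(bind_ip))
    sock.settimeout(timeout)
    sock.sendto(build_ptr_query(service), (MDNS_GROUP, MDNS_PORT))
    found = {}
    try:
        while True:
            data, (src, _) = sock.recvfrom(9000)
            try:
                records = parse_ptr_answers(data)
            except (ValueError, IndexError, struct.error):
                continue                               # malformed or truncated packet: ignore
            for owner, target in records:
                if owner == service:
                    found.setdefault(src, set()).add(target)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for ip, names in discover().items():
        print(ip, sorted(names))
```

Run it from a trusted-VLAN host with the relay off and then on; an empty result followed by a populated one is the before/after check. Because the query leaves from an ephemeral port, the receiver answers by unicast to that host, which is exactly the reply traffic the IoT interface rule has to permit.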
#2
So if you run

grep scott /etc/group

what is the output?

Same for

grep testuser /etc/group

Also, is PasswordAuthentication set to yes or no in /usr/local/etc/ssh/sshd_config?
#3
Is the shell listed next to the user account name in /etc/passwd?
i.e.:

grep username /etc/passwd

username:*:uid:gid::/home/username:/bin/sh

And similar in /etc/group:

grep username /etc/group

groupname:*:gid:username1,username2

I just changed my user to use /bin/csh over /bin/sh. It still works. FWIW, I am on 21.1.4 (OpenSSL) as of today, 21.1.3_3 previously. Originally installed/upgraded from 20.7.
#4
By default, with no policy, they should just alert.

My setup is fairly simple.

Set up a single policy. ONLY set the following:

Enabled: Checked
Priority: 0
Rulesets: Select any rulesets you want to drop
Action: Alert, Drop
New Action: Drop
Description: whatever you want.

Rules section: don't touch. Just leave it all at defaults.

Save it/apply and it should reload Suricata.

Note: for me, the best configuration in Settings is also simple.

Enabled: Checked
IPS mode: Checked
Promiscuous mode: Checked (Note: I'm running VLANs)
Syslog options: unchecked... don't need 'em
Pattern Matcher: Your call, Aho and Hyperscan have worked about the same for me
Interfaces: LAN ONLY

(Note the help section: "Select interface(s) to use. When enabling IPS, only use physical interfaces here (no vlans etc).")

Tick Advanced Mode: Home Networks: Add in the VLAN CIDRs I want to monitor.

Defaults the rest of the way.

Selecting multiple interfaces was an issue for me with no benefit:

1. It spun up multiple threads inspecting the same traffic multiple times, since the interface is already promiscuous, so it increased load with no real help; if anything I saw multiple alerts.
2. Home net defines what you are alerting on. So even with VLANs I get the same hits with promiscuous turned on.

Finally, I see no point in monitoring WAN. I don't use Sensei, so promiscuous mode isn't a contention point, and why inspect traffic before it hits the firewall? I really only want to protect against stuff that gets through or is egressing.

This was a change from how I administered Snort, so I felt it was worth noting.
#5
That is normal. Should not affect anything.

Just make sure the account in question that you set up is correct.

To recap:

Create a user account. Create a group account (e.g. sshaccess).

Edit the user account to have a shell (personally I just use /bin/sh). Add the user to the group on the same page. Add the authorized key if you have one.

Go to System > Settings > Administration > Secure Shell.

Set the access to wheel,sshaccess.

If you aren't using key authentication (you should), check the box to allow password logins. Save.
#6
Did you set a login group in System > Settings > Administration > Secure Shell?

Create a group, add the user to the group, and allow that and wheel to log in.

Alternatively you can use the admins group, and just set Wheel,Admins.
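The checks asked for in posts #2, #3, #5 and #6 above (login shell in /etc/passwd, group membership in /etc/group, PasswordAuthentication and the allowed login groups in sshd_config), combined into one added example that is not code from the original posts or from OPNsense. It runs against constructed copies of the three files embedded below (not files from a real box) and assumes that the Secure Shell login-group setting ends up as an AllowGroups line in /usr/local/etc/ssh/sshd_config; the usernames, group names and the list of nologin shells are assumptions too.

```python
"""Added example: does this account satisfy what sshd on the firewall will check?"""

# Constructed samples in FreeBSD/OPNsense layout: scott is set up as the posts describe,
# testuser has a nologin shell and is in no login group.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
scott:*:1001:1001:Scott:/home/scott:/bin/sh
testuser:*:1002:1002:Test User:/home/testuser:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
wheel:*:0:root,scott
scott:*:1001:
sshaccess:*:2000:scott
testuser:*:1002:
"""
SAMPLE_SSHD_CONFIG = """\
# Assumed to mirror what the Secure Shell page writes for login group wheel,sshaccess
Port 22
PasswordAuthentication no
AllowGroups wheel sshaccess
"""

NOLOGIN_SHELLS = {"", "/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}   # assumed list


def passwd_entry(passwd_text, user):
    """Return (shell, primary_gid) for user, or None if there is no entry."""
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[0] == user:
            return f[6], f[3]
    return None


def user_groups(group_text, user, primary_gid=None):
    """Groups the user belongs to, including the primary group (which /etc/group
    does not list the user under by name, only by gid)."""
    groups = []
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) < 4:
            continue
        name, gid, members = f[0], f[2], f[3]
        if user in members.split(",") or gid == primary_gid:
            groups.append(name)
    return groups


def sshd_option(sshd_text, keyword):
    """Effective value of a keyword: sshd uses the first non-comment occurrence."""
    for line in sshd_text.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if parts and parts[0].lower() == keyword.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def ssh_login_check(user, passwd_text, group_text, sshd_text):
    """Return ok (no blockers), blockers (why login will fail) and
    password_auth (False means an authorized key is strictly required)."""
    blockers = []
    entry = passwd_entry(passwd_text, user)
    if entry is None:
        blockers.append("no /etc/passwd entry")
        groups = user_groups(group_text, user)
    else:
        shell, gid = entry
        if shell in NOLOGIN_SHELLS:
            blockers.append(f"shell {shell!r} does not allow login")
        groups = user_groups(group_text, user, gid)
    allow = sshd_option(sshd_text, "AllowGroups")
    if allow is not None and not set(allow.split()) & set(groups):
        blockers.append(f"not in AllowGroups {allow.split()}; member of {groups}")
    return {
        "ok": not blockers,
        "blockers": blockers,
        "password_auth": sshd_option(sshd_text, "PasswordAuthentication") == "yes",
    }


def check_live(user, sshd_path="/usr/local/etc/ssh/sshd_config"):
    """Same check against the running box (OPNsense keeps sshd_config under /usr/local/etc)."""
    with open("/etc/passwd") as p, open("/etc/group") as g, open(sshd_path) as s:
        return ssh_login_check(user, p.read(), g.read(), s.read())


if __name__ == "__main__":
    for u in ("scott", "testuser"):
        print(u, ssh_login_check(u, SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SSHD_CONFIG))
```

Run check_live("username") on the firewall before trying to log in; an empty blockers list with password_auth False is the state the posts recommend, and is only a problem if no authorized key was added to the account.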
#7
Can't speak to the Atom directly. But I have a Celeron J1900, which is... similar, if not slightly more performant.

http://cpuboss.com/cpus/Intel-Celeron-J1900-vs-Intel-Atom-C2558

My network can run gigabit non-routed without issue, aka the switches aren't an issue.

Pure routing, mine does ~500-550 Mbit/s on a standard iperf test (there are other streams routing while I run this test... maybe 15-30 Mbps), both with and without -d (dual).

Note: sorry for the external link, I don't know how to attach images inline here.

https://imgur.com/a/LxEVhhz

Throw Suricata in the mix and I'm closer to 130 inter-VLAN, as it inspects the traffic both ingress and egress.

https://imgur.com/a/XgS6ZIm

Though I can push my ISP tier (240 Mbps) across the WAN (where Suricata is only inspecting the traffic once).

Ultimately WAN is all I care about. Anything I want faster than 130 Mbps I'll stick on my main LAN.
#8
Quote:
The easiest I've found for basic policy layout is:
Download - Enable list you want
Policy - Policy 0 - Select lists you'd like to drop with. Action: Alert/Drop (both are selected), New Action - Drop
Policy - Policy 1 - No selected lists (all) - Action: Alert, New Action - Default
Back to download rules - select all of them - download and apply
Settings - Apply

I actually do it one step easier.

Download - Enable list you want
Policy - Policy 0 - Select lists you'd like to drop with. Action: Alert, New Action - Drop
Back to download rules - select all of them - download and apply (note: with Snort rules, I had to run this twice the first time... possibly a timeout on the initial fetch)
Settings - Apply

The defaults seem to be set to "alert", so you shouldn't need a policy set for this. I have noticed multiple policies can have a direct impact on performance (though I have been onboarding and tweaking settings a ton and it may have been some of the other settings; I need to test policy layers specifically).

And as I add new rulesets (assuming they haven't been previously selected in that policy), they will default to alert. When I'm ready to move them to drop I just edit the policy, select the rulesets/lists and hit apply.

You can generally verify in the Rules tab using filters:

action/alert and status/enabled

or

action/drop and status/enabled
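The single-policy layout described in posts #4 and #8 (one policy that turns the selected rulesets from alert to drop, everything else left at the alert default, verified with the action/status filters of the Rules tab), modelled as an added example. This is not code from OPNsense or Suricata; the rule lines are constructed with sids in the local range, not Emerging Threats rules, and the model assumes Suricata's file convention that a disabled rule is a commented-out line and that rules no policy touches keep their ruleset default of alert. It handles only one policy, as the posts use; priority ordering between several policies is not modelled.

```python
"""Added example: what a single OPNsense IDS policy does to a set of rules."""
import re
from dataclasses import dataclass

# A rule line: optional leading "# " (disabled), an action keyword, then the body up to
# the closing parenthesis; the sid is extracted for reporting.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+"
    r"(?P<body>\S+\s.*\(.*\bsid\s*:\s*(?P<sid>\d+)\s*;.*\))\s*$"
)


@dataclass
class Rule:
    ruleset: str
    sid: int
    action: str
    enabled: bool
    body: str


def parse_rules(ruleset, text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:                                   # plain comments and blank lines are skipped
            rules.append(Rule(ruleset, int(m["sid"]), m["action"], m["disabled"] is None, m["body"]))
    return rules


def apply_policy(rules, policy):
    """For rules in the policy's rulesets whose current action is in policy['action'],
    set policy['new_action']; all other rules keep the ruleset default (alert)."""
    out = []
    for r in rules:
        if r.ruleset in policy["rulesets"] and r.action in policy["action"]:
            r = Rule(r.ruleset, r.sid, policy["new_action"], r.enabled, r.body)
        out.append(r)
    return out


def filter_rules(rules, action=None, enabled=None):
    """Equivalent of the Rules tab filters, e.g. action/drop and status/enabled."""
    return [r for r in rules
            if (action is None or r.action == action)
            and (enabled is None or r.enabled == enabled)]


def render(rule):
    return ("" if rule.enabled else "# ") + f"{rule.action} {rule.body}"


# Constructed sample rulesets (not real ET rules)
RULES_SCAN = """\
# constructed ruleset 'emerging-scan'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN sample 1"; sid:9000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SCAN sample 2"; sid:9000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SCAN sample 3, disabled"; sid:9000003; rev:1;)
"""
RULES_DOS = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DOS sample 1"; sid:9000004; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"DOS sample 2, already drop"; sid:9000005; rev:1;)
"""

# Policy 0 from the posts: selected rulesets, Action: Alert, New Action: Drop
POLICY_0 = {"rulesets": ["emerging-scan"], "action": ["alert"], "new_action": "drop"}


def demo():
    rules = parse_rules("emerging-scan", RULES_SCAN) + parse_rules("emerging-dos", RULES_DOS)
    return apply_policy(rules, POLICY_0)


if __name__ == "__main__":
    for r in demo():
        print(render(r))
```

The filters are the check worth doing after Apply: every enabled rule of a ruleset you selected should show up under action/drop and status/enabled, and a ruleset added later should show up under action/alert until you edit the policy, which is the behaviour post #8 describes. A disabled rule keeps its disabled state whatever action the policy assigns.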