23.1 Legacy Series / [SOLVED] Suricata prevents access to OPN itself
« on: April 02, 2023, 01:11:12 pm »
Since the upgrade to 23.1 I noticed that a few minutes after booting up I lose all connectivity to OPN itself. As in, I can't get in the web GUI or even SSH into it, and existing sessions disconnect with "broken pipe" errors. Traffic still properly passes through OPN though, and oddly enough it does still respond to pings. I finally figured out this was due to Suricata:
- Reboot OPN simply by power cycling
- Continuously try to SSH into OPN and kill Suricata (while true; do ssh root@opn killall -9 suricata; sleep 3; done)
- When it succeeds, stop the loop and open a regular SSH session
- This session keeps working indefinitely, unlike before
- Go into OPN web GUI and change Suricata to stop listening on the interface I would access OPN through
- Start Suricata again
- SSH keeps working, but other networks are once again unable to access OPN
- Suricata isn't logging an alert about this, so it's not somehow a rule that's blocking it (I even added a pass rule for my specific IP)
- I also made sure sshlockout wasn't triggered (list is still empty)
I think there may be a problem with Suricata opening the same interface multiple times. I checked the latest.log and these are the only lines that appear right before I lose connectivity:
Code:
[meta sequenceId="1"] [102930] <Notice> -- opened netmap:igb3/R from igb3: 0x82a915000
[meta sequenceId="2"] [102930] <Notice> -- opened netmap:igb3^ from igb3^: 0x82a915300
[meta sequenceId="3"] [102930] <Notice> -- opened netmap:igb3^ from igb3^: 0x8556f4000
[meta sequenceId="4"] [102930] <Notice> -- opened netmap:igb3/T from igb3: 0x8556f4300
[meta sequenceId="5"] [102930] <Notice> -- opened netmap:igb2/R from igb2: 0x8804f4000
[meta sequenceId="6"] [102930] <Notice> -- opened netmap:igb2^ from igb2^: 0x8804f4300
[meta sequenceId="7"] [102930] <Notice> -- opened netmap:igb2^ from igb2^: 0x8ab2f4000
[meta sequenceId="8"] [102930] <Notice> -- opened netmap:igb2/T from igb2: 0x8ab2f4300
I'm guessing the /R and /T are for receive and transmit, but then what are the 2 lines with ^? I think those being present (either twice, or besides the R/T variants) might cause Suricata to kind of lose track of traffic destined for OPN and it disappears into a black hole.
I'm not entirely sure if this is a problem with Suricata itself, or simply the config OPN generates for it. So I'll try here first. =]
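As an added illustration (not part of the post, OPNsense or Suricata), a small Python checker that parses the "opened netmap:" notices quoted above and flags interfaces whose host-stack rings (the trailing ^ in netmap port naming; /R and /T select receive-only and transmit-only rings) are opened more than once, which is the pattern the post suspects. The igb1 lines are constructed as a healthy baseline for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the post (igb3, igb2) plus a
# hypothetical igb1 with a single host-stack open, as a healthy baseline.
SAMPLE_LOG = """\
[meta sequenceId="1"] [102930] <Notice> -- opened netmap:igb3/R from igb3: 0x82a915000
[meta sequenceId="2"] [102930] <Notice> -- opened netmap:igb3^ from igb3^: 0x82a915300
[meta sequenceId="3"] [102930] <Notice> -- opened netmap:igb3^ from igb3^: 0x8556f4000
[meta sequenceId="4"] [102930] <Notice> -- opened netmap:igb3/T from igb3: 0x8556f4300
[meta sequenceId="5"] [102930] <Notice> -- opened netmap:igb2/R from igb2: 0x8804f4000
[meta sequenceId="6"] [102930] <Notice> -- opened netmap:igb2^ from igb2^: 0x8804f4300
[meta sequenceId="7"] [102930] <Notice> -- opened netmap:igb2^ from igb2^: 0x8ab2f4000
[meta sequenceId="8"] [102930] <Notice> -- opened netmap:igb2/T from igb2: 0x8ab2f4300
[meta sequenceId="9"] [102930] <Notice> -- opened netmap:igb1/R from igb1: 0x0
[meta sequenceId="10"] [102930] <Notice> -- opened netmap:igb1^ from igb1^: 0x0
[meta sequenceId="11"] [102930] <Notice> -- opened netmap:igb1/T from igb1: 0x0
"""

# Interface name, then an optional ring selector: ^ (host stack), /R or /T.
LINE_RE = re.compile(
    r"<Notice> -- opened netmap:(?P<iface>[a-z]+\d+)(?P<ring>\^|/R|/T)? from "
)

RING_NAMES = {"/R": "R", "/T": "T", "^": "host", None: "all"}


def parse_opens(text):
    """Map each interface to the rings Suricata opened on it, in log order."""
    opens = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a netmap open notice; ignore
        opens[m.group("iface")].append(RING_NAMES[m.group("ring")])
    return dict(opens)


def find_double_host_opens(opens):
    """Interfaces whose host-stack rings (^) were opened more than once."""
    return sorted(i for i, rings in opens.items() if rings.count("host") > 1)


if __name__ == "__main__":
    opens = parse_opens(SAMPLE_LOG)
    for iface, rings in opens.items():
        print(f"{iface}: {' '.join(rings)}")
    print("host stack opened twice on:", find_double_host_opens(opens))
```

Run it against a real /var/log/suricata/suricata.log (or the latest.log the post mentions) by reading that file into parse_opens instead of SAMPLE_LOG.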