Packet Flow Diagram

[Monviech (Cedrik)]

Attention:
This is a community effort. This is not an official packet flow diagram. Please leave a comment if something is wrong.

Ingress Traffic:
1. Ingress Interface
   |
2. Next Generation Firewall (Ingress)
   |----> 2.1 Suricata (IPS mode) (depends on selected Interfaces)
   |      |----> If Block Rule Matches, Drop Packet
   |      |----> Else, Continue
   |----> 2.2 Zenarmor (depends on selected Interfaces)
   |      |----> If Block Rule Matches, Drop Packet
   |      |----> Else, Continue
   |
3. Scrub (normalize, reassemble fragments, etc.) ~PF~
   |
4. 1:1 NAT (Bi-directional NAT) ~PF~
   |----> 4.1 Match Rules (Static NAT - BINAT - 1:1 NAT)
   |
5. Destination NAT (Port Forward or Redirection) ~PF~
   |----> 5.1 Match Rules (DNAT - Port Forward)
   |
6. Source NAT (Outbound NAT) ~PF~
   |----> 6.1 Match Rules (SNAT - Outbound)
   |
7. Is Packet First in Flow? ~PF~
   |----> Yes:
   |      |----> 7.1 Filter Rules
   |      |       |----> 7.1.1 Block/Pass (Quick) in order of rules until
   |      |                          first match, then terminates further
   |      |                          evaluation
   |      |       |----> 7.1.2 Block/Pass (without Quick) until best
   |      |                          match, if no prior quick rule matched
   |      |----> 7.2 Create State Entry (if rule has state tracking)
   |----> No:
   |      |----> 7.3 Use Existing State Entry
   |
8. Routing Decision (determine egress interface)
   |
9. Traffic Shaping ~IPFW with dummynet~
   |
10. Next Generation Firewall (Egress)
   |----> 10.1 Suricata (IPS mode) (depends on selected Interfaces)
   |      |----> If Block Rule Matches, Drop Packet
   |      |----> Else, Continue
   |----> 10.2 Zenarmor (depends on selected Interfaces)
   |      |----> If Block Rule Matches, Drop Packet
   |      |----> Else, Continue
   |
11. Egress Interface

- Added Block and Pass filter rule differentiation with "Quick" enabled, feeback from @CJ
- Added Suricata and Zenarmor to the right spots with feedback from @mb: https://forum.opnsense.org/index.php?topic=36369.0

[CJ]

The only note I have is that it's not Block and then Pass rules.  It's all rules in order until satisfying one that has a Quick tag or reaching the bottom.

[Monviech (Cedrik)]

The only note I have is that it's not Block and then Pass rules.  It's all rules in order until satisfying one that has a Quick tag or reaching the bottom.

Thank you CJ I adjusted the diagram. Do you know where Zenarmor would match here? Same spot as Suricata?

[lilsense]

I would love to see one that looks like the netfilter shown below:


your process does not include the suricata and/or Zenarmor integration packet flows

[Monviech (Cedrik)]

@lilsense

I know what you mean. I would like something like the junos packet flow:

But since I'm fishing for feedback, I'm keeping it as a simple ASCII so I can adjust it quickly to new information. Once it's solid, I'm going to do a proper one, I promise

[CJ]

The only note I have is that it's not Block and then Pass rules.  It's all rules in order until satisfying one that has a Quick tag or reaching the bottom.

Thank you CJ I adjusted the diagram. Do you know where Zenarmor would match here? Same spot as Suricata?

Unfortunately, I don't.  I haven't really dug into the guts of the packet flow.  I only wanted to point out the bit about the Quick rules because I've seen that trip people up.

[Monviech (Cedrik)]

Ive updated the diagram since I found out by reading old forum posts that Opnsense uses PF and IPFW in conjunction. PF is for NAT and Packet Filtering, and IPFW with dummynet is used for traffic shaping and captive portal.

I have also reached out to SunnyValley about Zenarmor and implemented their response into the packet flow, together with Suricata at the right spot.

[krishcomment]

Your packet flow diagram is thorough and seems well-structured. It's great that you're inviting feedback from the community to ensure accuracy.

For those working on similar projects, I’ve found that tools like Creately can be really helpful in visualizing complex flow diagrams like this. It’s user-friendly and can make these processes easier to map out.

https://creately.com/diagram-community/popular/t/flowchart- packet flow diagrams and more community flowcharts

[chemlud]

Where would be Suricata in IDS mode?

[Monviech (Cedrik)]

Well same, but instead of dropping the packet it will just log.

[chemlud]

in my head IDS was only after (!) packages were handled already by pf, but maybe I mix things up with Snort and the other sense...

[doktornotor]

Before or after, does not matter. Suricata as IDS does not block anything via pf on OPNsense.

[Patrick M. Hausen]

Before or after, does not matter. Suricata as IDS does not block anything via pf on OPNsense.

Disagree because if it's after pf, then packets blocked by pf won't be inspected by the IDS.

[doktornotor]

Ok. I don't particularly care about inspecting what's already been inspected and blocked elsewhere.

[chemlud]

Packet Flow Diagram -> documentation purposes ;-)