Ingress Traffic:
1. Ingress Interface
|
2. Next Generation Firewall (Ingress)
|----> 2.1 Suricata (IPS mode) (depends on selected Interfaces)
|      |----> If Block Rule Matches, Drop Packet
|      |----> Else, Continue
|----> 2.2 Zenarmor (depends on selected Interfaces)
|      |----> If Block Rule Matches, Drop Packet
|      |----> Else, Continue
|
3. Scrub (normalize, reassemble fragments, etc.) ~PF~
|
4. 1:1 NAT (Bi-directional NAT) ~PF~
|----> 4.1 Match Rules (Static NAT - BINAT - 1:1 NAT)
|
5. Destination NAT (Port Forward or Redirection) ~PF~
|----> 5.1 Match Rules (DNAT - Port Forward)
|
6. Source NAT (Outbound NAT) ~PF~
|----> 6.1 Match Rules (SNAT - Outbound)
|
7. Is Packet First in Flow? ~PF~
|----> Yes:
|      |----> 7.1 Filter Rules
|      |      |----> 7.1.1 Block/Pass (Quick) in order of rules until
|      |      |      first match, then terminates further evaluation
|      |      |----> 7.1.2 Block/Pass (without Quick) until best
|      |      |      match, if no prior quick rule matched
|      |----> 7.2 Create State Entry (if rule has state tracking)
|----> No:
|      |----> 7.3 Use Existing State Entry
|
8. Routing Decision (determine egress interface)
|
9. Traffic Shaping ~IPFW with dummynet~
|
10. Next Generation Firewall (Egress)
|----> 10.1 Suricata (IPS mode) (depends on selected Interfaces)
|      |----> If Block Rule Matches, Drop Packet
|      |----> Else, Continue
|----> 10.2 Zenarmor (depends on selected Interfaces)
|      |----> If Block Rule Matches, Drop Packet
|      |----> Else, Continue
|
11. Egress Interface
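To make step 7 of the diagram concrete, here is an added Python model (not from this thread and not OPNsense or pf code) of the filter step: a matching quick rule terminates evaluation, otherwise the last matching rule wins, and a passed first packet creates a state entry that later packets of the same flow hit instead of the ruleset. The rule names, addresses and the implicit default-deny are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable
# Added model of steps 7.1-7.3 of the diagram above: a packet is a plain dict
# such as {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.1", "dport": 22}.
@dataclass
class Rule:
    name: str
    action: str                       # "pass" or "block"
    match: Callable[[dict], bool]     # predicate over the packet fields
    quick: bool = False               # pf "quick": stop evaluating on match
    keep_state: bool = True           # create a state entry on pass

@dataclass
class Firewall:
    rules: list
    default_action: str = "block"     # assumed implicit default-deny
    states: set = field(default_factory=set)

    def evaluate_rules(self, pkt):
        """pf ordering: a matching 'quick' rule terminates evaluation; without
        quick, the LAST matching rule wins; no match -> default action."""
        winner = None
        for rule in self.rules:
            if rule.match(pkt):
                winner = rule
                if rule.quick:
                    break
        return (winner.action, winner) if winner else (self.default_action, None)

    def filter(self, pkt):
        key = (pkt["proto"], pkt["src"], pkt["dst"], pkt["dport"])
        if key in self.states:        # 7.3: later packets of a flow use the state
            return "pass", "state"
        action, rule = self.evaluate_rules(pkt)   # 7.1: first packet hits the ruleset
        if action == "pass" and rule is not None and rule.keep_state:
            self.states.add(key)      # 7.2: remember the flow
        return action, rule.name if rule else "default"

# Constructed ruleset: two non-quick rules on port 22 (last match wins) and a
# quick block on port 23 that shadows the pass rule placed after it.
def build_firewall():
    return Firewall(rules=[
        Rule("block-ssh", "block", lambda p: p["dport"] == 22),
        Rule("allow-admin-ssh", "pass", lambda p: p["dport"] == 22 and p["src"] == "10.0.0.5"),
        Rule("block-telnet", "block", lambda p: p["dport"] == 23, quick=True),
        Rule("allow-telnet", "pass", lambda p: p["dport"] == 23),
    ])
def pkt(src, dport):
    return {"proto": "tcp", "src": src, "dst": "10.0.0.1", "dport": dport}
```

Note that a non-quick block placed before a non-quick pass does not block, which is why the ordering matters when rules are mixed.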
The only note I have is that it's not Block and then Pass rules. It's all rules in order until satisfying one that has a Quick tag or reaching the bottom.
Quote from: CJ on October 08, 2023, 03:37:18 pm
> The only note I have is that it's not Block and then Pass rules. It's all rules in order until satisfying one that has a Quick tag or reaching the bottom.

Thank you CJ, I adjusted the diagram. Do you know where Zenarmor would match here? Same spot as Suricata?
Before or after, does not matter. Suricata as IDS does not block anything via pf on OPNsense.