Ingress Traffic:

1. Ingress Interface
|
2. Next Generation Firewall (Ingress)
|----> 2.1 Suricata (IPS mode) (depends on selected Interfaces)
|      |----> If Block Rule Matches, Drop Packet
|      |----> Else, Continue
|----> 2.2 Zenarmor (depends on selected Interfaces)
|      |----> If Block Rule Matches, Drop Packet
|      |----> Else, Continue
|
3. Scrub (normalize, reassemble fragments, etc.) ~PF~
|
4. 1:1 NAT (Bi-directional NAT) ~PF~
|----> 4.1 Match Rules (Static NAT - BINAT - 1:1 NAT)
|
5. Destination NAT (Port Forward or Redirection) ~PF~
|----> 5.1 Match Rules (DNAT - Port Forward)
|
6. Source NAT (Outbound NAT) ~PF~
|----> 6.1 Match Rules (SNAT - Outbound)
|
7. Is Packet First in Flow? ~PF~
|----> Yes:
|      |----> 7.1 Filter Rules
|      |      |----> 7.1.1 Block/Pass (Quick) in order of rules until
|      |      |            first match, then terminates further
|      |      |            evaluation
|      |      |----> 7.1.2 Block/Pass (without Quick) until best
|      |                   match, if no prior quick rule matched
|      |----> 7.2 Create State Entry (if rule has state tracking)
|----> No:
|      |----> 7.3 Use Existing State Entry
|
8. Routing Decision (determine egress interface)
|
9. Traffic Shaping ~IPFW with dummynet~
|
10. Next Generation Firewall (Egress)
|----> 10.1 Suricata (IPS mode) (depends on selected Interfaces)
|      |----> If Block Rule Matches, Drop Packet
|      |----> Else, Continue
|----> 10.2 Zenarmor (depends on selected Interfaces)
|      |----> If Block Rule Matches, Drop Packet
|      |----> Else, Continue
|
11. Egress Interface
The only note I have is that it's not Block and then Pass rules. It's all rules in order until satisfying one that has a Quick tag or reaching the bottom.
Quote from: CJ on October 08, 2023, 03:37:18 pm
The only note I have is that it's not Block and then Pass rules. It's all rules in order until satisfying one that has a Quick tag or reaching the bottom.

Thank you CJ, I adjusted the diagram. Do you know where Zenarmor would match here? Same spot as Suricata?
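A runnable model of the filter-rule step (7.1 to 7.3 in the diagram) that follows the point CJ makes above: pf walks the whole ruleset in order, the last matching rule wins, and a matching rule carrying quick ends evaluation on the spot; there is no separate block phase followed by a pass phase. This is an added example, not code from OPNsense or pf. The Rule and Packet classes, the ruleset and the packets are constructed for illustration; interface and direction are ignored, and the default action for a packet matching no rule is a parameter because stock pf passes such a packet while OPNsense's generated ruleset adds its own default-deny rules.

```python
"""Toy model of pf's filter-rule step (7.1-7.3 in the diagram).

Added example, not code from OPNsense or pf.  Rule fields are a small
subset of a pf.conf rule; flows are keyed on a 4-tuple and interface /
direction are ignored.  Ruleset and packets are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    quick: bool = False            # pf 'quick': stop evaluating on match
    proto: Optional[str] = None    # None means 'any'
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    label: str = ""

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.proto, pkt.proto), (self.src, pkt.src),
            (self.dst, pkt.dst), (self.dport, pkt.dport)))


def evaluate_rules(rules: List[Rule], pkt: Packet) -> Tuple[Optional[Rule], int]:
    """pf semantics for a packet without state (7.1): walk the rules in
    order; the LAST matching rule wins, except that a matching rule with
    'quick' ends evaluation immediately.  Block and pass rules are one
    ordered list, not two phases.  Returns (winner or None, rules examined)."""
    winner = None
    for examined, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                return winner, examined
    return winner, len(rules)


class StatefulFilter:
    """Rule evaluation tied to a state table (7.2 / 7.3)."""

    def __init__(self, rules: List[Rule], default_action: str = "pass"):
        # Stock pf passes a packet that matches no rule; OPNsense's generated
        # ruleset adds default-deny rules, so a caller can set "block" here.
        self.rules = rules
        self.default_action = default_action
        self.states: Dict[tuple, str] = {}

    def filter(self, pkt: Packet) -> Tuple[str, str, int]:
        """Returns (action, reason, rules examined)."""
        key = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        if key in self.states:                              # 7.3 existing state
            return self.states[key], "state", 0
        winner, examined = evaluate_rules(self.rules, pkt)  # 7.1 first packet
        if winner is None:
            return self.default_action, "default", examined
        if winner.action == "pass":                         # 7.2 pass rules keep state
            self.states[key] = "pass"
        return winner.action, winner.label, examined


# Constructed ruleset.  Rule 1 has no 'quick', so any later match overrides
# it; rule 3 has 'quick', so nothing after it is consulted once it matches.
RULES = [
    Rule("block", label="catch-all block"),
    Rule("pass", proto="tcp", dst="10.0.0.5", dport=443, label="pass https"),
    Rule("block", quick=True, src="192.0.2.66", label="quick block bad host"),
    Rule("pass", proto="tcp", dport=22, label="pass ssh"),
]


def demo() -> List[Tuple[str, str, int]]:
    fw = StatefulFilter(RULES)
    packets = [
        Packet("tcp", "198.51.100.7", "10.0.0.5", 443),  # rules 1 and 2 match, last wins: pass
        Packet("tcp", "192.0.2.66", "10.0.0.5", 443),    # rule 2 would pass, rule 3 quick-blocks
        Packet("tcp", "192.0.2.66", "10.0.0.9", 22),     # rule 4 (pass ssh) is never examined
        Packet("udp", "198.51.100.7", "10.0.0.5", 53),   # only rule 1 matches: block
        Packet("tcp", "198.51.100.7", "10.0.0.5", 443),  # repeat of the first: state hit
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second and third packets show why rule order matters more than rule type: the quick block at position 3 stops evaluation before the pass rule at position 4 is ever looked at, while the non-quick block at position 1 is silently overridden by the later pass for HTTPS.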