OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Zenarmor (Sensei) »
  • Zenarmor packet flow
« previous next »
  • Print
Pages: [1]

Author Topic: Zenarmor packet flow  (Read 2189 times)

Monviech (Cedrik)

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1596
  • Karma: 176
    • View Profile
Zenarmor packet flow
« on: October 10, 2023, 02:39:25 pm »
Hello Zenarmor team,

I would like to know where to add your product into a packet flow diagram (non official, community), that shows OPNsense packet handling:

https://forum.opnsense.org/index.php?topic=36326.0

Thank you :)
Logged
Hardware:
DEC740

mb

  • Hero Member
  • *****
  • Posts: 941
  • Karma: 99
    • View Profile
    • Sunny Valley Networks
Re: Zenarmor packet flow
« Reply #1 on: October 10, 2023, 06:15:14 pm »
Hi @Monviech,

That's a very helpful initiative, thanks.

Zenarmor (or Suricata in IPS mode) will be just between Ingress Interface and Scrub; and for the Egress path, it'll be between Traffic Shaping and Egress Interface.

Hope this inforamtion is helpful.
Logged

Monviech (Cedrik)

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1596
  • Karma: 176
    • View Profile
Re: Zenarmor packet flow
« Reply #2 on: October 10, 2023, 06:35:35 pm »
Hello @mb,

thank you for your reply. Just to make sure I have understood you correctly, here's the updated Diagram. Does this look right?

Quote
Ingress Traffic:
1. Ingress Interface
   |
2. Next Generation Firewall (Ingress)
   |----> 2.1 Suricata (IPS mode) (depends on selected Interfaces)
   |      |----> If Block Rule Matches, Drop Packet
   |      |----> Else, Continue
   |----> 2.2 Zenarmor (depends on selected Interfaces)
   |      |----> If Block Rule Matches, Drop Packet
   |      |----> Else, Continue
   |
3. Scrub (normalize, reassemble fragments, etc.)
   |
4. 1:1 NAT (Bi-directional NAT)
   |----> 4.1 Match Rules (Static NAT - BINAT - 1:1 NAT)
   |
5. Destination NAT (Port Forward or Redirection)
   |----> 5.1 Match Rules (DNAT - Port Forward)
   |
6. Source NAT (Outbound NAT)
   |----> 6.1 Match Rules (SNAT - Outbound)
   |
7. Is Packet First in Flow?
   |----> Yes:
   |      |----> 7.1 Filter Rules
   |      |       |----> 7.1.1 Block/Pass (Quick) in order of rules until
   |      |                          first match, then terminates further
   |      |                          evaluation
   |      |       |----> 7.1.2 Block/Pass (without Quick) until best
   |      |                          match, if no prior quick rule matched
   |      |----> 7.2 Create State Entry (if rule has state tracking)
   |----> No:
   |      |----> 7.3 Use Existing State Entry
   |
8. Routing Decision (determine egress interface)
   |
9. Traffic Shaping
   |
10. Next Generation Firewall (Egress)
   |----> 10.1 Suricata (IPS mode) (depends on selected Interfaces)
   |      |----> If Block Rule Matches, Drop Packet
   |      |----> Else, Continue
   |----> 10.2 Zenarmor (depends on selected Interfaces)
   |      |----> If Block Rule Matches, Drop Packet
   |      |----> Else, Continue
   |
11. Egress Interface
« Last Edit: October 10, 2023, 06:37:14 pm by Monviech »
Logged
Hardware:
DEC740
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Zenarmor (Sensei) »
  • Zenarmor packet flow
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2