Zenarmor packet flow

Started by Monviech (Cedrik), October 10, 2023, 02:39:25 PM

Hello Zenarmor team,

I would like to know where to add your product into a packet flow diagram (non official, community), that shows OPNsense packet handling:

https://forum.opnsense.org/index.php?topic=36326.0

Thank you :)
Hardware:
DEC740

Hi @Monviech,

That's a very helpful initiative, thanks.

Zenarmor (or Suricata in IPS mode) will be just between Ingress Interface and Scrub; and for the Egress path, it'll be between Traffic Shaping and Egress Interface.

Hope this information is helpful.

October 10, 2023, 06:35:35 PM #2 Last Edit: October 10, 2023, 06:37:14 PM by Monviech
Hello @mb,

thank you for your reply. Just to make sure I have understood you correctly, here's the updated diagram. Does this look right?

Quote
Ingress Traffic:
1. Ingress Interface
   |
2. Next Generation Firewall (Ingress)
   |----> 2.1 Suricata (IPS mode) (depends on selected Interfaces)
   |      |----> If Block Rule Matches, Drop Packet
   |      |----> Else, Continue
   |----> 2.2 Zenarmor (depends on selected Interfaces)
   |      |----> If Block Rule Matches, Drop Packet
   |      |----> Else, Continue
   |
3. Scrub (normalize, reassemble fragments, etc.)
   |
4. 1:1 NAT (Bi-directional NAT)
   |----> 4.1 Match Rules (Static NAT - BINAT - 1:1 NAT)
   |
5. Destination NAT (Port Forward or Redirection)
   |----> 5.1 Match Rules (DNAT - Port Forward)
   |
6. Source NAT (Outbound NAT)
   |----> 6.1 Match Rules (SNAT - Outbound)
   |
7. Is Packet First in Flow?
   |----> Yes:
   |      |----> 7.1 Filter Rules
   |      |       |----> 7.1.1 Block/Pass (Quick) in order of rules until
   |      |                          first match, then terminates further
   |      |                          evaluation
   |      |       |----> 7.1.2 Block/Pass (without Quick) until best
   |      |                          match, if no prior quick rule matched
   |      |----> 7.2 Create State Entry (if rule has state tracking)
   |----> No:
   |      |----> 7.3 Use Existing State Entry
   |
8. Routing Decision (determine egress interface)
   |
9. Traffic Shaping
   |
10. Next Generation Firewall (Egress)
   |----> 10.1 Suricata (IPS mode) (depends on selected Interfaces)
   |      |----> If Block Rule Matches, Drop Packet
   |      |----> Else, Continue
   |----> 10.2 Zenarmor (depends on selected Interfaces)
   |      |----> If Block Rule Matches, Drop Packet
   |      |----> Else, Continue
   |
11. Egress Interface
Hardware:
DEC740
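As an added illustration of the updated diagram (this is not code from the thread, nor from OPNsense, Zenarmor or Suricata), the following Python model walks a packet through the numbered stages in the same order: NGFW ingress hooks, scrub, DNAT, SNAT, stateful filtering, routing, shaping, NGFW egress hooks, egress interface. Everything in it is constructed: the addresses, the port-forward, the rules and the two NGFW "hooks", which simply stand in for whatever Zenarmor or Suricata would decide at steps 2 and 10. Step 7.1 is modelled with pf's documented semantics, which the diagram calls "best match": a quick rule ends evaluation on first match, otherwise the last matching rule wins; packets that already have a state entry skip the rule set entirely (7.3).

```python
"""Toy model of the OPNsense packet path from the diagram above.
Constructed example: all addresses, rules and hooks are made up."""
from dataclasses import dataclass, field, replace
from typing import Callable, Optional

@dataclass(frozen=True)
class Packet:
    iface: str      # ingress interface
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    quick: bool
    match: Callable[[Packet], bool]
    name: str
    keep_state: bool = True

def filter_decision(rules, pkt) -> Optional[Rule]:
    """7.1: a quick rule terminates on first match (7.1.1); otherwise the
    last matching rule wins (7.1.2). None means no rule matched."""
    winner = None
    for rule in rules:
        if rule.match(pkt):
            winner = rule
            if rule.quick:
                break
    return winner

@dataclass
class Firewall:
    ngfw_ingress: list   # [(name, predicate)], predicate True => drop   (2.)
    rdr: dict            # (dst, dport) -> internal dst                  (5.)
    nat_out: list        # [(predicate, new_src)]                        (6.)
    rules: list          # filter rules in configured order              (7.1)
    routes: dict         # dst prefix -> egress interface                (8.)
    ngfw_egress: list    # same shape as ngfw_ingress                    (10.)
    states: set = field(default_factory=set)   # simplified state table (7.2/7.3)

def process(fw: Firewall, pkt: Packet):
    """Return ("pass"|"drop", trace) where trace lists the stages visited."""
    trace = []
    for name, hook in fw.ngfw_ingress:                                   # 2.
        if hook(pkt):
            return "drop", trace + [f"2 {name}: block rule matched"]
    trace.append("3 scrub")                                              # 3.
    # 4. 1:1 NAT: none configured in this example
    new_dst = fw.rdr.get((pkt.dst, pkt.dport))                           # 5.
    if new_dst:
        trace.append(f"5.1 rdr {pkt.dst} -> {new_dst}")
        pkt = replace(pkt, dst=new_dst)
    for pred, new_src in fw.nat_out:                                     # 6.
        if pred(pkt):
            trace.append(f"6.1 nat {pkt.src} -> {new_src}")
            pkt = replace(pkt, src=new_src)
            break
    key = (pkt.proto, pkt.src, pkt.dst, pkt.dport)                       # 7.
    if key in fw.states:
        trace.append("7.3 existing state")
    else:
        rule = filter_decision(fw.rules, pkt)
        if rule is None or rule.action == "block":
            return "drop", trace + [f"7.1 {rule.name if rule else 'no match'}: block"]
        trace.append(f"7.1 {rule.name}: pass")
        if rule.keep_state:
            fw.states.add(key)
            trace.append("7.2 state created")
    egress = next((i for p, i in fw.routes.items() if pkt.dst.startswith(p)), "wan")
    trace.append(f"8 route via {egress}")                                # 8.
    trace.append("9 shaping")                                            # 9.
    for name, hook in fw.ngfw_egress:                                    # 10.
        if hook(pkt):
            return "drop", trace + [f"10 {name}: block rule matched"]
    trace.append(f"11 egress {egress}")                                  # 11.
    return "pass", trace

def build_example() -> Firewall:
    """Constructed configuration (hypothetical addresses from RFC 5737 ranges)."""
    return Firewall(
        ngfw_ingress=[("zenarmor", lambda p: p.src == "192.0.2.66")],   # made-up blocklist hit
        rdr={("198.51.100.10", 443): "10.0.0.20"},                      # port forward to web server
        nat_out=[(lambda p: p.src.startswith("10.0.0."), "198.51.100.10")],
        rules=[
            Rule("block", False, lambda p: True, "default deny"),
            Rule("pass",  False, lambda p: p.dst == "10.0.0.20" and p.dport == 443, "allow web"),
            Rule("block", True,  lambda p: p.dport == 23, "no telnet"),
            Rule("pass",  False, lambda p: p.dport == 23, "never reached for telnet"),
            Rule("pass",  False, lambda p: p.iface == "lan", "lan to any"),
        ],
        routes={"10.0.0.": "lan"},
        ngfw_egress=[("suricata", lambda p: p.dport == 6667)],           # made-up IPS drop
    )

if __name__ == "__main__":
    fw = build_example()
    for pkt in (Packet("wan", "203.0.113.5", "198.51.100.10", 443),
                Packet("wan", "203.0.113.5", "198.51.100.10", 443),   # same flow, uses state
                Packet("wan", "203.0.113.5", "198.51.100.10", 23),
                Packet("wan", "192.0.2.66", "198.51.100.10", 443),
                Packet("lan", "10.0.0.20", "203.0.113.9", 6667)):
        verdict, trace = process(fw, pkt)
        print(verdict, " | ".join(trace))
```

Running the demo shows the two things the diagram is meant to convey: the port-forward (5.1) is applied before the filter rules see the packet, so the pass rule must match the internal address, and only the first packet of a flow goes through 7.1/7.2 while the rest hit 7.3 and proceed to routing, shaping and the egress NGFW hooks.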