Suricata - Divert (IPS)

Started by xpendable, January 30, 2026, 01:40:00 AM

Quote from: phanos on February 02, 2026, 12:22:53 PM
I understand I should configure at least the two allow rules to divert traffic to Suricata, but what happens with the block rule? Do I do nothing?
If it is already blocked by the FW rule, it does not need to be diverted further.

Hi, regarding the Suricata crash issue with IPS Divert mode (https://github.com/opnsense/core/issues/9712), is anyone else affected by the same problem?

Quote from: QuisaZaderak on Today at 08:45:42 AM
Quote from: phanos on February 02, 2026, 12:22:53 PM
I understand I should configure at least the two allow rules to divert traffic to Suricata, but what happens with the block rule? Do I do nothing?
If it is already blocked by the FW rule, it does not need to be diverted further.

Right, but what about port forwarding? How do you handle these? They do not seem to have direct to...

Hello,

Sorry, I'm having a hard time understanding this DIVERT parameter.
So if I set FW rules to allow ports 443/80/5520 and then I create an additional FW rule with the same SRC/DST IPs, then the 1st rule would allow only the traffic on the ports defined and the second would send the traffic to the IPS?
Or how is it possible to filter with DIVERT IPS?

As in the pic, if I allow the 2 DIVERT rules?

Thank you all for the awesome work on this.

Quote from: szix96 on Today at 03:07:59 PM
Hello,

Sorry, I'm having a hard time understanding this DIVERT parameter.
So if I set FW rules to allow ports 443/80/5520 and then I create an additional FW rule with the same SRC/DST IPs, then the 1st rule would allow only the traffic on the ports defined and the second would send the traffic to the IPS?
Or how is it possible to filter with DIVERT IPS?

As in the pic, if I allow the 2 DIVERT rules?

Thank you all for the awesome work on this.

I think you confused protocol divert with Advanced Options -> divert to. Or am I missing something?

Today at 08:56:11 PM #35 Last Edit: Today at 09:04:18 PM by szix96
Quote from: Ametite on Today at 04:11:12 PM
Quote from: szix96 on Today at 03:07:59 PM
Hello,

Sorry, I'm having a hard time understanding this DIVERT parameter.
So if I set FW rules to allow ports 443/80/5520 and then I create an additional FW rule with the same SRC/DST IPs, then the 1st rule would allow only the traffic on the ports defined and the second would send the traffic to the IPS?
Or how is it possible to filter with DIVERT IPS?

As in the pic, if I allow the 2 DIVERT rules?

Thank you all for the awesome work on this.

I think you confused protocol divert with Advanced Options -> divert to. Or am I missing something?

Thank you, but I do not find it in the advanced settings in the FW rule, just the protocol as divert.
Edit: Found it in the new FW rules, so is it only available in the new rules, or is it also available in the legacy FW rules?


"To use the "Divert (IPS)" mode, you must use Firewall ‣ Rules [new] and create firewall rules that contain the "Divert-to" setting. Check the Rules manual for more information."
https://docs.opnsense.org/manual/ips.html
https://docs.opnsense.org/manual/firewall.html#divert-to
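To make the exchange above concrete (blocked traffic never needs a divert, only pass rules carrying the "Divert-to" advanced option hand traffic to Suricata, and a plain pass rule bypasses the IPS entirely), here is an added example that is not from the thread or from OPNsense. It models first-match ("quick") rule evaluation with a constructed rule set; the `Rule`/`Packet` types and the `decide` function are hypothetical and do not reproduce pf's real syntax.

```python
# Added example (not from the thread or from OPNsense): a small model of how
# first-match ("quick") firewall rules decide which traffic Suricata sees in
# Divert (IPS) mode. "divert" here is the rule's "Divert-to" advanced option,
# not the IP protocol called "divert" in the protocol drop-down.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "tcp", "udp" or "any"
    dst_port: Optional[int]     # None matches every port
    divert: bool = False        # Divert-to set -> matched traffic goes to Suricata


@dataclass
class Packet:
    proto: str
    dst_port: int


def decide(rules: list, pkt: Packet) -> str:
    """Return 'blocked', 'allowed' (passes without inspection) or 'diverted'
    (handed to the IPS) according to the first rule that matches the packet."""
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        if r.action == "block":
            return "blocked"        # dropped before any divert can happen
        return "diverted" if r.divert else "allowed"
    return "blocked"                # assumed default-deny at the end of the set


# Constructed rule set mirroring the thread: three application ports with
# Divert-to, one plain pass for DNS, and an explicit block for everything else.
RULES = [
    Rule("pass", "tcp", 443, divert=True),
    Rule("pass", "tcp", 80, divert=True),
    Rule("pass", "tcp", 5520, divert=True),
    Rule("pass", "udp", 53),            # no Divert-to: Suricata never sees it
    Rule("block", "any", None),         # needs no divert; blocked is blocked
]


def coverage(rules: list, packets: list) -> dict:
    """Map 'proto/port' to the verdict each constructed packet receives."""
    return {f"{p.proto}/{p.dst_port}": decide(rules, p) for p in packets}


if __name__ == "__main__":
    sample = [Packet("tcp", 443), Packet("udp", 53), Packet("tcp", 22)]
    for flow, verdict in coverage(RULES, sample).items():
        print(flow, verdict)
```

Running it shows the point of the thread: only flows that hit a pass rule with Divert-to reach the IPS, so a pass rule without the option is a blind spot, and a block rule above it never reaches Suricata at all.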