I have installed suricata 4.0 in IPS mode per the docs here:
I can start it with /etc/init.d/suricata start, but as soon as I stop it with /etc/init.d/suricata stop it will drop all connections to the box and not allow further connections. I have run:
sudo iptables -A OUTPUT -j NFQUEUE & sudo iptables -A INPUT -j NFQUEUE
only after starting, because if I run these beforehand the same thing occurs: all connections are dropped and I can't SSH back into the box.
It will restart (with the iptables rules enabled), but connections are on hold (can't type or SSH from another location) while the restart is in progress; it takes about 5 seconds, but it does come back successfully.
This leads me to a few questions, but let's keep it at one: how can I add these firewall rules without having something listening on and reading NFQUEUE? Since Suricata will forward or drop, I assume that because they don't get removed from the queue, they are never processed further.
You can add --queue-bypass. I'll request that the documentation is updated. I'm not out of the woods, but past this issue.

-A INPUT -s 123.456.789.101/08 -p tcp --dport 22 -j ACCEPT before the NFQUEUE entries, which will ensure you can at least connect to the box and remove the queue entries. Of course the CIDR should be your own.
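The two answers above combine into one safe ruleset: an ACCEPT for the management path placed before the NFQUEUE rules, and NFQUEUE with --queue-bypass so the kernel treats the rule as ACCEPT whenever no process has the queue bound (Suricata stopped or restarting) instead of dropping every packet. The script below is an added example, not code from the question or either answer; the admin network 198.51.100.0/24, queue number 0 and SSH port 22 are assumed placeholder values. It emits the ruleset in iptables-restore format, checks it for the two lockout conditions, and only touches the live firewall when run as root with --apply.

```shell
#!/bin/sh
# Added example (not from the original post): an iptables ruleset for Suricata
# NFQ inline mode that cannot lock the administrator out when Suricata stops.
#   1. ACCEPT the admin SSH flow BEFORE the NFQUEUE rules (both directions).
#   2. Use NFQUEUE --queue-bypass: with no listener on the queue the rule acts
#      as ACCEPT rather than DROP, so the box stays reachable while Suricata is down.
# Only the management flow is exempted; everything else, including established
# flows, still reaches Suricata, otherwise the IPS would only see the first packet.
# Assumed placeholder values: admin network, queue number, SSH port.
ADMIN_CIDR="${ADMIN_CIDR:-198.51.100.0/24}"
QUEUE_NUM="${QUEUE_NUM:-0}"
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset in iptables-restore format. Nothing is applied here.
build_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# lifelines first: loopback and the admin SSH flow in both directions
-A INPUT -i lo -j ACCEPT
-A INPUT -s $ADMIN_CIDR -p tcp --dport $SSH_PORT -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $ADMIN_CIDR -p tcp --sport $SSH_PORT -j ACCEPT
# everything else goes to Suricata; bypass (= ACCEPT) when nothing reads the queue
-A INPUT -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass
-A OUTPUT -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass
COMMIT
EOF
}

# Lockout check on a ruleset passed as a single string. Fails (returns 1) if any
# NFQUEUE rule lacks --queue-bypass, or if the admin SSH ACCEPT in INPUT does not
# come before the first INPUT NFQUEUE rule (rule order decides which one matches).
check_rules() {
    ruleset="$1"
    if printf '%s\n' "$ruleset" | grep -- '-j NFQUEUE' | grep -qv -- '--queue-bypass'; then
        echo "NFQUEUE rule without --queue-bypass: box will drop all traffic when Suricata stops" >&2
        return 1
    fi
    ssh_line=$(printf '%s\n' "$ruleset" | grep -n -- '-A INPUT .*--dport .* -j ACCEPT' | head -1 | cut -d: -f1)
    nfq_line=$(printf '%s\n' "$ruleset" | grep -n -- '-A INPUT .*-j NFQUEUE' | head -1 | cut -d: -f1)
    if [ -z "$ssh_line" ] || [ -z "$nfq_line" ] || [ "$ssh_line" -ge "$nfq_line" ]; then
        echo "admin SSH ACCEPT must precede the NFQUEUE rule in INPUT" >&2
        return 1
    fi
    return 0
}

# Atomic load of the whole table (needs root); only runs when invoked with --apply.
apply_rules() {
    build_rules | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    check_rules "$(build_rules)" && apply_rules
fi
```

Running the script with no arguments only defines the functions; `sh script.sh --apply` loads the table through iptables-restore after the check passes. --queue-bypass makes the IPS fail open: while Suricata is down, traffic that would have been inspected passes unfiltered, which is a deliberate availability-over-inspection trade-off; the SSH ACCEPT rule is what guarantees a management path either way.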