Stopping Suricata in nfqueue mode, with FW rules enabled, kills all connections

I have installed suricata 4.0 in IPS mode per the docs here:

I can start it with /etc/init.d/suricata start, but as soon as I stop it with /etc/init.d/suricata stop it will drop all connections to the box and not allow further connections. I have run sudo iptables -A OUTPUT -j NFQUEUE and sudo iptables -A INPUT -j NFQUEUE only after starting, because if I run these beforehand the same thing occurs: all connections are dropped and I can't ssh back into the box.

It will restart (with the iptables rules enabled), but connections are on hold (can't type or ssh from another location) while the restart is in progress; it takes about 5 seconds, but it does come back successfully.

This leads me to a few questions, but let's keep it at one: how can I add these firewall rules without having something listening on and reading NFQUEUE? Since Suricata will forward or drop, I assume that because the packets don't get removed from the queue, they are never processed further.

Thanks!

:slaps forehead:

https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/

You can add --queue-bypass. I'll request that the documentation is updated. I'm not out of the woods, but past this issue.

Best,

FWIW, you can also add: -A INPUT -s 123.456.789.101/08 -p tcp --dport 22 -j ACCEPT before the NFQUEUE entries, which will ensure you can at least connect to the box and remove the queue entries. Of course the CIDR should be your own.
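The two fixes from the thread (the --queue-bypass flag and an admin SSH ACCEPT rule placed before the NFQUEUE rules) combined into one script, as an added example that is not from the thread or from the Suricata project. It assumes Suricata is bound to queue 0, that admin SSH comes from the placeholder ADMIN_CIDR, and it defaults IPTABLES to echo so it only prints the rules until you set IPTABLES=iptables and run it as root; queue_rules_bypass_safe is a hypothetical helper that can also be fed the output of iptables -S.

```shell
#!/bin/sh
# Added example, not the forum posters' code. Placeholder values below are
# constructed; replace ADMIN_CIDR with your own management network.
ADMIN_CIDR="${ADMIN_CIDR:-192.0.2.0/24}"   # constructed placeholder
QUEUE_NUM="${QUEUE_NUM:-0}"                # assumes suricata -q 0
IPTABLES="${IPTABLES:-echo}"               # dry run by default

# Weak rule set from the original post: every packet goes to NFQUEUE with no
# bypass, so once Suricata stops nothing drains the queue and the kernel
# drops everything, including the SSH session you would use to recover.
weak_rules() {
    $IPTABLES -A INPUT  -j NFQUEUE --queue-num "$QUEUE_NUM"
    $IPTABLES -A OUTPUT -j NFQUEUE --queue-num "$QUEUE_NUM"
}

# Hardened rule set: admin SSH is accepted before any queue rule, and
# --queue-bypass makes the kernel accept packets instead of dropping them
# while no userspace program (Suricata) is bound to the queue.
safe_rules() {
    $IPTABLES -A INPUT -s "$ADMIN_CIDR" -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT  -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass
    $IPTABLES -A OUTPUT -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass
}

# Read a rule listing from stdin (e.g. "iptables -S") and report whether it
# is safe to stop Suricata: exit 0 when every NFQUEUE rule carries
# --queue-bypass, exit 1 if any queue rule would drop packets without it.
queue_rules_bypass_safe() {
    unsafe=0
    while IFS= read -r line; do
        case "$line" in
            *NFQUEUE*--queue-bypass*) ;;
            *NFQUEUE*) unsafe=1 ;;
        esac
    done
    return "$unsafe"
}
```

Run it once in dry-run mode and pipe safe_rules into queue_rules_bypass_safe before applying anything; the same check against iptables -S tells you whether an existing box can survive a Suricata restart.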