[pve-devel] pve-firewall : add support to suricata ips with NFQUEUE target
Dietmar Maurer
dietmar at proxmox.com
Fri Mar 14 09:49:42 CET 2014
> I have secret plan to integrate suricata ips at the proxmox host level.
> (I have critical vms, and customers require an ips sometime)
You are always a step ahead ;-)
But you should really sleep a few hours (mail sent at 3:55?)
> ips can use a lot of cpu, and being able to enable it on specific vms could be
> wonderful.
>
>
> There is a lot of information here
> https://home.regit.org/2011/01/building-a-suricata-compliant-ruleset/
>
> This can be done with netfilter target -J NFQUEUE
>
> example: -j NFQUEUE --queue-balance 0:1
>
>
> The main difficulty is that NFQUEUE is an ending target, so I think the only
> way (when also using netfilter firewall rules) is to replace -j ACCEPT with -j
> NFQUEUE.
>
>
> I would like to add an option in vmid.fw : enable_ips: 1
>
> then replace the -j ACCEPT with -j NFQUEUE ....
>
>
> What do you think about it ?
Feel free to add that.
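The ACCEPT-to-NFQUEUE rewrite sketched in the quoted proposal, as an added shell example. This is not pve-firewall code: it operates on an iptables-save style rule listing, assumes per-VM chains named tap<VMID>i<N>-IN / -OUT, and uses a constructed sample ruleset. It also adds --queue-bypass, which is a real NFQUEUE option that makes the kernel accept the packet when no userspace program is bound to the queue, so a stopped IPS fails open to the original ACCEPT instead of silently dropping the VM's traffic.

```shell
#!/bin/sh
# Added example, not pve-firewall code. Chain naming tap<VMID>i<N>-IN/-OUT and
# the rules below are assumptions for illustration.

# Constructed iptables-save fragment (not a real dump): VM 100 has two ACCEPTs,
# VM 101 has one, and a host-level chain also ends in ACCEPT.
SAMPLE_RULES='-A tap100i0-IN -p tcp --dport 22 -j ACCEPT
-A tap100i0-IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A tap100i0-IN -j DROP
-A tap101i0-IN -p tcp --dport 80 -j ACCEPT
-A PVEFW-FORWARD -j ACCEPT'

# ips_rewrite VMID [QUEUES]
# Reads rules on stdin and prints them with every "-j ACCEPT" that belongs to
# VMID's own chains turned into "-j NFQUEUE --queue-balance QUEUES --queue-bypass".
# Only that VM's chains change: other VMs and host chains keep plain ACCEPT,
# which is the per-VM "enable_ips" behaviour the proposal asks for.
# - --queue-balance 0:1 spreads packets over queues 0 and 1 (one suricata
#   worker each).
# - --queue-bypass: if nothing is bound to the queue (IPS not running), the
#   packet is accepted as it would have been before the rewrite, instead of
#   being dropped with the IPS down.
ips_rewrite() {
    vmid=$1
    queues=${2:-0:1}
    sed -E "s/^(-A tap${vmid}i[0-9]+-(IN|OUT)( .*)?) -j ACCEPT$/\1 -j NFQUEUE --queue-balance ${queues} --queue-bypass/"
}

# ips_unrewritten VMID
# Reads rules on stdin and prints the number of "-j ACCEPT" rules still left in
# VMID's chains; 0 after ips_rewrite means every accept path now goes through
# the IPS. Handy as a post-generation check before loading the ruleset.
ips_unrewritten() {
    vmid=$1
    grep -c -E "^-A tap${vmid}i[0-9]+-(IN|OUT)( .*)? -j ACCEPT$" || true
}

# Demonstration: enable the IPS for VM 100 only.
printf '%s\n' "$SAMPLE_RULES" | ips_rewrite 100
```

With the rewritten rules loaded, Suricata is started in inline mode bound to the same queues, for example `suricata -q 0 -q 1`, and its verdict (NF_ACCEPT or NF_DROP) replaces the original ACCEPT for those packets. Because NFQUEUE takes over the verdict, rules after the rewritten one in the chain are never reached for accepted packets, exactly as with ACCEPT; the only behavioural change is what --queue-bypass does when the IPS is not listening.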