[pve-devel] pve-firewall : add support to suricata ips with NFQUEUE target

Alexandre DERUMIER aderumier at odiso.com
Fri Mar 14 11:06:14 CET 2014


>>But you should really sleep a few hours (mail sent at 3:55?)

I was doing some server maintenance for work this night ;-)


>>Feel free to add that. 

Ok, I'll check that next week. (I'm working currently on ipset)



----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Friday 14 March 2014 09:49:42
Subject: RE: [pve-devel] pve-firewall : add support to suricata ips with NFQUEUE target

> I have secret plan to integrate suricata ips at the proxmox host level. 
> (I have critical vms, and customers require an ips sometime) 

You are always a step ahead ;-) 

But you should really sleep a few hours (mail sent at 3:55?)

> ips can use a lot of cpu, and being able to enable it on specific vms could be
> wonderful.
> 
> 
> There is a lot of information here
> https://home.regit.org/2011/01/building-a-suricata-compliant-ruleset/ 
> 
> This can be done with netfilter target -J NFQUEUE 
> 
> example: -j NFQUEUE --queue-balance 0:1 
> 
> 
> The main difficulty is that NFQUEUE is an ending target, so I think the only
> way (when also using netfilter firewall rules) is to replace -j ACCEPT with -j
> NFQUEUE.
> 
> 
> I would like to add an option in vmid.fw : enable_ips: 1 
> 
> then replace the -j ACCEPT with -j NFQUEUE ....
> 
> 
> What do you think about it?

Feel free to add that. 
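The rule rewrite proposed in the quoted mail (swap the terminating ACCEPT target for NFQUEUE --queue-balance 0:1 when a per-VM enable_ips option is set), shown as an added shell example that is not pve-firewall code and not from the thread's authors. The chain name, the vmid, the rule bodies and the helper function names are all constructed for illustration; the script only prints iptables commands and never applies them.

```shell
#!/bin/sh
# Added example (not pve-firewall code): render a VM chain's accept rules as
# iptables commands. With enable_ips=1 the terminating ACCEPT target becomes
# NFQUEUE --queue-balance 0:1 so that accepted traffic is handed to the IPS
# (suricata) for inspection instead of being accepted by the kernel directly.

QUEUE_RANGE="0:1"   # assumed: two suricata worker queues, as in the mail

# render_rules CHAIN ENABLE_IPS
# Reads rule match bodies (one per line, without the -j target) on stdin and
# prints complete iptables commands. Every rule is an accept rule; the chain
# still ends with a DROP so traffic nobody accepted is never passed on.
render_rules() {
    chain="$1"
    enable_ips="$2"
    if [ "$enable_ips" = "1" ]; then
        accept_target="NFQUEUE --queue-balance $QUEUE_RANGE"
    else
        accept_target="ACCEPT"
    fi
    while IFS= read -r match; do
        [ -n "$match" ] || continue
        printf 'iptables -A %s %s -j %s\n' "$chain" "$match" "$accept_target"
    done
    # default for the VM chain: drop what no rule accepted
    printf 'iptables -A %s -j DROP\n' "$chain"
}

# Constructed sample rule bodies for one VM (not a real vmid.fw file)
sample_rules() {
    printf '%s\n' \
        '-p tcp --dport 22' \
        '-p tcp --dport 443' \
        '-p icmp'
}

# render_vm CHAIN ENABLE_IPS: full rendered rule set for the sample VM
render_vm() {
    sample_rules | render_rules "$1" "$2"
}

# count_nfqueue CHAIN ENABLE_IPS: how many rules were redirected to the IPS
count_nfqueue() {
    render_vm "$1" "$2" | grep -c -- '-j NFQUEUE' || true
}

echo "--- enable_ips: 0 (plain firewall) ---"
render_vm "vm100-in" 0
echo "--- enable_ips: 1 (accepted traffic queued to suricata) ---"
render_vm "vm100-in" 1
```

Because NFQUEUE is a terminating target, the kernel's default is fail-closed: if no userspace program is bound to the queue (suricata stopped or crashed), queued packets are dropped, so the VM loses connectivity rather than losing inspection. The iptables NFQUEUE target also accepts --queue-bypass, which inverts this to fail-open (packets are accepted when nothing listens on the queue); which behaviour a per-VM option should pick is a policy choice worth making explicit rather than inheriting by accident.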


