From 69031f7674295d6d95219a97063c718beecc1052 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 3 Apr 2024 21:42:13 +0100
Subject: [PATCH] suricata: Disable fail-open on NFQUEUE

This change causes that if suricata crashes, the NFQUEUE will no longer fall into a mode where ALL packets are being accepted. This used the be the case before which opened the entire firewall. If suricata randomly crashes, we will fall back to the "bypass" mode where packets will bypass suricata, but nothing else.

Fixes: #13642
Signed-off-by: Michael Tremer
---
 config/suricata/suricata.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index fb4f9426b5..5bec5cd014 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -351,7 +351,7 @@ nfq:
 bypass-mask: 1073741824
 # route-queue: 2
 # batchcount: 20
- fail-open: yes
+ fail-open: no
 ##
 ## Step 5: App Layer Protocol Configuration
-- 
2.39.5
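Review bot: The new `fail-open: no` line carries no comment explaining why it must stay that way, and the commit message frames the risk as a crash scenario, whereas the NFQUEUE fail-open flag, as far as I can tell, governs the kernel's behaviour when the queue is full rather than when the listener is gone: with `fail-open: yes` an overloaded queue had packets ACCEPTed unseen, which is the whole-firewall bypass the message describes and is reachable simply by flooding the IPS. A comment above the key would keep the next maintainer from flipping it back, e.g. `# Keep "no": with fail-open the kernel ACCEPTs packets when the queue is full, skipping both inspection and the remaining firewall rules.` The crash case is decided outside this file — only a `--queue-bypass` on the NFQUEUE iptables rules gives the uninspected pass-through the message promises; without it packets are dropped while Suricata is down, which is the safer default but should be stated as a deliberate choice. Since queue-full conditions now surface as drops instead of a silent bypass, it is worth watching the nfnetlink_queue drop counters so an undersized queue is noticed rather than mistaken for a network fault.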