PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
-eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
+# Name of the firewall chain.
+FW_CHAIN="IPS"
+
+# Optional options for the Netfilter queue.
+NFQ_OPTS="--queue-bypass "
+
+# Array containing the 4 possible network zones.
+network_zones=( red green blue orange )
+
+# Mark and Mask options.
+MARK="0x1"
+MASK="0x1"
+
case "$1" in
start)
# Get amount of CPU cores.
[ "$line" ] && [ -z "${line%processor*}" ] && NFQUEUES+="-q $CPUCOUNT " && ((CPUCOUNT++))
done </proc/cpuinfo
- boot_mesg "Starting Intrusion Detection System..."
- /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES
- evaluate_retval
+ # Check if the IDS should be started.
+ if [ "$ENABLE_IDS" == "on" ]; then
+ # Loop through the array of network zones.
+ for zone in "${network_zones[@]}"; do
+ # Convert zone into upper case.
+ zone_upper=${zone^^}
+
+ # Check if the IDS is enabled for this network zone.
+ if [ "$ENABLE_IDS_$$zone_upper" == "on" ]; then
+ # Generate name of the network interface.
+ network_device=$zone
+ network_device+="0"
+
+ # Assign NFQ_OPTS
+ NFQ_OPTIONS=$NFQ_OPTS
+
+ # Check if there are multiple cpu cores available.
+ if [ "$CPUCOUNT" > 0 ]; then
+ # Balance beetween all queues.
+ NFQ_OPTIONS+="--queue-balance 0:"
+ NFQ_OPTIONS+=$(($CPUCOUNT-1))
+ else
+ # Send all packets to queue 0.
+ NFQ_OPTIONS+="--queue-num 0"
+ fi
+
+ # Create firewall rules to queue the traffic and pass to
+ # the IDS.
+ iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE "$NFQ_OPTIONS"
+ iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE "$NFQ_OPTIONS"
+ fi
+ done
+
+ # Start the IDS.
+ boot_mesg "Starting Intrusion Detection System..."
+ /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES
+ evaluate_retval
+ fi
;;
stop)
boot_mesg "Stopping Intrusion Detection System..."
killproc -p /var/run/suricata.pid /var/run
+ # Flush firewall chain.
+ iptables -F $FW_CHAIN
+
# Remove suricata control socket.
rm /var/run/suricata/* >/dev/null 2>/dev/null