]> git.ipfire.org Git - ipfire-2.x.git/commitdiff
projects / ipfire-2.x.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bb46f3b)
suricata: Disable fail-open on NFQUEUE
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 3 Apr 2024 20:42:13 +0000 (21:42 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 5 Apr 2024 11:48:16 +0000 (12:48 +0100)
This change causes that if suricata crashes, the NFQUEUE will no longer
fall into a mode where ALL packets are being accepted. This used the be
the case before which opened the entire firewall.

If suricata randomly crashes, we will fall back to the "bypass" mode
where packets will bypass suricata, but nothing else.

Fixes: #13642
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/suricata/suricata.yaml patch | blob | blame | history

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index fb4f9426b52b30b833ce790bc438617a4180ffe1..5bec5cd01486712efa0a47757136d615e0cd250b 100644 (file)
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -351,7 +351,7 @@ nfq:
    bypass-mask: 1073741824
 #  route-queue: 2
 #  batchcount: 20
-   fail-open: yes
+   fail-open: no
 
 ##
 ## Step 5: App Layer Protocol Configuration
IPFire 2.x development tree