From: Michael Tremer
Date: Wed, 3 Apr 2024 20:42:13 +0000 (+0100)
Subject: suricata: Disable fail-open on NFQUEUE
X-Git-Tag: v2.29-core185~9
X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=69031f7674295d6d95219a97063c718beecc1052

suricata: Disable fail-open on NFQUEUE

With this change, if suricata crashes, the NFQUEUE will no longer fall into a mode where ALL packets are being accepted. This used to be the case before, which opened the entire firewall.

If suricata randomly crashes, we will fall back to the "bypass" mode where packets will bypass suricata, but nothing else.

Fixes: #13642
Signed-off-by: Michael Tremer
---
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index fb4f9426b..5bec5cd01 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -351,7 +351,7 @@ nfq: bypass-mask: 1073741824 # route-queue: 2 # batchcount: 20 - fail-open: yes + fail-open: no ## ## Step 5: App Layer Protocol Configuration
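Review bot: the commit message attributes the old behaviour to a Suricata crash, but the `fail-open` key in the `nfq:` section controls what the kernel does when the verdict queue is full (with `yes`, packets that cannot be queued are accepted without inspection instead of being dropped); when the Suricata process is gone entirely the queue has no listener, and the "bypass" behaviour the message describes comes from the bypass option on the queue rule, not from this key. Suggest rewording the message to say the change closes the queue-full window (overload, slow startup or restart) and recording the trade-off in the changelog: with `fail-open: no`, traffic arriving while the queue is saturated is now dropped rather than let through uninspected, which is the intended fail-closed posture but will show up as packet loss under load, so operators should watch for queue-full drops after upgrading.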