Dear @misc
We test OpenBSD with Suricata in IPS mode.
IPS mode requires PF divert-packet.
A simple rule to divert:
pass in log quick on $xxxx_if proto tcp from !<ADMINIPs> to any
divert-packet port 700
At first glance everything looks good!
The packet goes to Suricata, Suricata checks the packet, and if the packet is "bad",
it is thrown away.
But it does not work well!
If Suricata does not drop the packet, the packet is not reinjected into PF!
After the divert-packet rule, no other rule works.
A simple example:
pass in log quick on $xxxx_if proto tcp from !<ADMINIPs> to any
divert-packet port 700
block log all
I try to connect to a host with SSH; the divert to Suricata is okay, and
the SSH connection is successful.
Why? The next rule is block all!
I thought Suricata wasn't reinjecting packets, so I made a simple test:
https://man.openbsd.org/divert.4 - example C code
If I replace Suricata with the example C code, the situation is the same!
I see the packet in the example's log, and the SSH connection is successful.
I think PF divert-packet does not reinject packets into PF.
Is there a solution for this?
--
Best regards,
Szél Gábor
WanTax Kft.
------------
tel.: +36 20 3838 171
fax: +36 82 357 585
email: gabor.s...@wantax.hu
web: http://wantax.hu
web: http://halozatom.hu
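The post describes a divert-packet rule feeding a userland inspector on port 700 and a packet that is reinjected unchanged. The following is an added example, not code from the post and not the divert(4) manual page sample: a minimal userland "IPS" for pf divert-packet in which the drop decision is made in the program itself, since that is where a diverted packet sits. The verdict logic (IPv4/TCP header parsing, policy check) is plain portable C; the divert(4) socket loop is wrapped in `#ifdef __OpenBSD__` because IPPROTO_DIVERT only exists there. The admin address list, the policy "drop TCP SYNs to port 22 from non-admin sources, reinject everything else", and the constructed test packet are assumptions for illustration and are not from the post.

```c
/*
 * Added example (not from the original post or the divert(4) sample):
 * a tiny userland IPS for pf "divert-packet port 700".
 * Assumed policy: drop TCP SYNs to port 22 whose source is not in admin_ips,
 * reinject everything else by writing it back to the divert socket.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#ifdef __OpenBSD__
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#endif

#define DIVERT_PORT 700            /* port from the posted pf rule */
#define SSH_PORT    22
#define TH_SYN      0x02
#define TH_ACK      0x10
#define IP4(a,b,c,d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                      ((uint32_t)(c) << 8)  |  (uint32_t)(d))

enum verdict { VERDICT_REINJECT = 0, VERDICT_DROP = 1, VERDICT_MALFORMED = 2 };

/* Constructed stand-in for the <ADMINIPs> table in the posted rule. */
static const uint32_t admin_ips[] = { IP4(192,0,2,10), IP4(198,51,100,7) };

static int is_admin_ip(uint32_t src)
{
    for (size_t i = 0; i < sizeof admin_ips / sizeof admin_ips[0]; i++)
        if (admin_ips[i] == src) return 1;
    return 0;
}

/* Decide what to do with one diverted IPv4 packet (raw IP header first). */
enum verdict inspect_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return VERDICT_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;       /* IP header length in bytes */
    if (ihl < 20 || len < ihl) return VERDICT_MALFORMED;
    if (pkt[9] != 6) return VERDICT_REINJECT;        /* not TCP: nothing to judge */
    if (len < ihl + 20) return VERDICT_MALFORMED;    /* truncated TCP header */
    uint32_t src   = IP4(pkt[12], pkt[13], pkt[14], pkt[15]);
    uint16_t dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    uint8_t  flags = pkt[ihl + 13];
    /* Only new connections (SYN without ACK) to SSH from non-admins are dropped. */
    if (dport == SSH_PORT && (flags & (TH_SYN | TH_ACK)) == TH_SYN && !is_admin_ip(src))
        return VERDICT_DROP;
    return VERDICT_REINJECT;
}

/* Build a constructed 40-byte IPv4+TCP packet (no options, checksums left 0). */
size_t build_tcp_packet(uint8_t *buf, uint32_t src, uint32_t dst,
                        uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = 6;   /* IPv4/IHL5, len, TTL, TCP */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[32] = 0x50;                                         /* TCP data offset 5 */
    buf[33] = flags;
    return 40;
}

#ifdef __OpenBSD__
/* divert(4) loop: receive, inspect, and write back only what should pass. */
static int divert_loop(void)
{
    struct sockaddr_in sin;
    socklen_t sinlen;
    uint8_t pkt[65535];
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd == -1) { perror("socket"); return -1; }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(DIVERT_PORT);
    sin.sin_addr.s_addr = INADDR_ANY;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == -1) { perror("bind"); close(fd); return -1; }
    for (;;) {
        sinlen = sizeof sin;
        ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&sin, &sinlen);
        if (n == -1) { perror("recvfrom"); break; }
        if (inspect_packet(pkt, (size_t)n) == VERDICT_REINJECT) {
            /* Writing back with the address recvfrom() filled in reinjects it
             * (divert(4)); not writing it back is how a packet is dropped. */
            if (sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&sin, sinlen) == -1)
                perror("sendto");
        }
    }
    close(fd);
    return -1;
}
#endif

int main(void)
{
#ifdef __OpenBSD__
    return divert_loop() == 0 ? 0 : 1;
#else
    uint8_t p[64];   /* off-OpenBSD: just exercise the verdict on a constructed SYN */
    size_t n = build_tcp_packet(p, IP4(203,0,113,5), IP4(192,0,2,1), 40000, SSH_PORT, TH_SYN);
    printf("verdict for non-admin SSH SYN: %d (1 = drop)\n", inspect_packet(p, n));
    return 0;
#endif
}
```

Run it as root on the OpenBSD box with the posted `divert-packet port 700` rule in place; on any other system it only runs the self-check in main. The point the loop makes is that a diverted packet's fate is decided in userland: it is passed by being written back to the socket, and dropped by not being written back.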