pfSense - Allow All Traffic From Host

Hi All,

I have a hardened VM on my network I use to access TOR. I’d like to allow all traffic in and out of the VM to pass through Suricata without anything being blocked.

I’m currently using Legacy Mode on this VLAN. I tried adding an alias with the internal host IP and adding that to a Pass List, but when I attempted to establish a TOR circuit, the rules still fired and blocked the traffic.

I’ve been looking around for an answer to this, but I haven’t found anything useful yet. Everything focuses on adding the external subnets and IP addresses to the pass list, which is not what I want here.

Can anyone point me in the right direction here please?

Thanks!

Where and how do you run Suricata in that setup?
You could try a BPF filter for the interface where Suricata is seeing this traffic.

The Suricata package on pfSense uses a custom output plugin (exclusive to pfSense) to implement blocking. You need to post your Suricata questions for pfSense here: https://forum.netgate.com/category/53/ids-ips. That forum is exclusively for the support of the Suricata package on the pfSense firewall distro.

The custom plugin depends on the FreeBSD pf packet filter engine and a pre-defined pf table created by pfSense at bootup. The custom plugin does not support Aliases.

The solution you seek is to use a custom Pass rule with the IP address of your hardened VM as the destination. Pass rules are evaluated first in the stock pfSense configuration, thus any traffic destined for that IP will be unconditionally passed without any further inspection. Because the VM exists on an internal network (I assume), it will be part of the automatic pass list and its IP will never be blocked anyway. The Pass rule I mentioned will allow any inbound traffic to pass where the destination IP is the hardened VM’s IP address. Of course, for this to work, you must be running Suricata on the LAN (or other internal interface) so that it sees traffic after the typical NAT rules on the WAN are unwound. If running on the WAN, the only local IP address Suricata will see is the WAN’s external public IP.
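To make the "pass rules are evaluated first" point concrete, here is an added example that is not part of the thread and not code from the pfSense Suricata package. It is a small Python model of Suricata's default action order (pass, drop, reject, alert): it parses a constructed two-rule set, one custom pass rule whose destination is the hardened VM and one constructed drop rule that would otherwise fire, and shows which rule decides the verdict for a few constructed packets. The VM address 192.0.2.50 (an RFC 5737 documentation address), the rule SIDs and the tcp/443 drop rule are all assumptions made for the example; the real pfSense blocking plugin and pf table are not modelled.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed rule set. 192.0.2.50 stands in for the hardened VM's IP
# (an assumption for this example; substitute your own address).
RULES_TEXT = """
# Custom pass rule: anything destined for the hardened VM is passed untouched.
pass ip any any -> 192.0.2.50 any (msg:"Pass traffic to hardened VM"; sid:1000001; rev:1;)
# Constructed stand-in for a blocking rule that would otherwise fire.
drop tcp any any -> any 443 (msg:"Example blocking rule on tcp/443"; sid:1000002; rev:1;)
"""

# Suricata's default action order: a matching pass rule wins over any
# drop/reject/alert rule regardless of the order of the rules in the file.
ACTION_ORDER = ("pass", "drop", "reject", "alert")

# Minimal grammar: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>pass|drop|reject|alert)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<options>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    sid: int


def parse_rules(text):
    """Parse the subset of Suricata rule syntax used above; skip comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        sid = int(re.search(r"sid:\s*(\d+)", m["options"]).group(1))
        rules.append(Rule(m["action"], m["proto"], m["src"], m["sport"],
                          m["dst"], m["dport"], sid))
    return rules


def addr_match(spec, addr):
    # "any" matches everything; otherwise treat the spec as a host or CIDR network.
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def port_match(spec, port):
    return spec == "any" or int(spec) == port


def proto_match(spec, proto):
    # The "ip" protocol keyword matches any IP protocol.
    return spec == "ip" or spec == proto


def rule_matches(rule, pkt):
    return (proto_match(rule.proto, pkt["proto"])
            and addr_match(rule.src, pkt["src"]) and port_match(rule.sport, pkt["sport"])
            and addr_match(rule.dst, pkt["dst"]) and port_match(rule.dport, pkt["dport"]))


def verdict(rules, pkt):
    """Return (action, sid) of the first matching rule, walking actions in ACTION_ORDER."""
    for action in ACTION_ORDER:
        for r in rules:
            if r.action == action and rule_matches(r, pkt):
                return action, r.sid
    return "allow", None  # no rule matched at all


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # Constructed packets: two towards the hardened VM, two towards another LAN host.
    samples = [
        {"proto": "tcp", "src": "203.0.113.9", "sport": 40000, "dst": "192.0.2.50", "dport": 443},
        {"proto": "tcp", "src": "203.0.113.9", "sport": 40001, "dst": "192.0.2.77", "dport": 443},
        {"proto": "udp", "src": "203.0.113.9", "sport": 40002, "dst": "192.0.2.50", "dport": 53},
        {"proto": "tcp", "src": "203.0.113.9", "sport": 40003, "dst": "192.0.2.77", "dport": 80},
    ]
    for pkt in samples:
        print(pkt["dst"], pkt["dport"], "->", verdict(rules, pkt))
```

The model shows why the alias-based Pass List attempt in the original question and a custom pass rule behave differently: the pass rule is a signature that short-circuits inspection for any packet whose destination is the VM, so the tcp/443 drop rule never gets a chance to fire for that host, while traffic to other hosts is still evaluated by the drop rule.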