Hello,
I am running suricata-7.0.2-r0 on Alpine Linux 3.19 in an LXC container, installed with apk.
Suricata runs in IPS mode with nfq, I have dedicated chains after the normal nftables chains like
table ip IPS4 {
chain FORWARD4 {
type filter hook forward priority 10; policy accept;
ip version 4 counter queue num 2 bypass
}
}
suricata is started with -q 2,
the nfq config:
nfq = (null)
nfq.mode = accept
nfq.repeat-mark = 1
nfq.repeat-mask = 1
nfq.bypass-mark = 1
nfq.bypass-mask = 1
nfq.route-queue = 10
nfq.fail-open = yes
The system acts as vpn gateway with 2 interfaces, hence with ip_forward=1.
There is only one drop rule as example which is functional.
When there is a TCP connection over the system, e.g. SSH, and it is idle longer than 600 s, the further packets are dropped, probably because of flow-timeouts.tcp.established=600?
Is this behaviour intended?
Is there a workaround?
My conntrack adjustment on the gateway is nf_conntrack_tcp_timeout_established=28800.
–
Thanks!
Stefan
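The post compares two idle timers that disagree: Suricata's flow-timeouts.tcp.established (600 s as stated above) and the kernel's nf_conntrack_tcp_timeout_established (28800 s as stated above). The script below is an added example, not code from the post or from the Suricata project. It replays a constructed packet timeline for one idle SSH session through two toy idle-timeout flow tables and reports the packets where Suricata has already expired the flow while conntrack still holds the established session. The timer semantics (a flow expires once idle for longer than its timeout) and the 5-tuple, timestamps and addresses are assumptions made for the illustration.

```python
# Added example (not from the original post or from Suricata): a toy model of the
# two timers the post compares. Timer semantics are an assumption: a flow is
# expired once it has been idle for longer than the configured timeout.
from dataclasses import dataclass, field

SURICATA_TCP_ESTABLISHED = 600      # flow-timeouts.tcp.established, as stated in the post
CONNTRACK_TCP_ESTABLISHED = 28800   # nf_conntrack_tcp_timeout_established, as stated in the post


@dataclass
class IdleTracker:
    """Minimal idle-timeout flow table keyed by 5-tuple (constructed model)."""
    name: str
    timeout: int
    last_seen: dict = field(default_factory=dict)

    def see(self, key, ts):
        """Return 'new' if the flow was unknown or had expired, else 'known'."""
        prev = self.last_seen.get(key)
        self.last_seen[key] = ts
        if prev is None or ts - prev > self.timeout:
            return "new"
        return "known"


def replay(packets, suri_timeout=SURICATA_TCP_ESTABLISHED, ct_timeout=CONNTRACK_TCP_ESTABLISHED):
    """Feed (timestamp, 5-tuple) packets to both trackers; return per-packet verdicts."""
    suri = IdleTracker("suricata", suri_timeout)
    ct = IdleTracker("conntrack", ct_timeout)
    return [(ts, suri.see(key, ts), ct.see(key, ts)) for ts, key in packets]


def mismatches(results):
    """Timestamps where Suricata starts a new flow but conntrack still holds the session."""
    return [ts for ts, s, c in results if s == "new" and c == "known"]


# Constructed timeline: one forwarded SSH session, active, then idle for 900 s
# (longer than 600 s, shorter than 28800 s), then a keystroke arrives.
SSH_FLOW = ("10.0.0.5", 51234, "10.1.0.9", 22, "tcp")   # hypothetical addresses
TIMELINE = [
    (0, SSH_FLOW),      # handshake / login
    (30, SSH_FLOW),
    (120, SSH_FLOW),    # last activity before the idle gap
    (1020, SSH_FLOW),   # 900 s idle: Suricata flow expired, conntrack still established
    (1025, SSH_FLOW),   # follow-up packet of the session Suricata now treats as new
]

if __name__ == "__main__":
    res = replay(TIMELINE)
    for ts, s, c in res:
        print(f"t={ts:5d}s suricata={s:5s} conntrack={c}")
    print("mismatch at:", mismatches(res))
```

Run as-is it prints the per-packet verdicts and flags t=1020 as the point where the two trackers diverge; passing suri_timeout=28800 to replay() makes the mismatch list empty, which is the gap the post asks about.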