For the XML files you should check the firewalld documentation on direct.xml: Documentation - Direct Interface | firewalld
But once you have this, you can follow our existing documentation at: 13. Setting up IPS/inline for Linux — Suricata 5.0.3 documentation
If you are using the CentOS/EPEL RPM and systemd you’ll probably want to tweak /etc/sysconfig/suricata by removing the -i <interface> option and adding -q 0.
Thank you so much for your help.
The firewalld document said:
It can also be used to add rules to the firewall, that are not supported by firewalld directly, yet. But it advised to use it carefully and only by advanced users.
With that xml file and removing the -i <interface> option and adding -q 0, my Suricata-IDS working as IPS?
I’d argue that this is perhaps advanced usage of firewalld as it does seem a little out of the scope of the built-in firewalld commands.
In theory, yeah, you should have an IPS. You’ll still have to convert some rules to drop though. SID 2100498 might be a good one, then test a curl http://codemonkey.net/testmyids.com.
One aspect not mentioned is the order of app execution. When starting fail2ban and suricata, fail2ban should be started first. Otherwise, suricata could be in the list before fail2ban entries which would defeat the purpose of fail2ban. (i am presuming blocking IPs is less expensive than inspecting packets.)
Below is a partial list of entries in my firewall. Suricata runs IPS and drops packets not blocked by fail2ban.
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
65354 10M f2b-cgp-s tcp – * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
92049 5928K f2b-sri-1 udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
49462 9410K f2b-assp tcp – * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
2087K 909M NFQUEUE all – * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0 bypass
206 48631 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Thank you.
Anyone here that could help me about configuration Suricata-ids with Firewalld?