There are too many suricata processes when run inline using IPFW divert mode

william · January 14, 2023, 3:48am

Hi everyone,

I want IPFW firewall and Suricata to work together. Below is how I do:

Add a IPFW rule in divert mode, like this: ipfw add 100 divert 8000 ip from any to any
Start suricata in inline mode,like this: suricata -c /usr/local/etc/suricata/suricata1.yaml -d 8000 -D

It works for me. But when I add a new firewall rule, I have to start a new suricata process. A suricata process will use about 100MB RAM. So I cannot create too many firewall rules.

Is there any way to solve this problem?

Andreas_Herz · January 17, 2023, 8:26pm

What version are you running and can you please paste your suricata yaml?

william · January 18, 2023, 2:46am

Thank you for your reply.

The Suricata version is 6.0.6

This attachment is my yaml file.
suricata_zg1.yaml (66.5 KB)

Topic		Replies	Views
IPFW woes and workarounds Tips and Tricks ips	1	1213	June 7, 2021
Rules for different network interfaces Help	7	1153	April 30, 2022
How to implement multiple tenants for ipfw mode? Is it difficult? Developers suricata	5	460	February 22, 2023
Suricata on BSD with PF firewall Help	1	669	April 1, 2022
Config Question: Suricata as an IDS + source IP Blocking on VPS w/1 network interface Help	9	1779	February 14, 2022

There are too many suricata processes when run inline using IPFW divert mode

Related Topics