There are too many suricata processes when run inline using IPFW divert mode

william · January 14, 2023, 3:48am

Hi everyone,

I want IPFW firewall and Suricata to work together. Below is how I do:

Add a IPFW rule in divert mode, like this: ipfw add 100 divert 8000 ip from any to any
Start suricata in inline mode,like this: suricata -c /usr/local/etc/suricata/suricata1.yaml -d 8000 -D

It works for me. But when I add a new firewall rule, I have to start a new suricata process. A suricata process will use about 100MB RAM. So I cannot create too many firewall rules.

Is there any way to solve this problem?

Andreas_Herz · January 17, 2023, 8:26pm

What version are you running and can you please paste your suricata yaml?

william · January 18, 2023, 2:46am

Thank you for your reply.

The Suricata version is 6.0.6

This attachment is my yaml file.
suricata_zg1.yaml (66.5 KB)

Topic		Replies	Views
Ipfw: Write to ipfw divert socket failed: Message too long ips	9	24	November 6, 2024
IPFW woes and workarounds Tips and Tricks ips	1	1384	June 7, 2021
Rules for different network interfaces Help	7	1344	April 30, 2022
How to implement multiple tenants for ipfw mode? Is it difficult? Developers suricata	5	513	February 22, 2023
Issues with Suricata Working as IDPS Help ips , rules	3	174	November 4, 2024

There are too many suricata processes when run inline using IPFW divert mode

Related Topics