Support #3225
closed
Added by Dan Collins about 5 years ago.
Updated almost 3 years ago.
Description
I want to set up a bypass rule for any traffic going out from my local network.
Would this work? (This is just an example)
alert tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP out bypass"; bypass; sid:9900001; rev:1;)
And is bypass better for performance than...
pass tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP Ports"; sid:9900001; rev:1;)
Do I understand correctly the bypass feature will turn any TCP rule into a bypass rule by adding 'bypass' to the argument? I cannot find any rule examples of the bypass feature anywhere.
My ultimate goal is performance. Any help or suggestions are appreciated.
- Assignee set to Dan Collins
- Target version set to Support
I do not have the luxury to use BPF or XDP because I am just using the Suricata package in OPNsense.
Another question is: do the default action-order rules still apply, where pass and drop are done before the alert bypass is done?
And by the way, I have tested the above rules and they do work. But now I have concerns that the drop rule is happening before the bypass because of the action-order. If using bypass, shouldn't the alert action be first, or doesn't that matter.
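The action-order concern raised in the comment above, modelled as an added Python example (it is not Suricata code and not from this ticket): it assumes Suricata's documented default action-order of pass, drop, reject, alert and a deliberately simplified header-only rule match with constructed address groups, to show which rule wins when a drop rule and the alert+bypass rule both match the same packet.

```python
import ipaddress
import re
# Default Suricata action-order (suricata.yaml): the earlier action wins when rules collide.
DEFAULT_ACTION_ORDER = ["pass", "drop", "reject", "alert"]
# Constructed address-group values standing in for the ticket's $HOME_NET / $EXTERNAL_NET.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sp>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dp>\S+)\s+\((?P<opts>.*)\)$")

def parse_rule(text):
    m = RULE_RE.match(text.strip())  # header-only parse; option content other than bypass is ignored
    if not m:
        raise ValueError(f"unparsable rule: {text}")
    rule = m.groupdict()
    rule["bypass"] = "bypass;" in rule["opts"]
    return rule

def net_matches(spec, ip):
    spec = VARS.get(spec, spec)  # expand $HOME_NET / $EXTERNAL_NET, honour leading '!'
    if spec == "any":
        return True
    negated = spec.startswith("!")
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != negated

def port_matches(spec, port):
    if spec == "any":
        return True
    lo, _, hi = spec.strip("[]").partition(":")  # accepts "445" or "[0:1023]"
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and net_matches(rule["src"], pkt["src"]) and port_matches(rule["sp"], pkt["sp"])
            and net_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dp"], pkt["dp"]))

def effective_action(rules, pkt, order=DEFAULT_ACTION_ORDER):
    """Return (winning action, whether the winning rule carried 'bypass')."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    if not hits:
        return ("none", False)
    winner = min(hits, key=lambda r: order.index(r["action"]))  # earliest in action-order wins
    return (winner["action"], winner["bypass"])

# Constructed rule set: a drop rule alongside the ticket's alert+bypass rule.
RULES = [parse_rule(r) for r in [
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"block SMB"; sid:9900002; rev:1;)',
    'alert tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP out bypass"; bypass; sid:9900001; rev:1;)',
]]
```

With the default order, a packet matching both rules is dropped and the bypass is not applied; only a packet matched solely by the alert rule ends up bypassed.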
Dan Collins wrote:
And by the way, I have tested the above rules and they do work. But now I have concerns that the drop rule is happening before the bypass because of the action-order. If using bypass, shouldn't the alert action be first, or doesn't that matter with bypass.
- Label deleted (Outreachy)
- Status changed from New to Closed