IPS mode of snort3 is not dropping traffic

My current experiments have gotten to the point where I can block

Test router is 10.1.1.20 on the WAN and 192.168.1.1 on the LAN.

LAN -> router-eth0
Sun May 28 14:56:28 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 192.168.1.121 -> 10.1.1.20
WAN -> router-eth0
Sun May 28 16:06:29 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 10.1.1.200 -> 10.1.1.20
LAN -> WAN
Sun May 28 16:06:52 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 192.168.1.121 -> 10.1.1.200
Sun May 28 16:07:46 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 192.168.1.121 -> 8.8.8.8
LAN -> router-br-lan
Sun May 28 16:08:27 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 192.168.1.121 -> 192.168.1.1
router -> router
Sun May 28 18:14:55 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 10.1.1.20 -> 10.1.1.20
Sun May 28 18:15:36 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 192.168.1.1 -> 192.168.1.1

If I ping from the router to anything else, it gets through: e.g., ping -c4 8.8.8.8 (real WAN), 10.1.1.200 (testing WAN) and 192.168.1.121 (testing LAN) all respond, and no log entries are generated.

I'm using three queues, each in its own chain, along with three threads in snort:

inet snort table with three chains
# nft list table inet snort
table inet snort {
        chain input_ips {
                type filter hook input priority mangle; policy accept;
                counter   queue flags bypass to 4
        }

        chain forward_ips {
                type filter hook forward priority mangle; policy accept;
                counter   queue flags bypass to 5
        }

        chain prerouting_ips {
                type filter hook prerouting priority mangle; policy accept;
                counter   queue flags bypass to 6
        }
}
  1. Has anyone been able to block pings originating from the router itself? (This seems like a major item, as if your router is compromised, lateral movement through the network is really trivial.)

  2. Has anyone found a good reference for rule syntax? My attempts to create an ICMPv6 equivalent test rule have all failed.
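Why the router's own pings never reach Snort, as an added example that is not part of the original post: the posted ruleset queues the prerouting, input and forward hooks, but a packet the router itself generates traverses only the output and postrouting hooks, so it is never handed to any of the three queues; a queue rule in a chain of `type filter hook output` is what would cover it. The same hook walk shows two other things a practitioner would want to know about this layout: an inbound packet is queued twice, once at prerouting and again at input or forward, to two different queues and therefore two different Snort threads; and `flags bypass` means packets are accepted rather than dropped whenever nothing is bound to the queue. The script below encodes the Netfilter hook order for each flow type, parses the alert lines quoted in the post, and reports at which queued hook each flow was inspected. The router addresses and queued hooks are those in the post; the router -> 8.8.8.8 flow is a constructed case for which the post reports no alert.

```python
"""Map Snort 3 alerts to the netfilter hooks the packet traverses on the router.

Added example, not part of the original post.  Router addresses and the
queued hooks are taken from the post; the alert lines below are copied from
it, and the router-originated flow is a constructed case for which the post
reports no alert.
"""
import re
from ipaddress import ip_address

# Router's own addresses (from the post): WAN and LAN side.
ROUTER_ADDRS = frozenset({ip_address("10.1.1.20"), ip_address("192.168.1.1")})

# Hooks that carry a 'queue' rule in the posted ruleset.
QUEUED_HOOKS = frozenset({"prerouting", "input", "forward"})

# Snort 3 syslog alert line as it appears in the post (IPv4, optional :port).
ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r'"(?P<msg>[^"]*)" \{(?P<proto>\w+)\} '
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)


def hooks_for_flow(src, dst, router_addrs=ROUTER_ADDRS):
    """Netfilter hooks a packet from src to dst traverses, in order.

    Locally generated packets never see prerouting, input or forward; they
    go output -> postrouting.  A packet the router sends to itself loops
    back over lo and is then seen again at prerouting -> input.
    """
    local_src = ip_address(src) in router_addrs
    local_dst = ip_address(dst) in router_addrs
    if local_src and local_dst:
        return ["output", "postrouting", "prerouting", "input"]
    if local_src:
        return ["output", "postrouting"]
    if local_dst:
        return ["prerouting", "input"]
    return ["prerouting", "forward", "postrouting"]


def queued_hooks(src, dst, queued=QUEUED_HOOKS):
    """Hooks at which this flow is handed to Snort; empty means never inspected."""
    return [h for h in hooks_for_flow(src, dst) if h in queued]


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def report(lines, queued=QUEUED_HOOKS):
    """For each alert line: (src, dst, hooks at which the flow was queued to Snort)."""
    rows = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        rows.append((a["src"], a["dst"], queued_hooks(a["src"], a["dst"], queued)))
    return rows


# Alert lines copied from the post.
SAMPLE_ALERTS = [
    'Sun May 28 14:56:28 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 192.168.1.121 -> 10.1.1.20',
    'Sun May 28 16:06:29 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 10.1.1.200 -> 10.1.1.20',
    'Sun May 28 16:07:46 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 192.168.1.121 -> 8.8.8.8',
    'Sun May 28 16:08:27 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 192.168.1.121 -> 192.168.1.1',
    'Sun May 28 18:14:55 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 10.1.1.20 -> 10.1.1.20',
]

# Constructed case: the router pinging out, for which the post reports no alert.
ROUTER_EGRESS = ("10.1.1.20", "8.8.8.8")

if __name__ == "__main__":
    for src, dst, hooks in report(SAMPLE_ALERTS):
        print(f"{src:>15} -> {dst:<15} queued at {hooks}")
    print("router egress, posted ruleset:", queued_hooks(*ROUTER_EGRESS))
    print("router egress, with output hook queued:",
          queued_hooks(*ROUTER_EGRESS, queued=QUEUED_HOOKS | {"output"}))
```

Every alert quoted in the post maps to a flow that touches prerouting plus input or forward, which is exactly the set the ruleset queues; the router -> 8.8.8.8 flow maps to an empty list under the posted ruleset and to `["output"]` once the output hook is added to the queued set.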