In IPS mode you can block traffic bridged between two network interfaces using the following actions:
drop: A packet matching a signature is discarded immediately and is not forwarded. The receiver never gets it, so the connection times out. All subsequent packets of that flow are dropped as well.
reject: An active rejection of the packet: both sender and receiver receive a reject packet. For TCP this is a RST packet; for all other protocols it is an ICMP error packet.
Note
Suricata generates an alert for both actions, in addition to dropping or rejecting the packet.
To enable IPS or inline mode (the "Firewall" service type in Contrail), use one of the following:
Netfilter (NFQ) on Linux.
Note
NFQ supports processing with multiple queues; the queues must be specified explicitly both in the iptables rules and on the Suricata command line, and the two must agree. For example, to load-balance traffic across four queues:
iptables -A INPUT -j NFQUEUE --queue-balance 0:3
suricata -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3
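As an added example (not from this page or the Suricata project), the following POSIX shell script generates the iptables NFQUEUE load-balancing rules and the matching Suricata -q options from a single queue count, so the two cannot drift apart: a queue that appears in the iptables range but has no -q on the Suricata side receives packets that nobody processes. It keeps the config path /etc/suricata/suricata.yaml from the commands above; the FAIL_OPEN variable and the choice to inspect INPUT, OUTPUT and FORWARD are assumptions. Note that an INPUT rule alone, as above, only sends traffic destined to the host itself through Suricata; replies need an OUTPUT rule and routed traffic a FORWARD rule. The script only prints commands.

```shell
#!/bin/sh
# Added example, not code from the Suricata project: emit matching iptables
# NFQUEUE load-balancing rules and Suricata -q options for N queues.
# Assumptions (hypothetical): Suricata config at /etc/suricata/suricata.yaml,
# inspection wanted on INPUT, OUTPUT and FORWARD, and FAIL_OPEN=1 selecting
# --queue-bypass. The script only prints commands; pipe its output to sh
# as root to apply them.

# --queue-balance range for N queues, e.g. 4 -> "0:3".
nfq_queue_range() {
    n="$1"
    case "$n" in
        ''|*[!0-9]*|0) echo "queue count must be a positive integer" >&2; return 1 ;;
    esac
    echo "0:$((n - 1))"
}

# Matching Suricata options, e.g. 4 -> "-q 0 -q 1 -q 2 -q 3".
# Every queue in the iptables range needs a -q; packets sent to a queue with
# no listener are dropped (or passed uninspected with --queue-bypass).
suricata_queue_args() {
    n="$1"
    i=0
    out=""
    while [ "$i" -lt "$n" ]; do
        out="${out:+$out }-q $i"
        i=$((i + 1))
    done
    echo "$out"
}

# One iptables rule per chain. Without --queue-bypass the kernel drops queued
# packets while Suricata is not running (fail-closed); with FAIL_OPEN=1 they
# are accepted uninspected instead (fail-open), which is rarely what an IPS
# deployment wants.
nfq_iptables_rules() {
    n="$1"
    range="$(nfq_queue_range "$n")" || return 1
    bypass=""
    if [ "${FAIL_OPEN:-0}" = "1" ]; then
        bypass=" --queue-bypass"
    fi
    for chain in INPUT OUTPUT FORWARD; do
        echo "iptables -A $chain -j NFQUEUE --queue-balance ${range}${bypass}"
    done
}

# Full setup: firewall rules followed by the Suricata command line.
nfq_setup() {
    n="$1"
    nfq_iptables_rules "$n" || return 1
    echo "suricata -c /etc/suricata/suricata.yaml $(suricata_queue_args "$n")"
}

# Usage: sh nfq_setup.sh 4        (review the output, then: sh nfq_setup.sh 4 | sh)
if [ $# -gt 0 ]; then
    nfq_setup "$1"
fi
```

Keep the default fail-closed behaviour unless you have consciously decided that an unavailable Suricata should let traffic through; either way, the rules should be removed (iptables -D) when Suricata is stopped deliberately.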
A divert socket on FreeBSD.
A layer 2 Linux bridge (AF_PACKET), which supports automatic load balancing for better performance.
PF_RING ZC, for further performance gains, if your NIC supports Zero Copy (ZC) mode.