I’m a long-time fan of the Lawrence Systems YouTube channel and I’m running pfSense (virtualized), FreeNAS, etc. with the help of these great videos.
Currently I’m changing the Suricata interfaces from “WAN only/catch all” to all individual networks (15). While this consumes a lot more memory, it also gives me more insight into the local IP addresses in an alert. All of this is based on the video: https://www.youtube.com/watch?v=S0-vsjhPDN0
Thing is, I’m also running local services (on pfSense) like OpenVPN and ACME auto certificate updates from Let’s Encrypt using TLS-ALPN on port 443.
If I switch to monitoring (and blocking alerts) on all interfaces (except WAN) in Suricata, do I lose protection of these internal services? A.k.a., on which interfaces are these services ‘attached’?
Thanks for your reply. Yes, I understand. But what I don’t understand is on what interface the local services (meaning the services running inside pfSense, like OpenVPN, ACME, etc.) are. I want to protect those as well. If I selected WAN in Suricata, I assume everything is protected. But now I’m switching to the LAN side (all the individual VLAN interfaces) to reduce the noise and be able to see the actual internal IPs instead of the WAN IP. But I’m not sure if the local services are then still protected. Do you understand where I’m going?