I’m a long-time fan of the Lawrence Systems YouTube channel and I’m running pfSense (virtualized), FreeNAS etc. with the help of these great videos.
Currently I’m changing the Suricata interfaces from “WAN only/catch all” to all individual networks (15). While this consumes a lot more memory, it also gives me more insight into the local IP addresses on an alert. All of this is based on the video: https://www.youtube.com/watch?v=S0-vsjhPDN0
Thing is, I’m also running local services (on pfSense) like OpenVPN and ACME auto certificate updates from Letsencrypt using TLS-ALPN on port 443.
If I switch to monitoring (and blocking alerts) on all interfaces (except WAN) in Suricata, do I lose protection of these internal services? A.k.a. on which interfaces are these services ‘attached’?