# DRAFT: RedHat EL 9 AF_PACKET IPS Guide
This guide should help you configure a RedHat EL 9 machine to be a Suricata AF_PACKET IPS host.
This guide assumes there are 3 network ports available. 2 ports will be the IPS devices, and one port will be management interface. For the examples in this guide the following interfaces are used:
- enp1s0: management port
- enp7s0: ips device 1
- enp8s0: ips device 2
## Configure an Interface to be Up with No Address
As Suricata will copy packets received on `enp7s0` directly out to `enp8s0`, and packets received on `enp8s0` directly out `enp7so`, it is suggested that these devices that make up the IPS pair do not have IP addresses. If they did have IP addresses, and connections were made to those addresses, Suricata will still forward the packets out the other end, which is usually not a desirable behaviour. So its best to just remove the IP addresses from these devices.
Using `nmcli connection show`, find the profile name of the first device to be configured as an IPS device.
Example output:
```
NAME UUID TYPE DEVICE
enp1s0 ff38e481-bdca-33e4-97b2-510a56eeded0 ethernet enp1s0
lo ca86ef74-fd4f-48bb-9fa1-80e87b20786e loopback lo
Wired connection 1 2263d886-f3af-3d06-9d20-e86a40e74617 ethernet enp7s0
Wired connection 2 6c5cc13e-48a1-34d1-8018-280c03b5d2a8 ethernet enp8s0
```
in this example we are configuring `enp7s0` and `enp8s0` to be the devices that form the IPS pair. We want these devices to be configured in an `up` state but without IP addresses.
Optional: Rename the network profiles. For this guide, we'll give the network profiles a name that matches their purpose:
- Rename "Wired connection 1" to "IPS1":
```
nmcli connection modify "Wired connection 1" connection.id IPS1
```
- Rename "Wired connection 2" to "IPS2":
```
nmcli connection modify "Wired connection 2" connection.id IPS2
```
Now configure the IPS1 and IPS2 connection to have no IP addresses, but still be in an *up* state:
```
nmcli connection modify IPS1 ipv4.method disabled connection.autoconnect yes
nmcli connection modify IPS1 ipv6.method disabled connection.autoconnect yes
nmcli connection modify IPS2 ipv4.method disabled connection.autoconnect yes
nmcli connection modify IPS2 ipv6.method disabled connection.autoconnect yes
```
Now reboot to test that this configuration sticks over a reboot.
After a reboot, you should see that your IPS network devices are up but do not have an ip address:
```
$ ip a
3: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:db:41:ab brd ff:ff:ff:ff:ff:ff
4: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:6a:3f:96 brd ff:ff:ff:ff:ff:ff
```
## Example `af-packet` Suricata Configuration
```
af-packet:
- interface: enp7s0
threads: auto
cluster-type: cluster_flow
cluster-id: 7
copy-mode: ips
copy-iface: enp8s0
use-mmap: yes
- interface: enp8s0
threads: auto
cluster-id: 8
cluster-type: cluster_flow
copy-mode: ips
copy-iface: enp7s0
use-mmap: yes
```
## References
https://docs.suricata.io/en/latest/setting-up-ipsinline-for-linux.html#setting-up-ips-at-layer-2
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-configuring_ip_networking_with_nmcli
Sign in with Wallet
Connect another wallet