Hi everyone,
I currently have a case in which my Network Firewall runs in the **Drop-all-established** mode and Alert. I also followed the centralized inspection design, which uses a Network Firewall to inspect all traffic inbound/outbound and cross-VPC in the AWS environment.
So I have a standard rule group to manage traffic between zones.
By the way, traffic going to a specific domain could not be leveraged on that rule group (I don't want to convert the domain to IP to add into the rule group). Then, I created a domain list rule group to add all domains that I would like the private resource to access. But it is not working; the domain in the domain list is somewhat like the below:
.example1.com
.example2.com
After that, I found an article about that, and I have to add one more Suricata-compatible rule group to define the flows:
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".example1.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:1; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".example1.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:2; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".example2.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:3; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".example2.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:4; rev:1;)
The question is:
- I still do not understand why we need to configure 2 rule groups in order to allow specific domain access (I tried to remove one, and it does not work)
- Is there any other way to do this? (I may be missing the concept, so it makes me do it in a complex way)
Thank you so much!
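As an added illustration (not part of the question above, and not AWS or Suricata code): the `dotprefix` and `endswith` keywords in the quoted pass rules decide which hostnames and SNIs the allowlist covers. This Python simulation of those keyword semantics, with the four rules from the post embedded as constructed input, shows why `.example1.com` matches `www.example1.com` and `example1.com` but not `notexample1.com` or `example1.com.other.test`, which would instead fall through to the drop-established default.

```python
import re
from typing import Optional

# The four Suricata pass rules quoted in the post (constructed copy for this example).
RULES = [
    'pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".example1.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:1; rev:1;)',
    'pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".example1.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:2; rev:1;)',
    'pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".example2.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:3; rev:1;)',
    'pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".example2.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:4; rev:1;)',
]

RULE_RE = re.compile(r"^pass (?P<proto>\w+) .*?\((?P<opts>.*)\)$")


def parse_rule(rule: str) -> dict:
    """Extract the sticky buffer, content and transform keywords from one pass rule."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unrecognised rule: {rule}")
    opts = [o.strip() for o in m.group("opts").split(";") if o.strip()]
    content = next(o.split(":", 1)[1].strip('"') for o in opts if o.startswith("content:"))
    sid = int(next(o.split(":", 1)[1] for o in opts if o.startswith("sid:")))
    return {"proto": m.group("proto"), "content": content, "sid": sid,
            "dotprefix": "dotprefix" in opts, "endswith": "endswith" in opts,
            "nocase": "nocase" in opts}


def rule_matches(rule: dict, proto: str, name: str) -> bool:
    """Apply the rule's keywords to one http.host / tls.sni value the way the rule is written."""
    if rule["proto"] != proto:
        return False
    buf = name
    if rule["dotprefix"]:
        buf = "." + buf  # dotprefix: prepend a dot so the content only matches at a label boundary
    content = rule["content"]
    if rule["nocase"]:  # only the tls rules in the post carry nocase
        buf, content = buf.lower(), content.lower()
    return buf.endswith(content) if rule["endswith"] else content in buf


def allowed(proto: str, name: str) -> Optional[int]:
    """Return the sid of the first pass rule that matches, else None (flow is left to drop-established)."""
    for rule in (parse_rule(r) for r in RULES):
        if rule_matches(rule, proto, name):
            return rule["sid"]
    return None


if __name__ == "__main__":
    for proto, name in [("http", "www.example1.com"), ("tls", "Example2.com"),
                        ("http", "notexample1.com"), ("tls", "example1.com.other.test")]:
        print(f"{proto:4} {name:28} -> sid {allowed(proto, name)}")
```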