AWS firewall suricata rules not working as expected

Question

i am trying to understand how aws based suricata rules work. With these two rules below, all websites are working and i expect only for google.com to work. Am i missing any thing ? i understand that the order is pass, and then drop. i added the drop tcp with flow so tls.sni will be evaluated and the pass rule will work. It seems like it is working BUT i expected all other sites that don't match to not work ? (i have tried the DOMAIN LIST rule and that too doesn't work)

NOTE - default order is in use, no stateless rules, forwarding frag and no frag packets is configured, INT network forward to FW SUBNET and then to the NAT SUBNET which then forward to IGW. HOME_NET is the VPC CIDR and EXTERNAL_NET is 0.0.0.0/0

Rule 1
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:".google.com"; nocase; endswith; msg:"pp-Permit HTTPS access"; sid:1000001; rev:1;)

Rule 2
drop tcp $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; msg:"pp-Deny all other TCP traffic"; sid: 1000003; rev:1;)

Accepted Answer

FYI, this was resolved.

In case any body is interested - This happened to be a routing issue. The NAT gateway subnet routing table had to include a return path explicitly via the firewall (gateway load balancer vpce-xxxx) entry. What's more troubling is that there is a lack of troubleshooting techniques and no mention in any documentation. I found one doc but that seems to suggest this is not required as the NAT gateway typically return the traffic from the same source it has received / which is not true.

AWS firewall suricata rules not working as expected

Contenus pertinents