Suricata

Dan Collins wrote:

I want to setup a bypass rule for any traffic going out from my local network.

Would this work? (This is just an example)
alert tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP out bypass"; bypass; sid:9900001; rev:1;)
And is bypass better for performance than...
pass tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP Ports"; sid:9900001; rev:1;)

Do I understand correctly the bypass feature will turn any TCP rule into a bypass rule by adding 'bypass' to the argument? I cannot find any rule examples of the bypass feature anywhere.

My ultimate goal is for performance. Any help or suggestions is appreciated.

I do not have the luxury to use BPF or XDP because I am just using the Suricata package in OPNsense.

Another question is, Do the default action-order rules still apply where pass and drop are done before the alert bypass is done?

And by the way, I have tested the above rules and they do work. But now I have concerns that the drop rule is happening before the bypass because of the action-order. If using bypass, shouldn't the alert action be first, or doesn't that matter.

Dan Collins wrote:

And by the way, I have tested the above rules and they do work. But now I have concerns that the drop rule is happening before the bypass because of the action-order. If using bypass, shouldn't the alert action be first, or doesn't that matter with bypass.