@lluisclava said in Suricata Disabled by user rule, in blocked hosts again:
Dear bmeeks,
Thanks for your answer.
Yes, I cleared all the blocked hosts and checked that the rule is disabled on the WAN and LAN side. And it keeps blocking again and again....
Any idea?
What kind of rules do you think are important to enable on WAN, and which on LAN?
Thanks again!
If you are a home user, enable zero rules on the WAN. Do not even put Suricata (or Snort) on the WAN if you are a home user. Nothing but useless noise alerts/blocks on your WAN so long as you leave pfSense configured with the default "deny all inbound" rule intact. And by the way, it is extremely wasteful of firewall resources to run the same rules on the WAN and LAN. What would be the point of that?
If you have a disabled rule still blocking, then the most likely cause of that is you have multiple instances of Suricata running on the same interface. When that happens, one of the instances will not respond to any GUI changes.
Execute this command from a CLI session on the firewall:
ps -ax | grep suricata
You should not see any duplicate output lines. You should see only one unique line per configured instance (for you, likely one for LAN and one for WAN). If you see duplicates, then go to the GUI INTERFACES tab for Suricata and stop all the configured interfaces. Return to the CLI session and repeat the command above and see if any Suricata processes remain. If you see any, kill them with this command:
kill -9 <pid>
where <pid> is the process ID of each still-running instance.
Now go back to the INTERFACES tab and manually start your configured instances.
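The duplicate-instance check described in the reply above can be scripted so that the per-interface count is reported instead of eyeballed. The following is an added example, not code from the post or from the pfSense Suricata package; it assumes that each Suricata process carries an `-i <interface>` argument on its command line, and the sample `ps` output it parses is constructed here for illustration (the real input on the firewall is `ps -ax`).

```shell
#!/bin/sh
# Added example: find interfaces that have more than one Suricata process.
# Assumption: the Suricata command line includes "-i <iface>" (constructed
# sample below; on the firewall, pipe the real output of `ps -ax` in instead).
SAMPLE_PS='12345  -  Ss   0:12.34 /usr/local/bin/suricata -i em0 -D -c /path/to/suricata_em0.yaml
12399  -  Ss   0:01.20 /usr/local/bin/suricata -i em1 -D -c /path/to/suricata_em1.yaml
12777  -  Ss   0:00.45 /usr/local/bin/suricata -i em1 -D -c /path/to/suricata_em1.yaml
13001  0  S+   0:00.00 grep suricata'

# suricata_instances: read ps output on stdin, print "<iface> <count>" per interface.
# Only lines that contain both "suricata" and an "-i" argument are counted, so the
# grep process itself is ignored.
suricata_instances() {
    awk '/suricata/ {
        for (i = 1; i <= NF; i++) if ($i == "-i") count[$(i+1)]++
    } END { for (k in count) print k, count[k] }' | sort
}

# duplicate_ifaces: print the interfaces that have more than one process.
# An empty result means the "one line per configured instance" rule holds.
duplicate_ifaces() {
    suricata_instances | awk '$2 > 1 { print $1 }'
}

# pids_for_iface: print the PID (first ps column) of every Suricata process bound
# to the given interface, i.e. the candidates to stop once the GUI has been told
# to stop that interface and a process still remains.
pids_for_iface() {
    iface="$1"
    awk -v want="$iface" '/suricata/ {
        for (i = 1; i <= NF; i++) if ($i == "-i" && $(i+1) == want) print $1
    }'
}

# Stand-alone run against the constructed sample: reports "em1" as duplicated.
printf '%s\n' "$SAMPLE_PS" | duplicate_ifaces
```

On the firewall the same functions are driven with real data, e.g. `ps -ax | duplicate_ifaces`, and `ps -ax | pids_for_iface em1` lists the PIDs to inspect after stopping the interface from the INTERFACES tab. The `/suricata/` guard plus the `-i` lookup means the `grep suricata` line that `ps -ax | grep suricata` would show is never counted as an instance.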