pass list not working
-
Hello all,
I have been searching the forums and the net up and down but I am unable to find a solution. My environment is this:
pfsense: 2.5.2-RELEASE (amd64) built on Fri Jul 02 15:33:00 EDT 2021 FreeBSD 12.2-STABLE.
This pfSense is a VM sitting between other VMs and the web. It is protecting some servers running on the LAN side. I am currently running both (as a test; it did work till a few weeks ago) Snort (4.1.4_3) and Suricata (6.0.3_3). I have set up a "Firewall Alias IP list" named "All_Allowed_Ips" with a few IPs of servers on the WAN side which should never be blocked. In Suricata I created a Pass List called "Suricata_Whitelist" and I added that "All_Allowed_Ips" as an assigned alias to it. I then assigned that pass list to the Suricata WAN interface and restarted the service.
The issue is this: one IP address on this aliased "All_Allowed_Ips" list KEEPS getting blocked! I tried everything: creating new pass lists, new alias lists, rebooting the whole pfSense, checking for updates, etc., but it ain't working; this IP is getting blocked multiple times a day. I know this because connections fail between servers, and the IP shows up in the Diagnostics -> Tables -> snort2c list.
What I also find (and I don't know if that's by design or related): when I go to the Suricata WAN interface and click the View List button by Pass List, it does not show ANY IP from the aliased whitelist (it only shows the LAN IPs, the gateway and the DNS). I am out of ideas, anybody know where I can look? Thanks!
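A quick way to check the symptom described above from the pfSense shell is to compare the alias table with the snort2c block table. This is an added example, not code from the thread; it assumes pfSense has loaded the alias "All_Allowed_Ips" as a pf table of the same name, and the sample addresses below are constructed.

```shell
#!/bin/sh
# blocked_whitelisted ALIAS_LIST TABLE_LIST
#   $1: newline-separated contents of the pass-list alias
#   $2: newline-separated contents of pf's snort2c table
# Prints every address that is in both lists, i.e. whitelisted
# addresses that Snort/Suricata has nevertheless blocked.
blocked_whitelisted() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    # drop comments, blank lines and the leading spaces pfctl prints
    printf '%s\n' "$1" | sed 's/[[:space:]]*#.*//; s/^[[:space:]]*//' \
        | grep -v '^$' | sort -u > "$a"
    printf '%s\n' "$2" | sed 's/^[[:space:]]*//' \
        | grep -v '^$' | sort -u > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample data (documentation ranges, not real hosts):
ALIAS_SAMPLE='203.0.113.10   # app server
203.0.113.11
198.51.100.7'
TABLE_SAMPLE='   198.51.100.7
   192.0.2.55
   203.0.113.99'

# Demo on the samples; prints 198.51.100.7
blocked_whitelisted "$ALIAS_SAMPLE" "$TABLE_SAMPLE"

# On a real pfSense box the two lists come straight from pf
# (alias name is an assumption, adjust to your own):
#   blocked_whitelisted "$(pfctl -t All_Allowed_Ips -T show)" \
#                       "$(pfctl -t snort2c -T show)"
```

Any address the function prints can be released with `pfctl -t snort2c -T delete <ip>` while the pass-list fix is pending, but it will be re-added on the next alert until the pass list actually contains it.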
-
There is an identified bug in the way the Pass List logic parses certain types of Aliases. This bug crept in as a result of fixing a different issue a few months back.
The fix has been posted, but has not yet been merged into the production package. Here is a link to the active pull request on GitHub: https://github.com/pfsense/FreeBSD-ports/pull/1117. If you are competent with PHP programming, you can manually edit the affected file and fix the issue yourself. Or else wait for the Netgate team to get the pull request merged into production. I'm not sure what that timeline is, though. I suspect they are all quite busy working on the 22.01 pfSense+ update.
-
@bmeeks I edited the suricata.inc and restarted the service. Now I do see all the IP addresses from the aliased whitelist. Thank you very much!!