Netgate Discussion Forum

    CARP block rule added by Snort package

    General pfSense Questions
    6 Posts 2 Posters 1.3k Views
    Sander88

      Hi,

      I'm seeing a lot of CARP blocks (a few every second) on my primary pfSense node (part of a cluster of 2 nodes). This traffic is blocked by rule id 1000000201 which is created by the Snort package.

      less /tmp/rules.debug

      …

      Snort package

      block log quick from <snort2c> to any tracker 1000000117 label "Block snort2c hosts"
      block log quick from any to <snort2c> tracker 1000000118 label "Block snort2c hosts"
      block in log quick proto carp from (self) to any tracker 1000000201
      pass  quick proto carp tracker 1000000202 no state
      …

      I have a few questions, I hope someone knows:

      • Why is this rule created?
      • Why does snort interfere with CARP?
      • Can this rule be changed (disable logging)?

      Thanks.

      Best regards,
      Sander Peterse

      doktornotor

        That rule is NOT added by Snort. At all. Read /etc/inc/filter.inc

        https://github.com/pfsense/pfsense/blob/master/src/etc/inc/filter.inc#L4027

        Sander88

          Yeah you are right there. The comment suggests it's created by the Snort package (I guess there is a line break missing in the rules.debug file).

          Any idea why this rule is created? I guess there is a good reason for it ;)

          doktornotor

            @Sander88:

            Any idea why this rule is created? I guess there is a good reason for it ;)

            See https://redmine.pfsense.org/issues/5800

            Sander88

              Thanks, it makes sense. I will try to disable logging for this rule to prevent it from spamming the log (80% of the filter log contains this message).

              doktornotor

                Not sure whether it's normal or not, anyway, the logging apparently is configurable via GUI.

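Added example, not code from the thread or from the pfSense project: a small Python script that maps tracker ids from the rules.debug excerpt above back to their rules (so a logged tracker like 1000000201 can be tied to the right rule and section) and measures how much of a filter log each tracker produces, which is the "80% of the filter log" complaint in the thread. Assumed, not taken from the page: that the "Snort package" section comment starts with "#", the pfSense filterlog CSV field order (tracker id in the fourth field), and the constructed log lines.

```python
import re
from collections import Counter

# Rules lifted from the rules.debug excerpt in the first post; the comment line is
# assumed to start with "#", which is how pfSense marks package sections in that file.
RULES_DEBUG = """\
# Snort package
block log quick from <snort2c> to any tracker 1000000117 label "Block snort2c hosts"
block log quick from any to <snort2c> tracker 1000000118 label "Block snort2c hosts"
block in log quick proto carp from (self) to any tracker 1000000201
pass  quick proto carp tracker 1000000202 no state
"""
RULE_RE = re.compile(r'^(?P<action>block|pass)\b(?P<body>.*?)\btracker\s+(?P<tracker>\d+)')

def parse_rules(text):
    """Map tracker id -> rule facts. Comment and blank lines never match RULE_RE."""
    rules = {}
    for line in (l.strip() for l in text.splitlines()):
        m = RULE_RE.match(line)
        if not m:
            continue
        label = re.search(r'label\s+"([^"]*)"', line)
        rules[int(m['tracker'])] = {'action': m['action'], 'raw': line,
                                    'log': re.search(r'\blog\b', m['body']) is not None,
                                    'label': label.group(1) if label else ''}
    return rules

# Constructed filterlog lines (not from the thread). Assumed pfSense CSV layout, whose
# fourth field is the tracker id: rule,subrule,anchor,tracker,interface,reason,action,dir,...
FILTERLOG = """\
Jan 10 10:00:00 fw1 filterlog: 12,,,1000000201,igb0,match,block,in,4,0x0,,255,1,0,none,112,carp,56,192.0.2.1,224.0.0.18
Jan 10 10:00:00 fw1 filterlog: 12,,,1000000201,igb1,match,block,in,4,0x0,,255,2,0,none,112,carp,56,10.0.0.1,224.0.0.18
Jan 10 10:00:01 fw1 filterlog: 12,,,1000000201,igb0,match,block,in,4,0x0,,255,3,0,none,112,carp,56,192.0.2.1,224.0.0.18
Jan 10 10:00:01 fw1 filterlog: 12,,,1000000201,igb1,match,block,in,4,0x0,,255,4,0,none,112,carp,56,10.0.0.1,224.0.0.18
Jan 10 10:00:02 fw1 filterlog: 9,,,1000000117,igb0,match,block,in,4,0x0,,54,5,0,DF,6,tcp,60,198.51.100.7,192.0.2.10,4444,22
"""

def tracker_counts(log_text):
    counts = Counter()  # filterlog entries per tracker id
    for line in log_text.splitlines():
        if 'filterlog:' in line:
            fields = line.split('filterlog:', 1)[1].strip().split(',')
            counts[int(fields[3])] += 1
    return counts

def attribute(rules_text, log_text):
    # Join entries-per-tracker with the rule that produced them; share is in 0..1.
    rules, counts = parse_rules(rules_text), tracker_counts(log_text)
    total = sum(counts.values())
    return {t: dict(rules.get(t, {'raw': 'unknown tracker'}), count=n, share=n / total)
            for t, n in counts.items()}
```

Run `attribute(RULES_DEBUG, FILTERLOG)` to see that the CARP rule carries "log" while the matching pass rule (1000000202) does not, and what fraction of the sample log it accounts for.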
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.