CARP block rule added by Snort package
-
Hi,
I'm seeing a lot of CARP blocks (a few every second) on my primary pfSense node (part of a cluster of 2 nodes). This traffic is blocked by rule id 1000000201, which is created by the Snort package.
less /tmp/rules.debug
…
# Snort package
block log quick from <snort2c> to any tracker 1000000117 label "Block snort2c hosts"
block log quick from any to <snort2c> tracker 1000000118 label "Block snort2c hosts"
block in log quick proto carp from (self) to any tracker 1000000201
pass quick proto carp tracker 1000000202 no state
…
I have a few questions; I hope someone knows:
- Why is this rule created?
- Why does snort interfere with CARP?
- Can this rule be changed (disable logging)?
Thanks.
Best regards,
Sander Peterse
-
That rule is NOT added by Snort. At all. Read /etc/inc/filter.inc
https://github.com/pfsense/pfsense/blob/master/src/etc/inc/filter.inc#L4027
-
Yeah, you are right there. The comment suggests it's created by the Snort package (I guess there is a line break missing in the rules.debug file).
Any idea why this rule is created? I guess there is a good reason for it ;)
-
Any idea why this rule is created? I guess there is a good reason for it ;)
See https://redmine.pfsense.org/issues/5800
-
Thanks, it makes sense. I will try to disable logging for this rule to prevent it from spamming the log (80% of the filter log contains this message).
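To check how much of the filter log really comes from one tracker id before touching the rule, here is a small parser for pfSense filterlog lines, grouped by tracker. This is an added example, not code from the thread or from pfSense; the log lines below are constructed, and the field positions (tracker as the 4th comma-separated field, protocol text as the 17th for IPv4) follow the pfSense filterlog layout.

```python
"""Summarise pfSense filterlog entries by tracker id.

Added example (not from the thread). The sample lines are constructed to
look like /var/log/filter.log on pfSense 2.2+; only the tracker, action
and protocol-text fields are used, so the rest of each line is illustrative.
"""
from collections import Counter

# Constructed sample log lines: three CARP blocks from tracker 1000000201
# (the filter.inc rule discussed in the thread), one snort2c block, one pass.
SAMPLE_LOG = """\
Jan 10 12:00:00 fw1 filterlog: 5,,,1000000201,em0,match,block,in,4,0x0,,255,0,0,DF,112,carp,36,192.0.2.2,224.0.0.18
Jan 10 12:00:00 fw1 filterlog: 5,,,1000000201,em0,match,block,in,4,0x0,,255,0,0,DF,112,carp,36,192.0.2.2,224.0.0.18
Jan 10 12:00:01 fw1 filterlog: 9,,,1000000118,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,192.0.2.1,54321,22,0,S
Jan 10 12:00:01 fw1 filterlog: 5,,,1000000201,em0,match,block,in,4,0x0,,255,0,0,DF,112,carp,36,192.0.2.2,224.0.0.18
Jan 10 12:00:02 fw1 filterlog: 7,,,1000000103,em1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,78,192.0.2.1,192.0.2.53,5353,53,58
"""

# Field indexes in the CSV part of a filterlog line (IPv4 layout).
F_TRACKER, F_ACTION, F_IPVER, F_PROTO_TEXT = 3, 6, 8, 16


def parse_filterlog(text):
    """Return one dict per filterlog line; lines without 'filterlog: ' are skipped."""
    entries = []
    for line in text.splitlines():
        if "filterlog: " not in line:
            continue
        fields = line.split("filterlog: ", 1)[1].split(",")
        if len(fields) <= F_PROTO_TEXT:
            continue  # truncated or non-IPv4 line; ignore for this summary
        entries.append({
            "tracker": fields[F_TRACKER],
            "action": fields[F_ACTION],
            "ipver": fields[F_IPVER],
            "proto": fields[F_PROTO_TEXT],
        })
    return entries


def count_by_tracker(entries):
    """Map tracker id -> number of log entries."""
    return Counter(e["tracker"] for e in entries)


def share_of_tracker(entries, tracker):
    """Fraction of all entries produced by one tracker id (0.0 if log is empty)."""
    if not entries:
        return 0.0
    return sum(1 for e in entries if e["tracker"] == tracker) / len(entries)


def blocked_protocols(entries):
    """Protocol text -> count, for blocked entries only (what the block rules hit)."""
    return Counter(e["proto"] for e in entries if e["action"] == "block")


if __name__ == "__main__":
    parsed = parse_filterlog(SAMPLE_LOG)
    for tracker, n in count_by_tracker(parsed).most_common():
        print(f"tracker {tracker}: {n} entries ({share_of_tracker(parsed, tracker):.0%})")
    print("blocked by protocol:", dict(blocked_protocols(parsed)))
```

On a real box, read `/var/log/filter.log` (or `clog /var/log/filter.log` on older releases) into `parse_filterlog` instead of `SAMPLE_LOG`; if tracker 1000000201 dominates the output, the noise is the CARP rule and not Snort, and disabling logging on that rule is the right knob rather than changing the Snort blocking rules.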
-
Not sure whether it's normal or not, anyway, the logging apparently is configurable via GUI.