Netgate Discussion Forum
    CARP Phishing

Category: HA/CARP/VIPs
4 Posts, 3 Posters, 224 Views
AndyRH wrote:

      A short and interesting read about CARP traffic. Likely not new information for some.

      https://isc.sans.edu/diary/Catching+CARP+Fishing+for+Firewall+States+in+PFSync+Traffic/31616/?is=55349e6df1ae7d0eb1f5f3ef0a11b2b29cccb62b3a13d647441b48fa18c8f5d6

      o||||o
      7100-1u

jimp (Rebel Alliance Developer, Netgate) wrote:

I can respect their desire to use the CARP puns, but the way they wrote that is unnecessarily specific. While commonly found together, pfsync isn't tied to CARP. There are other HA mechanisms, or reasons to use pfsync w/o HA. Also, using a dedicated interface for CARP traffic isn't a thing; even with unicast CARP it goes over the interface with the IP address only.

        Also they left out the ability for someone with access to that interface to alter the state table. Delete states, inject new states, etc. That's just as dangerous as sniffing the traffic, if not more so.

        The dangers of exposing pfsync traffic are well known and we do mention that concern in the docs, at least here:

        • https://docs.netgate.com/pfsense/en/latest/highavailability/pfsync.html
        • https://docs.netgate.com/pfsense/en/latest/highavailability/settings.html#state-synchronization-settings-pfsync

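The exposure jimp describes can be audited on the defending side: pfsync is IP protocol 240, so any pfsync frame captured on an interface other than the dedicated sync interface, or arriving from a host that is not the HA partner, is worth an alert. The following is an added example (not code from the thread, the SANS diary or pfSense); the interface names, addresses and packet bytes are constructed for illustration.

```python
"""Flag pfsync (IP proto 240) traffic seen where it should not be."""
import struct
from ipaddress import IPv4Address

PFSYNC_PROTO = 240   # IANA protocol number used by pfsync
CARP_PROTO = 112     # CARP shares VRRP's number; expected on production links


def parse_ipv4(pkt: bytes) -> dict:
    """Return protocol, src, dst and payload of a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _i, _f, _ttl, proto, _c = struct.unpack(
        "!BBHHHBBH", pkt[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"proto": proto, "src": IPv4Address(pkt[12:16]),
            "dst": IPv4Address(pkt[16:20]), "payload": pkt[ihl:total_len]}


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test packet: minimal 20-byte header, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def audit(captures, sync_iface: str, peers: set) -> list:
    """captures: iterable of (interface, raw IPv4 packet). Returns alerts."""
    alerts = []
    for iface, pkt in captures:
        p = parse_ipv4(pkt)
        if p["proto"] != PFSYNC_PROTO:      # CARP and ordinary traffic pass
            continue
        if iface != sync_iface:
            alerts.append(f"pfsync on {iface} (expected {sync_iface}) from {p['src']}")
        if str(p["src"]) not in peers:
            alerts.append(f"pfsync from unexpected peer {p['src']} on {iface}")
    return alerts


# Constructed captures: (interface, packet). igb2 is the hypothetical sync link.
SAMPLE = [
    ("igb2", build_ipv4(PFSYNC_PROTO, "172.16.1.1", "172.16.1.2", b"\x06" + b"\x00" * 19)),
    ("igb0", build_ipv4(PFSYNC_PROTO, "203.0.113.9", "172.16.1.2", b"\x06" + b"\x00" * 19)),
    ("igb0", build_ipv4(CARP_PROTO, "198.51.100.2", "224.0.0.18", b"\x00" * 8)),
]

if __name__ == "__main__":
    for line in audit(SAMPLE, "igb2", {"172.16.1.1"}):
        print(line)
```

The same check runs over packets read from a pcap with any capture library; the byte-level parser is kept here so the sample runs offline.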
AndyRH (replying to jimp) wrote:

          @jimp I have no practical experience with CARP. I thought the article was interesting and may have relevance to the group. I also know that not everything is as black and white as a security guy thinks it is.
          Thank you for the additional information.

          o||||o
          7100-1u

TessaWalker wrote:

It's helpful, thanks for sharing.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.