• I just noticed that on two of my pfSense boxes (2.1-RELEASE), 'Last config change' shows a time when I did not make any config changes. Nobody else should have access to these systems and according to system logs, nobody was logged in to the web interface or command line at that time.
    The only line in system logs which coincides with the last config change timestamp is

    check_reload_status: Syncing firewall

    which seems to be logged not only at these times, but quite frequently.

    Is this an indicator of compromised system, or is there a normal explanation to this?

  • OK, possible explanation found. I am running the bind package with some slave zones, and the timestamp of newest zone database file coincides with the 'Last config change' timestamp.