Pfsense error libnet

Hi,
I’m using Suricata in pfSense 2.4.5 and my log file is being spammed with this error. I don’t know how to fix it; hoping someone can help me out here.
ERRCODE: SC_ERR_LIBNET_WRITE_FAILED(147)] - libnet_write failed: libnet_write_raw_ipv4(): -1 bytes written (Permission denied)

Kind Regards,
Genine Collin

Hi Genine, this error is generated as Suricata tries to send TCP RST or ICMP reachable packets after a reject rule has matched. As the error indicates, it doesn’t have the permission to do so.

I don’t know how pfSense works well enough to comment on why it gets this error. Possible causes could be that Suricata runs as a user that does not have permission to send packets on a raw socket. Another option is that local firewall rules block the sending of these packets.

I think it would be best to ask through the pfSense support channels.

Hi all,
I just came into this thread having the same problem today.

My issue was not getting the reject behavior, only the drop effect (request timeout, no immediate connection reset) for filtered TLS traffic.

After a couple of hours, I just figured out the reason and the solution for it in pfSense.

Suricata is sending the RST flag from the loopback interface (actually it has a command-line parameter for selecting the interface, but it did not work/help).

The “permission denied” error is due to the pfSense firewall blocking traffic (you can check it in the firewall log). The traffic goes out from the lo0 interface and is blocked by a default built-in (hard-coded) rule.

You cannot create a pass rule to override this behavior from either the pfSense GUI or easyrule, as neither of them knows about “Loopback”.

So, the solution is patching the file /etc/inc/filter.inc.

There is a default hard-coded rule for passing loopback traffic (but not all TCP flags; S/SA only by default).
So, we are going to change this behavior by patching the file and reloading the filters.

Search for this line:
pass out {$log['pass']} on \$loopback inet all ridentifier {$increment_tracker()} label "pass IPv4 loopback"

Add “flags any” before “ridentifier” so the full line becomes:

pass out {$log['pass']} on \$loopback inet all flags any ridentifier {$increment_tracker()} label "pass IPv4 loopback"

(There are two such rules, one for IPv4 and one for IPv6.)

Reload the filter from the Diagnostics GUI menu, and voilà!
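A small POSIX shell script that applies the edit above, added here as an example and not code from the thread or from pfSense. It assumes the IPv6 rule has the same shape as the IPv4 one with `inet6` in place of `inet`, only adds `flags any` to rules that lack it, keeps a `.bak` copy, and ships a constructed sample file so the change can be tried before touching the real /etc/inc/filter.inc.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense. Path and rule text come from
# the post; the IPv6 rule is assumed to mirror the IPv4 one with "inet6" in
# place of "inet". The file holds a literal "\$loopback".
FILTER_INC="${FILTER_INC:-/etc/inc/filter.inc}"

# stdin -> stdout: insert "flags any" before "ridentifier" on the loopback
# pass-out rules that lack it; every other line passes through unchanged.
add_loopback_flags_any() {
  sed -E '/pass out .* on \\\$loopback inet6? all /{
/ flags any /!s/ ridentifier / flags any ridentifier /
}'
}

# Print how many loopback pass-out rules in a file still lack "flags any".
count_unpatched() {
  grep -E 'pass out .* on \\\$loopback inet6? all ' "$1" | grep -vc ' flags any ' || true
}

# Patch a file in place, keep a .bak copy, and fail unless every rule is patched.
patch_filter_inc() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  before=$(count_unpatched "$f")
  cp -p "$f" "$f.bak"
  add_loopback_flags_any < "$f.bak" > "$f"
  after=$(count_unpatched "$f")
  echo "loopback pass-out rules without 'flags any': $before -> $after"
  [ "$after" -eq 0 ]
}

# Constructed sample (not the real file) so the patch can be tried offline.
write_sample() {
  cat > "$1" <<'EOF'
# constructed: an unrelated line that must pass through untouched
	pass out {$log['pass']} on \$loopback inet all ridentifier {$increment_tracker()} label "pass IPv4 loopback"
	pass out {$log['pass']} on \$loopback inet6 all ridentifier {$increment_tracker()} label "pass IPv6 loopback"
EOF
}

# Only touch the real file when asked explicitly:  sh patch-loopback.sh --apply
if [ "${1:-}" = "--apply" ]; then
  patch_filter_inc "$FILTER_INC"
fi
```

Because rules that already carry `flags any` are skipped, the script can be re-run if an upgrade replaces filter.inc; the filter still has to be reloaded from the Diagnostics menu afterwards, as the post describes. Note that the change widens the pass rule on lo0 only, so it does not affect traffic on the other interfaces.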