Pfsense error libnet

genuine · April 19, 2020, 1:52am

Hi,
I’m using suricata in pfsense 2.4.5 and my log file is being spammed with this error and don’t know how to fix it hoping someone can help me out here
ERRCODE: SC_ERR_LIBNET_WRITE_FAILED(147)] - libnet_write failed: libnet_write_raw_ipv4(): -1 bytes written (Permission denied)

Kind Regards,
Genine Collin

vjulien · April 19, 2020, 5:57am

Hi Genine, this error is generated as Suricata tries to send TCP RST or ICMP reachable packets after a reject rule has matched. As the error indicates, it doesn’t have the permission to do so.

I don’t know how pfSense works well enough to comment on why it gets this error. Possible causes could be that Suricata runs as a user that does not have permission to send packets on a raw socket. Another option is that local firewall rules block the sending of these packets.

I think it would be best to ask through the pfSense support channels.

Amr_Elsaqqa · October 26, 2022, 12:12am

Hi all,
I just came into this thread having the same problem today.

My issue was not getting the reject behavior, and getting the drop only effect (request timeout, no immediate connection reset) for filtered tls traffic.

After a couple of hours, I just figured out the reason and the solution for it in pfSense.

Suricata, is sending the RST flag from the Loopback interface (actually it has a command line parameter for selecting the interface but it did not work/help).

The “permission denied” error is due to the pfsense firewall blocking traffic (you can check it in the firewall log) The traffic is out from lo0 interface and is blocked by a default built-in (hardcoded) rule.

You cannot create a passing rule to override this behavior neither from pfSense GUI nor easyrule, as it does not know about “Loopback” in GUI and easyrule.

So, the solution is patching the file /etc/inc/filter.inc

There is a default hard-coded for passing loopback traffic (but not all TCP flags, S/SA only by default)
So, we are going to change this behavior by patching the file and reloading filters.

Search for this line:


pass out {$log['pass']} on \$loopback inet all ridentifier {$increment_tracker()} label "pass IPv4 loopback"

add “flags any” before “ridentifier” so the full line becomes:

pass out {$log['pass']} on \$loopback inet all flags any ridentifier {$increment_tracker()} label "pass IPv4 loopback"

(There are two rules (IPv4 and IPv6))

Reload filter from the diagnostics GUI menu, and voila!

Topic		Replies	Views
Suricata on pfSense blocking IPs on Pass List Help pfsense	16	7459	January 14, 2022
pfSense Suricata Crashes on Malformed Blocklist Entry Help ips , suricata	3	414	November 6, 2023
SURICATA HTTP unable to match response to request Rules	1	3213	November 1, 2021
Issues with Suricata Working as IDPS Help ips , rules	3	174	November 4, 2024
Whitelisting not working? Help pfsense	2	1081	September 19, 2022

Pfsense error libnet

Related Topics