I’ve had this off-and-on problem with Suricata running on pfSense where it will block IPs that exist on the pass list. I’ve researched and posted in the Netgate forums but have had limited success in permanently resolving the error. In pfSense I restart the entire Suricata service as well as each interface. I can check and see the IP is indeed in the pass list. If I (on the most recent one with the problem) run
Then I can see the IP in the list (it’s actually the IP/32 since that’s how it’s put in, in case I need to expand the IP range). What else can I check or try? Yesterday I disabled the rule entirely, so when it happened this morning it wound up disabling a whitelisted IP using a disabled rule. It just feels like there is a disconnect between pfSense and Suricata. In the Alerts page on pfSense it even has the indicators that the rule is disabled and the alerts for it suppressed.
So, I’m turning here. Where can I go on the CLI to try to understand what is happening? Thanks for any help!