OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: hharry on December 02, 2024, 11:37:55 PM

Title: Automatic F/W rule installed for CARP, when CARP is admin disabled
Post by: hharry on December 02, 2024, 11:37:55 PM
It seems there is an automatic IPv4 CARP rule applied when CARP is administratively disabled.

Can this be tidied up, such that when CARP is admin disabled, the automatic rules are removed?

Title: Re: Automatic F/W rule installed for CARP, when CARP is admin disabled
Post by: Patrick M. Hausen on December 02, 2024, 11:46:44 PM
They do not open any attack vector, so why?

Title: Re: Automatic F/W rule installed for CARP, when CARP is admin disabled
Post by: hharry on December 02, 2024, 11:49:01 PM
The mere fact that the rule is installed, and enabled, when CARP is admin disabled is sloppy in itself... needs to be cleaned up....

It should be a simple, trivial fix, so why do you need to debate a useless point?

Title: Re: Automatic F/W rule installed for CARP, when CARP is admin disabled
Post by: Patrick M. Hausen on December 02, 2024, 11:51:27 PM
Sorry, but I disagree. It's perfectly feasible to have a set of static "always active" rules that provide fundamental functions even if these are not used. Like IPv6 neighbour discovery, IPv4 ARP, ...

There are bigger fish to fry in the firewall space.

Title: Re: Automatic F/W rule installed for CARP, when CARP is admin disabled
Post by: hharry on December 03, 2024, 12:06:08 AM
And this type of response is why OPNsense can never be taken as a serious F/W....

Title: Re: Automatic F/W rule installed for CARP, when CARP is admin disabled
Post by: mooh on December 03, 2024, 01:00:39 PM
Nothing kills security faster than complexity. Fewer rules are always better. So I agree with hharry. If a feature is off, the rules shouldn't be there. This is the same reason why I would like to see the policy routing rule set by "Disable force gateway" be disabled by default or removed entirely.
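The thread's point is that a rule for a disabled feature should not remain loaded. As an added audit helper (not code from OPNsense or from anyone in this thread), the script below scans `pfctl -sr` style output for rules matching the CARP protocol and reports them only when CARP is administratively off. It assumes the FreeBSD sysctl `net.inet.carp.allow` reads `0` when CARP is disabled; the sample ruleset is constructed, not captured from a real box.

```shell
#!/bin/sh
# Audit helper (added example, not OPNsense code): report pf rules that match
# CARP traffic while CARP is administratively disabled.
# Assumptions: rules are supplied as `pfctl -sr` text, and the FreeBSD sysctl
# net.inet.carp.allow is 0 when CARP is disabled.

# carp_rules_in RULESET -> prints the rule lines that match "proto carp"
carp_rules_in() {
    printf '%s\n' "$1" | grep -E '(^|[[:space:]])proto[[:space:]]+carp([[:space:]]|$)'
}

# stale_carp_rules RULESET CARP_ALLOW
# Prints CARP rules that are still loaded although CARP is disabled
# (CARP_ALLOW=0) and returns 1; prints nothing and returns 0 when CARP is
# enabled or no CARP rules are loaded.
stale_carp_rules() {
    ruleset=$1
    allow=$2
    if [ "$allow" != "0" ]; then
        return 0
    fi
    found=$(carp_rules_in "$ruleset" || true)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Constructed sample ruleset in pfctl -sr style (labels are made up).
SAMPLE_RULES='block drop in log all label "Default deny rule"
pass quick proto carp from any to any keep state label "CARP defaults"
pass in quick on em0 inet proto tcp from any to (self) port = 22 flags S/SA keep state label "allow ssh"'

# Live use on a FreeBSD/OPNsense host would be:
#   stale_carp_rules "$(pfctl -sr)" "$(sysctl -n net.inet.carp.allow)"
```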