Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [SOLVED] Do not log TCP packets with flags TCP:RA / TCP:PA etc.

    Scheduled Pinned Locked Moved Firewalling
    30 Posts 4 Posters 1.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator @mcury
      last edited by

      @mcury said in Do not log TCP packets with flags TCP:RA / TCP:PA etc.:

      and all UDP traffic that hit both WANs

      You might want to limit that to interesting ports if your goal is trim down the amount of noise your logging. My interesting ports is a pretty long list, but it does reduce some of the noise not logging every port ;)

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      M 1 Reply Last reply Reply Quote 1
      • M
        mcury @johnpoz
        last edited by

        @johnpoz said in Do not log TCP packets with flags TCP:RA / TCP:PA etc.:

        You might want to limit that to interesting ports if your goal is trim down the amount of noise your logging. My interesting ports is a pretty long list, but it does reduce some of the noise not logging every port ;)

        I'll start preparing that list now.. =)

        dead on arrival, nowhere to be found.

        johnpozJ 1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator @mcury
          last edited by johnpoz

          @mcury here is my list.. It prob way longer than need/should be but I had does some looking to what ports to put in there while back..

          2:3 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          7 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          9 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          13 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          17 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          19:23 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          37:38 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          42 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          49 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          67:69 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          80 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          88 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          111:113 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          120 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          135:139 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          158 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          161:162 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          177 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          192 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          199 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          207 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          217 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          363 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          389 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          402 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          407 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          427 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          434 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          443 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          445 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          464 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          497 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          500 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          502 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          512:515 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          517:518 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          520 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          539 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          559 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          593 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          623 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          626 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          631 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          639 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          643 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          657 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          664 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          682:689 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          764 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          767 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          772:776 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          780:782 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          786 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          789 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          800 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          814 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          826 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          829 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          838 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          902:903 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          944 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          959 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          965 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          983 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          989:990 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          996:1001 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          1007:1008 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          1012:1014 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          1019:1051 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          1053:1060 Entry added Thu, 17 Oct 2019 06:17:40 -0500
          53 Entry added Thu, 17 Oct 2019 12:07:49 -0500
          123 Entry added Sat, 11 Apr 2020 02:33:04 -0500
          33434 Odd port from pfsense forums
          

          Wow from 2019, man time flies.. Doesn't seem like that long ago that I did that ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          M 1 Reply Last reply Reply Quote 1
          • m0ursM
            m0urs @bmeeks
            last edited by m0urs

            @bmeeks
            Unfortunately it seems not to work that way. I still get packets logged with these flags set:

            c34ff848-a91c-4dac-b2c0-93681a5621eb-image.png

            Do not get confused, I named my self created rule "Default blocking rule", but the ID is my own rule and not the pfSense default rule.

            Here is the rule I created:

            7bf8dc21-035c-46ff-9776-31373ad24ce9-image.png

            93835a43-fd4b-44a4-9cb9-36b3b01363be-image.png

            What am I doing wrong?

            M 1 Reply Last reply Reply Quote 0
            • M
              mcury @johnpoz
              last edited by mcury

              @johnpoz Wol, that is indeed a long list, I was thinking about ports:

              7 WOL common used
              9 WOL default
              53 DNS
              67:68 DHCP
              80 QUIC
              88 Kerberos
              123 NTP
              443 QUIC
              500 IPsec
              514 Syslog
              1194:1198 Common OpenVPN ports..
              4500 NAT-T
              

              dead on arrival, nowhere to be found.

              johnpozJ 1 Reply Last reply Reply Quote 0
              • M
                mcury @m0urs
                last edited by

                @m0urs said in Do not log TCP packets with flags TCP:RA / TCP:PA etc.:

                What am I doing wrong?

                Did you disable this ?

                24112498-ef2f-4826-9425-2ac6a8912499-image.png

                dead on arrival, nowhere to be found.

                m0ursM 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @mcury
                  last edited by johnpoz

                  @mcury yeah its a bit long.. I went a bit overboard when was looking into ports that might be good to log.. I could prob trim it down.. But I really don't see much udp traffic even with that long list.

                  Yeah default deny logging is off

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • m0ursM
                    m0urs @mcury
                    last edited by

                    @mcury said in Do not log TCP packets with flags TCP:RA / TCP:PA etc.:

                    Did you disable this ?

                    Yes.

                    As I said: The logging comes from my own created rule and not from the pfSense default blocking rule.

                    M 1 Reply Last reply Reply Quote 0
                    • M
                      mcury @m0urs
                      last edited by

                      @m0urs said in Do not log TCP packets with flags TCP:RA / TCP:PA etc.:

                      The logging comes from my own created rule and not from the pfSense default blocking rule.

                      I'm trying to replicate this here, but now filtering TCP:S only, in my LAN networks.

                      dead on arrival, nowhere to be found.

                      M 1 Reply Last reply Reply Quote 0
                      • M
                        mcury @mcury
                        last edited by

                        Are you using that "Invert match" option for source or destination in that rule ? So far, I'm unable to replicate this behavior here but I'm not using those options.

                        dead on arrival, nowhere to be found.

                        m0ursM 2 Replies Last reply Reply Quote 0
                        • m0ursM
                          m0urs @mcury
                          last edited by

                          @mcury No, I do not use "Invert Match". That is my definition, together with that TCP Flags option mentioned above:

                          5e3f4c21-62e3-46e7-a1c4-963fee7d2124-image.png

                          1 Reply Last reply Reply Quote 0
                          • m0ursM
                            m0urs @mcury
                            last edited by

                            @mcury ah, maybe this does not work if protocol set to "Any"? I will try with Protocol set to "TCP" ...

                            m0ursM 1 Reply Last reply Reply Quote 0
                            • m0ursM
                              m0urs @m0urs
                              last edited by

                              @mcury

                              No, unfortunately that did not change anything. These kind of packets are still logged by that rule:

                              70421b24-d1ae-41af-bf94-6343b09cd5ad-image.png

                              You you explain me a bit more, what how this "TCP flag" setting is working? I still did not get it. What exactly is meant by "set" and "out of"?

                              M 1 Reply Last reply Reply Quote 0
                              • M
                                mcury @m0urs
                                last edited by

                                @m0urs said in Do not log TCP packets with flags TCP:RA / TCP:PA etc.:

                                What exactly is meant by "set" and "out of"?

                                https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#tcp-flags

                                dead on arrival, nowhere to be found.

                                m0ursM 1 Reply Last reply Reply Quote 0
                                • m0ursM
                                  m0urs @mcury
                                  last edited by m0urs

                                  @mcury

                                  "By default, new pass rules for TCP only check for the TCP SYN flag to be set, out of a possible set of SYN and ACK."

                                  Hm, so I would say that I just need to create a normal rule without any options enabled in "TCP flag"? In this case I do get a logging entry if there is something blocked with SYNC flag and no more logging entries for all the other packtes?

                                  That would be what I wanted?

                                  Update: It says "new PASS rules", but I have a REJECT rule?

                                  M 1 Reply Last reply Reply Quote 0
                                  • M
                                    mcury @m0urs
                                    last edited by

                                    @m0urs said in Do not log TCP packets with flags TCP:RA / TCP:PA etc.:

                                    @mcury

                                    "By default, new pass rules for TCP only check for the TCP SYN flag to be set, out of a possible set of SYN and ACK."

                                    Hm, so I would say that I just need to create a normal rule without any options enabled in "TCP flag"? In this case I do get a logging entry if there is something blocked with SYNC flag and no more logging entries for all the other packtes?

                                    That would be what I wanted?

                                    Yes, try that and report back.
                                    Other option would be to create a new rule below that one, and set flags to all but SYN, and set to no log.

                                    dead on arrival, nowhere to be found.

                                    m0ursM 1 Reply Last reply Reply Quote 0
                                    • m0ursM
                                      m0urs @mcury
                                      last edited by

                                      @mcury I had a look into the Packet Filter rules generated by pfSense.

                                      Could it be that these options are only used for PASS rules but not for BLOCK rules?

                                      Here is the output for that rule either with PASS:

                                      [2.7.2-RELEASE][root@router02.urs.lan]/root: pfctl -vvsr | grep "33276"
                                      
                                      @177 pass in log quick on igb2.20 inet all flags S/SA keep state label "USER_RULE" label "id:1704133276" ridentifier 1704133276
                                      

                                      and with BLOCK:

                                      [2.7.2-RELEASE][root@router02.urs.lan]/root: pfctl -vvsr | grep "33276"
                                      
                                      @177 block drop in log quick on igb2.20 inet all label "USER_RULE" label "id:1704133276" ridentifier 1704133276
                                      
                                      johnpozJ 1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator @m0urs
                                        last edited by

                                        @m0urs not sure what your looking at exactly - but those rules block and only syn..

                                        block.jpg

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        m0ursM 2 Replies Last reply Reply Quote 0
                                        • m0ursM
                                          m0urs @johnpoz
                                          last edited by

                                          @johnpoz

                                          Notice the "flag s/s" in your blocking rule?

                                          Compare it with my blocking rule above, which is missing that ...

                                          So I guess that is the reason, why it is not working for me.

                                          If I change the rule to "PASS" then the "flag s/s" is added. If I change it back to "BLOCK", it is missing!?

                                          1 Reply Last reply Reply Quote 0
                                          • m0ursM
                                            m0urs @johnpoz
                                            last edited by

                                            @johnpoz Ok, I think I need to set that rule to protocol "TCP" and not "ANY". In this case the "flag s/s" is added. I will try again an recreate the rules.

                                            johnpozJ 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.