Netgate Discussion Forum

[SOLVED] Do not log TCP packets with flags TCP:RA / TCP:PA etc.

Firewalling
30 Posts 4 Posters 1.9k Views
    mcury @johnpoz
    last edited by Jan 1, 2024, 3:18 PM

    @johnpoz said in Do not log TCP packets with flags TCP:RA / TCP:PA etc.:

    You might want to limit that to interesting ports if your goal is to trim down the amount of noise you're logging. My interesting ports list is pretty long, but it does reduce some of the noise, not logging every port ;)

    I'll start preparing that list now.. =)

    dead on arrival, nowhere to be found.

      johnpoz LAYER 8 Global Moderator @mcury
      last edited by johnpoz Jan 1, 2024, 3:32 PM Jan 1, 2024, 3:31 PM

      @mcury here is my list.. It's prob way longer than it needs to/should be, but I had done some looking into what ports to put in there a while back..


      Wow from 2019, man time flies.. Doesn't seem like that long ago that I did that ;)

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        m0urs @bmeeks
        last edited by m0urs Jan 1, 2024, 3:40 PM Jan 1, 2024, 3:39 PM

        @bmeeks
        Unfortunately it seems not to work that way. I still get packets logged with these flags set:

        [screenshot: firewall log entries]

        Do not get confused, I named my self created rule "Default blocking rule", but the ID is my own rule and not the pfSense default rule.

        Here is the rule I created:

        [screenshots: the rule definition]

        What am I doing wrong?

          mcury @johnpoz
          last edited by mcury Jan 1, 2024, 3:46 PM Jan 1, 2024, 3:43 PM

          @johnpoz Wow, that is indeed a long list, I was thinking about ports:

          7 WOL common used
          9 WOL default
          53 DNS
          67:68 DHCP
          80 QUIC
          88 Kerberos
          123 NTP
          443 QUIC
          500 IPsec
          514 Syslog
          1194:1198 Common OpenVPN ports..
          4500 NAT-T
          


            mcury @m0urs
            last edited by Jan 1, 2024, 3:44 PM

            @m0urs said in Do not log TCP packets with flags TCP:RA / TCP:PA etc.:

            What am I doing wrong?

            Did you disable this ?

            [screenshot: default block rule logging setting]


              johnpoz LAYER 8 Global Moderator @mcury
              last edited by johnpoz Jan 1, 2024, 3:45 PM Jan 1, 2024, 3:44 PM

              @mcury yeah it's a bit long.. I went a bit overboard when I was looking into ports that might be good to log.. I could prob trim it down.. But I really don't see much udp traffic even with that long list.

              Yeah default deny logging is off


                m0urs @mcury
                last edited by Jan 1, 2024, 3:46 PM

                @mcury said in Do not log TCP packets with flags TCP:RA / TCP:PA etc.:

                Did you disable this ?

                Yes.

                As I said: The logging comes from my own created rule and not from the pfSense default blocking rule.

                  mcury @m0urs
                  last edited by Jan 1, 2024, 4:00 PM

                  @m0urs said in Do not log TCP packets with flags TCP:RA / TCP:PA etc.:

                  The logging comes from my own created rule and not from the pfSense default blocking rule.

                  I'm trying to replicate this here, but now filtering TCP:S only, in my LAN networks.


                    mcury @mcury
                    last edited by Jan 1, 2024, 4:41 PM

                    Are you using that "Invert match" option for source or destination in that rule ? So far, I'm unable to replicate this behavior here but I'm not using those options.


                      m0urs @mcury
                      last edited by Jan 1, 2024, 4:49 PM

                      @mcury No, I do not use "Invert Match". That is my definition, together with that TCP Flags option mentioned above:

                      [screenshot: the rule definition]

                        m0urs @mcury
                        last edited by Jan 1, 2024, 4:52 PM

                        @mcury ah, maybe this does not work if protocol set to "Any"? I will try with Protocol set to "TCP" ...

                          m0urs @m0urs
                          last edited by Jan 1, 2024, 5:04 PM

                          @mcury

                          No, unfortunately that did not change anything. These kind of packets are still logged by that rule:

                          [screenshot: firewall log entries]

                          Could you explain to me a bit more how this "TCP flag" setting works? I still did not get it. What exactly is meant by "set" and "out of"?

                            mcury @m0urs
                            last edited by Jan 1, 2024, 5:36 PM

                            @m0urs said in Do not log TCP packets with flags TCP:RA / TCP:PA etc.:

                            What exactly is meant by "set" and "out of"?

                            https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#tcp-flags


                              m0urs @mcury
                              last edited by m0urs Jan 1, 2024, 5:59 PM Jan 1, 2024, 5:56 PM

                              @mcury

                              "By default, new pass rules for TCP only check for the TCP SYN flag to be set, out of a possible set of SYN and ACK."

                              Hm, so I would say that I just need to create a normal rule without any options enabled in "TCP flag"? In this case I would get a logging entry if something is blocked with the SYN flag, and no more logging entries for all the other packets?

                              That would be what I wanted?

                              Update: It says "new PASS rules", but I have a REJECT rule?

                                mcury @m0urs
                                last edited by Jan 1, 2024, 6:00 PM

                                @m0urs said in Do not log TCP packets with flags TCP:RA / TCP:PA etc.:

                                @mcury

                                "By default, new pass rules for TCP only check for the TCP SYN flag to be set, out of a possible set of SYN and ACK."

                                Hm, so I would say that I just need to create a normal rule without any options enabled in "TCP flag"? In this case I would get a logging entry if something is blocked with the SYN flag, and no more logging entries for all the other packets?

                                That would be what I wanted?

                                Yes, try that and report back.
                                Other option would be to create a new rule below that one, and set flags to all but SYN, and set to no log.


                                  m0urs @mcury
                                  last edited by Jan 1, 2024, 6:26 PM

                                  @mcury I had a look into the Packet Filter rules generated by pfSense.

                                  Could it be that these options are only used for PASS rules but not for BLOCK rules?

                                  Here is the output for that rule either with PASS:

                                  [2.7.2-RELEASE][root@router02.urs.lan]/root: pfctl -vvsr | grep "33276"
                                  
                                  @177 pass in log quick on igb2.20 inet all flags S/SA keep state label "USER_RULE" label "id:1704133276" ridentifier 1704133276
                                  

                                  and with BLOCK:

                                  [2.7.2-RELEASE][root@router02.urs.lan]/root: pfctl -vvsr | grep "33276"
                                  
                                  @177 block drop in log quick on igb2.20 inet all label "USER_RULE" label "id:1704133276" ridentifier 1704133276
                                  
                                    johnpoz LAYER 8 Global Moderator @m0urs
                                    last edited by Jan 1, 2024, 6:48 PM

                                    @m0urs not sure what you're looking at exactly - but those rules block and only syn..

                                    [screenshot: block.jpg]


                                      m0urs @johnpoz
                                      last edited by Jan 1, 2024, 6:54 PM

                                      @johnpoz

                                      Notice the "flag s/s" in your blocking rule?

                                      Compare it with my blocking rule above, which is missing that ...

                                      So I guess that is the reason, why it is not working for me.

                                      If I change the rule to "PASS" then the "flag s/s" is added. If I change it back to "BLOCK", it is missing!?

                                        m0urs @johnpoz
                                        last edited by Jan 1, 2024, 6:59 PM

                                        @johnpoz Ok, I think I need to set that rule to protocol "TCP" and not "ANY". In this case the "flag s/s" is added. I will try again and recreate the rules.

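The "set / out of" semantics asked about above, and the difference between the two pfctl rule lines m0urs pasted, as a small Python model added here (not code from the thread or from pfSense). It evaluates pf's flag check, (packet_flags AND mask) == set, over constructed packet flag combinations; the third rule line, with flags S/S like johnpoz's block rule, is also constructed.

```python
import re

# TCP flag letters as pf prints them, mapped to the bits in the TCP header.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

# The two rule lines m0urs pasted from `pfctl -vvsr` (same rule as PASS and as BLOCK).
PASS_RULE = ('@177 pass in log quick on igb2.20 inet all flags S/SA keep state '
             'label "USER_RULE" label "id:1704133276" ridentifier 1704133276')
BLOCK_RULE = ('@177 block drop in log quick on igb2.20 inet all '
              'label "USER_RULE" label "id:1704133276" ridentifier 1704133276')
# Constructed: a block rule that carries "flags S/S", the form johnpoz's rule showed.
SYN_ONLY_BLOCK = ('@10 block drop in log quick on igb2.20 inet proto tcp all flags S/S '
                  'label "constructed-example"')

# Constructed sample packets, named by the flag letters pfSense shows in the log.
SAMPLE_PACKETS = ["S", "SA", "RA", "PA", "FA"]


def flags_to_bits(letters):
    bits = 0
    for ch in letters:
        bits |= FLAG_BITS[ch]
    return bits


def parse_rule(line):
    """Pull the 'flags SET/MASK' clause out of a pfctl -vvsr rule line, if there is one."""
    m = re.search(r"\bflags (?:(?P<any>any)|(?P<set>[A-Z]*)/(?P<mask>[A-Z]*))", line)
    if m is None or m.group("any"):
        return None  # no flag check at all: every packet the rule otherwise matches is matched
    return m.group("set"), m.group("mask")


def tcp_flags_match(spec, pkt_flags):
    """pf semantics: of the MASK bits ('out of'), exactly the SET bits ('set') must be on."""
    if spec is None:
        return True
    want, mask = (flags_to_bits(part) for part in spec)
    return (flags_to_bits(pkt_flags) & mask) == want


def matching_packets(rule_line, packets=SAMPLE_PACKETS):
    """Which sample packets this rule matches, i.e. which ones it would log."""
    spec = parse_rule(rule_line)
    return [p for p in packets if tcp_flags_match(spec, p)]


if __name__ == "__main__":
    for name, rule in (("PASS", PASS_RULE), ("BLOCK", BLOCK_RULE), ("S/S", SYN_ONLY_BLOCK)):
        print(name, parse_rule(rule), "->", matching_packets(rule))
```

The BLOCK line without a flags clause matches (and logs) every combination, which is why RA and PA entries kept appearing; S/SA matches only a bare SYN, and S/S also matches SYN-ACK because the A bit is outside its mask.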
                                          johnpoz LAYER 8 Global Moderator @m0urs
                                          last edited by Jan 1, 2024, 7:16 PM

                                          @m0urs yeah tcp is what has syn.. so that is prob a requirement

