Logging stops, pflog0 promiscuous
-
The firewall logging stops at regular intervals with pfSense 1.0.1 RELEASE and the only way to enable it again (I don't know any other way) is to reboot.
This happens when pflog0 sets promiscuous mode to disabled, for no apparent reason.
Nov 23 07:56:38 pfsense check_reload_status: updating dyndns Nov 23 07:56:39 pfsense php: : DynDns: Running updatedns() Nov 23 07:56:39 pfsense php: : DynDns: updatedns() starting Nov 23 07:56:39 pfsense php: : DynDns: _detectChange() starting. Nov 23 07:56:39 pfsense php: : DynDns: Current WAN IP: X.224.222.80 Nov 23 07:56:39 pfsense php: : DynDns: Cached IP: X.224.222.80 Nov 23 07:56:39 pfsense php: : phpDynDNS: No Change In My IP Address and/or 25 Days Has Not Past. Not Updating Dynamic DNS Entry. **Nov 23 07:56:52 pfsense kernel: pflog0: promiscuous mode disabled** Nov 23 08:26:41 pfsense dhclient[280]: DHCPREQUEST on em0 to Y.21.248.42 port 67 Nov 23 08:26:41 pfsense dhclient[280]: DHCPACK from Y.21.248.42 Nov 23 08:26:41 pfsense dhclient[280]: bound to X.224.222.80 – renewal in 1800 seconds. Nov 23 08:26:44 pfsense check_reload_status: rc.newwanip starting
At 07:56:52 promiscuous mode was disabled and the firewall logging stopped.
This happens at, as far as I can tell, at random intervals.
Is there anything that can be done about this, restarting a script or …?
-
First you really want to update to 1.0.1. Second, please post more logs around the time this stops. We need to get an idea of what is killing it.
-
maybe a crashing snort package ?
snort sets promiscuous mode to enabled
when snort crashes or stopt it is set back to normal ( promiscuous mode disabled) -
Well, this is 1.0.1 RELEASE - I think you didn't see that first line of mine in the message ;)
Installed on harddisk, from ISO/LiveCD, PC hardware, no CARP/IPSec/VPN/packages - just plain router/firewall config so far (evaluating performance and function).
Motherboard: ASUS P4P800-VM mATX
CPU: Celeron D, 2.8 GHz
Mem: 1 GB DDR400
Net: 2 * Intel Pro/1000 GT (82541PI chipset)
Most things otherwise disabled through BIOS settings.em0 -> WAN
em1 -> LANThis is what happened last time. Log from 30 minutes before and 30 minutes after prosmisuous mode was disabled. Promiscuous mode was disabled at 16:10:54.
system.log
Nov 24 15:10:13 pfsense php: : phpDynDNS: No Change In My IP Address and/or 25 Days Has Not Past. Not Updating Dynamic DNS Entry. Nov 24 15:40:05 pfsense dhclient[24646]: DHCPREQUEST on em0 to 172.21.248.42 port 67 Nov 24 15:40:05 pfsense dhclient[24646]: DHCPACK from 172.21.248.42 Nov 24 15:40:05 pfsense dhclient[24646]: bound to XX.224.220.yy – renewal in 1800 seconds. Nov 24 15:40:09 pfsense check_reload_status: rc.newwanip starting Nov 24 15:40:12 pfsense php: : Informational: DHClient spawned /etc/rc.newwanip and the new ip is wan - XX.224.220.yy. Nov 24 15:40:12 pfsense php: : Creating rrd update script Nov 24 15:40:12 pfsense php: : Creating rrd graph index Nov 24 15:40:12 pfsense php: : Resyncing configuration for all packages. Nov 24 15:40:12 pfsense check_reload_status: reloading filter Nov 24 15:40:12 pfsense php: : FTP proxy disabled for interface LAN - ignoring. Nov 24 15:40:13 pfsense check_reload_status: updating dyndns Nov 24 15:40:14 pfsense php: : DynDns: Running updatedns() Nov 24 15:40:14 pfsense php: : DynDns: updatedns() starting Nov 24 15:40:14 pfsense php: : DynDns: _detectChange() starting. Nov 24 15:40:14 pfsense php: : DynDns: Current WAN IP: XX.224.220.yy Nov 24 15:40:14 pfsense php: : DynDns: Cached IP: XX.224.220.yy Nov 24 15:40:14 pfsense php: : phpDynDNS: No Change In My IP Address and/or 25 Days Has Not Past. Not Updating Dynamic DNS Entry. Nov 24 16:10:05 pfsense dhclient[24646]: DHCPREQUEST on em0 to 172.21.248.42 port 67 Nov 24 16:10:05 pfsense dhclient[24646]: DHCPACK from 172.21.248.42 Nov 24 16:10:05 pfsense dhclient[24646]: bound to XX.224.220.yy – renewal in 1800 seconds. Nov 24 16:10:05 pfsense check_reload_status: rc.newwanip starting Nov 24 16:10:07 pfsense php: : Informational: DHClient spawned /etc/rc.newwanip and the new ip is wan - XX.224.220.yy. Nov 24 16:10:08 pfsense php: : Creating rrd update script Nov 24 16:10:08 pfsense php: : Creating rrd graph index Nov 24 16:10:08 pfsense php: : Resyncing configuration for all packages. Nov 24 16:10:08 pfsense check_reload_status: reloading filter Nov 24 16:10:08 pfsense php: : FTP proxy disabled for interface LAN - ignoring. Nov 24 16:10:08 pfsense check_reload_status: updating dyndns Nov 24 16:10:10 pfsense php: : DynDns: Running updatedns() Nov 24 16:10:10 pfsense php: : DynDns: updatedns() starting Nov 24 16:10:10 pfsense php: : DynDns: _detectChange() starting. Nov 24 16:10:10 pfsense php: : DynDns: Current WAN IP: XX.224.220.yy Nov 24 16:10:10 pfsense php: : DynDns: Cached IP: XX.224.220.yy Nov 24 16:10:10 pfsense php: : phpDynDNS: No Change In My IP Address and/or 25 Days Has Not Past. Not Updating Dynamic DNS Entry. **Nov 24 16:10:54 pfsense kernel: pflog0: promiscuous mode disabled** Nov 24 16:40:05 pfsense dhclient[24646]: DHCPREQUEST on em0 to 172.21.248.42 port 67 Nov 24 16:40:05 pfsense dhclient[24646]: DHCPACK from 172.21.248.42 Nov 24 16:40:05 pfsense dhclient[24646]: bound to XX.224.220.yy – renewal in 1800 seconds. Nov 24 16:40:06 pfsense check_reload_status: rc.newwanip starting Nov 24 16:40:06 pfsense login: login on ttyv0 as root Nov 24 16:40:09 pfsense php: : Informational: DHClient spawned /etc/rc.newwanip and the new ip is wan - XX.224.220.yy. Nov 24 16:40:09 pfsense php: : Creating rrd update script Nov 24 16:40:09 pfsense php: : Creating rrd graph index Nov 24 16:40:09 pfsense php: : Resyncing configuration for all packages. Nov 24 16:40:09 pfsense check_reload_status: reloading filter Nov 24 16:40:09 pfsense php: : FTP proxy disabled for interface LAN - ignoring. Nov 24 16:40:10 pfsense check_reload_status: updating dyndns Nov 24 16:40:11 pfsense php: : DynDns: Running updatedns() Nov 24 16:40:11 pfsense php: : DynDns: updatedns() starting Nov 24 16:40:11 pfsense php: : DynDns: _detectChange() starting. Nov 24 16:40:11 pfsense php: : DynDns: Current WAN IP: XX.224.220.yy Nov 24 16:40:11 pfsense php: : DynDns: Cached IP: XX.224.220.yy Nov 24 16:40:11 pfsense php: : phpDynDNS: No Change In My IP Address and/or 25 Days Has Not Past. Not Updating Dynamic DNS Entry. Nov 24 17:10:05 pfsense dhclient[24646]: DHCPREQUEST on em0 to 172.21.248.42 port 67
filter.log
Nov 24 16:07:06 pfsense pf: 079260 rule 56/0(match): block in on em0: xx.224.148.26.4806 > xx.224.220.yy.5900: S 2505059968:2505059968(0) win 53760 <mss 1460,nop,wscale="" 3,[|tcp]="">Nov 24 16:07:12 pfsense pf: 6\. 315120 rule 21/0(match): block in on em0: 10.244.131.145 > 224.0.0.1: igmp query v2 Nov 24 16:07:33 pfsense pf: 20\. 800644 rule 56/0(match): block in on em0: xx.224.132.138.3911 > xx.224.220.yy.6129: S 3767522767:3767522767(0) win 64240 <mss 1460,nop,nop,sackok="">Nov 24 16:08:04 pfsense pf: 30\. 780613 rule 56/0(match): block in on em0: 130.115.120.81.30504 > xx.224.220.yy.1026: UDP, length 488 Nov 24 16:08:21 pfsense pf: 17\. 251424 rule 56/0(match): block in on em0: xx.224.189.107.1229 > xx.224.220.yy.1433: S 17473609:17473609(0) win 64240 <mss 1460,nop,nop,sackok="">Nov 24 16:08:24 pfsense pf: 2\. 989892 rule 56/0(match): block in on em0: xx.224.189.107.1229 > xx.224.220.yy.1433: S 17473609:17473609(0) win 64240 <mss 1460,nop,nop,sackok="">Nov 24 16:08:37 pfsense pf: 13\. 077269 rule 56/0(match): block in on em0: xx.224.221.60.4293 > xx.224.220.yy.139: S 4064406984:4064406984(0) win 64240 <mss 1460,nop,nop,sackok="">Nov 24 16:09:11 pfsense pf: 33\. 767767 rule 56/0(match): block in on em0: xx.224.222.197.3821 > xx.224.220.yy.445: S 4222053908:4222053908(0) win 53760 <mss 1460,nop,wscale="" 3,[|tcp]="">Nov 24 16:09:13 pfsense pf: 1\. 942637 rule 56/0(match): block in on em0: xx.224.222.197.3821 > xx.224.220.yy.445: S 4222053908:4222053908(0) win 53760 <mss 1460,nop,wscale="" 3,[|tcp]="">Nov 24 16:09:16 pfsense pf: 3\. 011120 rule 21/0(match): block in on em0: 10.244.131.145 > 224.0.0.1: igmp query v2</mss></mss></mss></mss></mss></mss></mss>
And then the logging stops.
Anything else I can supply or do to help any further investigations?