Firewall is logging when shouldnt?
-
Ok I have a nat for torrents, firewall rule is linked to nat but it clearly is not set to log. Yet my log file is full of these??
-
These logs are caused by a rule on the LAN interface and not the WAN.
-
how is that, I don't have any logging set on lan rules
-
If you move the cursor over the > on the left side you will get a hover-text telling you which rule is responsible for the log-entry.
-
well you have to click on it, otherwise just says pass.
But not sure what this means?
Ok took a look at filter logs from console as well
00:00:02.289727 rule 39/0(match): pass out on re0: 93.232.6.1.65063 > 192.168.1.4.42312: tcp 40 [bad hdr length 0 - too short, < 20]
00:00:01.832133 rule 39/0(match): pass out on re0: 202.7.222.113.59058 > 192.168.1.4.42312: tcp 28 [bad hdr length 0 - too short, < 20]
00:00:02.489679 rule 39/0(match): pass out on re0: 71.128.255.121.63929 > 192.168.1.4.42312: tcp 28 [bad hdr length 0 - too short, < 20]
00:00:04.113039 rule 39/0(match): pass out on re0: 86.151.127.253.58424 > 192.168.1.4.42312: tcp 32 [bad hdr length 0 - too short, < 20]
00:00:01.625774 rule 39/0(match): pass out on re0: 193.91.174.51.1136 > 192.168.1.4.42312: tcp 28 [bad hdr length 0 - too short, < 20]
00:00:00.622629 rule 39/0(match): pass out on re0: 201.124.3.70.57183 > 192.168.1.4.42312: tcp 44 [bad hdr length 0 - too short, < 20]
00:00:04.362462 rule 39/0(match): pass out on re0: 84.87.125.42.59876 > 192.168.1.4.42312: tcp 28 [bad hdr length 0 - too short, < 20]bad hdr length too short??
-
anyone have any ideas, why is it logging this.. I don't have any rules to log on the lan, how can I modify this rule 39 to not log? why is it logging if its passing the traffic?
I had setup syslog awhile back, and syslog went back to 8/9 like 8:17 in the morning - and then started seeing this traffic at 9:30 something so not sure if maybe a commit I did later that morning that changed it, or maybe something else. But it clearly was sending lots and lots of hits to my syslog, which I have turned off until I figure out what is causing this logging and how to turn it off.
Thanks!
edit: ok I removed the nat and this removed the firewall rule. I then recreated it, and still logging on the lan interface this pass traffic on the lan?
edit2: ok it seems to be this rule in /tmp/rules.debug
under # webConfigurator lockout
pass out log quick on { re0 } proto tcp from any to any flags any keep state(sloppy)
what is the point of that rule? And why should it be logged?
edit3: ok that rules can not be right, its logging all port forwards it seems like.. Just did a port check to my ssh server inside, and it logged that
pass
Sep 14 11:25:37 LAN 85.17.185.51:44765 192.168.1.7:22 TCP:SI do not have logging of this traffic setup, so something is wrong.
-
Could this also apply to you?
http://doc.pfsense.com/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
-
I don't believe so, since its passed traffic and syn is set. Not fully sure what state sloopy is though? Is logging traffic that there is something wrong with?
I am pretty sure I figured out the rule that is logging it, but why is that rule under the webconfig lockout section, what specifically is it suppose to allow or prevent, and why is an allow logged?
-
ok looks like I found out what was going on, seems it was a rule left over from captive portal that I was playing with, and then uncheck to enable, so setting were still there but not enabled.
Seems this portion of filter.inc was creating the rules.
/* if captive portal is enabled, ensure that access to this port * is allowed on a locked down interface */ if(is_array($config['captiveportal'])) { foreach ($config['captiveportal'] as $cpcfg) { $cpinterfaces = explode(",", $cpcfg['interface']); $cpiflist = array(); $cpiplist = array(); foreach ($cpinterfaces as $cpifgrp) { if(!isset($FilterIflist[$cpifgrp])) continue; $tmpif = get_real_interface($cpifgrp); if(!empty($tmpif)) { $cpiflist[] = "{$tmpif}"; $cpipm = get_interface_ip($cpifgrp); if(is_ipaddr($cpipm)) { $carpif = link_ip_to_carp_interface($cpipm); if (!empty($carpif)) { $cpiflist[] = $carpif; $carpsif = explode(" ", $carpif); foreach ($carpsif as $cpcarp) { $carpip = find_interface_ip($cpcarp); if (is_ipaddr($carpip)) $cpiplist[] = $carpip; } } $cpiplist[] = $cpipm; } } } if (count($cpiplist) > 0 && count($cpiflist) > 0) { $cpinterface = implode(" ", $cpiflist); $cpaddresses = implode(" ", $cpiplist); $portalias = $cpcfg['zoneid'] + 1; $portalias .= " {$cpcfg['zoneid']}"; $ipfrules .= "pass in {$log} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } keep state(sloppy)\n"; $ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any to any flags any keep state(sloppy)\n"; } } }
this was the rule that was setup
$ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any to any flags any keep state(sloppy)\n";
But I did not have captive portal enabled – I had create it in the passed and then unchecked it from being enabled.. But seems the rules were not deleted? I removed it, and then rebooted and how that rule is no longer there and not logging that traffic ;)
I can try and duplicate it to see if can regenerate the issue.