Netgate Discussion Forum

    Remote syslog

    General pfSense Questions

      Hugovsky

      I'm seeing this in my remote syslog server since upgrade to 2.2:

      FILTERLOG : 148,16777216,,100000101,em0_vlan3,ip-option,pass,in,4,0x0,,1,43293,0,none,2,igmp,32,192.168.50.31,224.0.0.252,datalength=8

      Any ideas? It seems to be a default rule logging, but I've disabled it in settings. However, it's only IGMP.

        cmb

        That's the ID of the default LAN rule, you have logging enabled on the default LAN rule it appears?

          Hugovsky

          I don't. I've tried enabling and disabling the check mark for the default rule. Didn't work. I have pfblockerng and snort installed. Maybe one package changed something?

            cmb

            what does:

            grep 100000101 /tmp/rules.debug 
            

            show?

              Hugovsky

              root: grep 100000101 /tmp/rules.debug 
              pass  in  quick  on $LAN inet proto tcp  from 192.168.50.0/24  to <negate_networks>  port $outgoing_ports tracker 0100000101 flags S/SA keep state  dnqueue( 1,2)  label "NEGATE_ROUTE: Negate policy routing for destination"
              pass  in  quick  on $LAN  $GWGW_failover inet proto tcp  from 192.168.50.0/24 to any port $outgoing_ports tracker 0100000101 flags S/SA keep state  dnqueue( 1,2)  label "USER_RULE: Default allow LAN -> internet to any rule"
              
                Hugovsky

                Well, seems like when you're sick and go to a doctor and all your diseases go away… I have had this problem since 24+- Jan. Decided to post it and it goes away.. nice. I've changed a few rules and aliases and I have never seen this in the logs since. I have 200+ pages of this error in observium. It stopped now. Is there anything I can do to help diagnose? I have backups of previous configs. I can try to revert to check. Do you think it's worth it?

                  cmb

                  Do you see any other logs with that same tracker ID?

                  It might have been logging things with IP options set for some reason, though can't say I've ever seen or heard of that.

                    Hugovsky

                    I think I've found the problem. I only get those if I enable logging in pfBlockerNG. Either individual list or in global in general tab.

                      Hugovsky

                      Maybe something about the way the package logs? Should I post in pfBlockerNG thread?

                        phil.davis

                        I was looking into Firewall Log GUI issues a few weeks ago and it was an issue with IGMP packets not being parsed and displayed on the GUI:
                        Firewall Log does not display logged IGMP packets
                        https://github.com/pfsense/pfsense/pull/1456
                        https://forum.pfsense.org/index.php?topic=87723.0

                        At that time I noticed that IGMP packets seemed to always come in the logs, even if a matching rule had logging off. The rule could be pass or block. I never got back to really test and see exactly what combination was the cause.

                        I will have a look again now and see if I can reproduce it…

                        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                          phil.davis

                          Here is an example of an IGMP packet being logged against a pass rule with no logging on.
                          In my LAN rules I have a pass rule from LANnet to everywhere that is not "INF_subnets" (not the company intranet) and sending it to gateway group Balanced_Traffic. (see screenshot)
                          Then pass anything else from LANnet straight to the routing table (should be company intranet traffic)
                          Then block and log everything else (should not be anything else to see).

                          In /tmp/rules.debug this has:

                          pass  in  quick  on $LAN  $GWBalanced_Traffic inet from 10.49.80.0/22 to ! $INF_subnets tracker 1418272799 keep state  label "USER_RULE: Send other LAN traffic to WiMax first"
                          pass  in  quick  on $LAN inet from 10.49.80.0/22 to any tracker 1418272800 keep state  label "USER_RULE: Default allow LAN to any rule"
                          block  in log  quick  on $LAN inet from any to any tracker 1418272801  label "USER_RULE: Block and log anything else not from LAN net"
                          

                          But IGMP packets passed by rule 1418272799  appear in the firewall log - I can see them in text form with:

                          clog /var/log/filter.log | grep igmp
                          

                          and after applying this commit to fix display of IGMP in the firewall log GUI, https://github.com/pfsense/pfsense/commit/091195f09e627f575bb195006d255ad4e85dfef7 I can see them in the GUI, like the screenshot.

                          Seems like a bonus feature?  :P

                          LAN-rules-end.png
                          IGMP-Firewall-Logs.png

                            Cino

                            I see them too :-( How can we make them stop? lol

                            
                            Feb 10 11:24:57 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 11:24:57 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 11:25:02 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 11:50:43 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0x0,,1,16041,0,none,2,igmp,40,192.168.0.100,224.0.0.22,datalength=16
                            Feb 10 11:50:43 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0x0,,1,16042,0,none,2,igmp,40,192.168.0.100,224.0.0.22,datalength=16
                            Feb 10 11:50:43 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0x0,,1,16043,0,none,2,igmp,40,192.168.0.100,224.0.0.22,datalength=16
                            Feb 10 11:50:43 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0x0,,1,16044,0,none,2,igmp,40,192.168.0.100,224.0.0.22,datalength=16
                            Feb 10 11:50:43 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0x0,,1,16047,0,none,2,igmp,40,192.168.0.100,224.0.0.22,datalength=16
                            Feb 10 11:51:48 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 11:51:48 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 11:51:51 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 11:51:51 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 11:51:54 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 12:12:45 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 12:12:48 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 12:12:49 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 12:12:49 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 12:12:51 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 12:13:27 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 12:13:27 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 12:13:29 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 12:13:29 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            Feb 10 12:13:34 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
                            
                            
                              phil.davis

                              > I see them too :-( How can we make them stop? lol

                              I raised a bug report: https://redmine.pfsense.org/issues/4383
                              I could not see where I could fix this in pfSense PHP code. I concluded that it is somewhere in "pf" in real compiled code from pfSense-tools, so I will let the devs get onto it in due course.
                              I'll resist using the compiler as long as I can find interpreted code bugs to fix  ;)

                              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
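
The check the thread performs by hand (take the tracker ID from a filterlog line, look it up in /tmp/rules.debug, and see whether the matching rule asks for logging) can be scripted. This is an added example, not code from the thread or from pfSense; the function names are hypothetical, the rules are adapted from the rules.debug excerpts above, and the log lines are constructed except for the one quoted from the first post.

```python
import re
# Leading CSV fields of an IPv4 filterlog entry, in the order seen in the thread's log lines.
FIELDS = ["rulenum", "subrule", "anchor", "tracker", "iface", "reason", "action",
          "direction", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
          "proto_id", "proto", "length", "src", "dst"]

# Rules adapted from the /tmp/rules.debug excerpts quoted in the thread.
SAMPLE_RULES = '''
pass  in  quick  on $LAN  $GWBalanced_Traffic inet from 10.49.80.0/22 to ! $INF_subnets tracker 1418272799 keep state  label "USER_RULE: Send other LAN traffic to WiMax first"
block  in log  quick  on $LAN inet from any to any tracker 1418272801  label "USER_RULE: Block and log anything else not from LAN net"
pass  in  quick  on $LAN inet proto tcp  from 192.168.50.0/24 to any port $outgoing_ports tracker 0100000101 flags S/SA keep state  label "USER_RULE: Default allow LAN -> internet to any rule"
'''
# Constructed log lines in the thread's format; the last one is the line from the first post.
SAMPLE_LOG = [
    "Feb 10 11:24:57 pfsense filterlog: 195,16777216,,1418272799,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,10.49.80.10,224.0.0.22,datalength=16",
    "Feb 10 11:25:01 pfsense filterlog: 197,16777216,,1418272801,em2,match,block,in,4,0x0,,64,1234,0,none,17,udp,60,172.16.5.5,10.49.80.1,5353,5353,40",
    "FILTERLOG : 148,16777216,,100000101,em0_vlan3,ip-option,pass,in,4,0x0,,1,43293,0,none,2,igmp,32,192.168.50.31,224.0.0.252,datalength=8",
]

def parse_filterlog(line):
    """Return a dict for one IPv4 filterlog line, or None if it is not one."""
    m = re.search(r"filterlog\s*:\s*(\S+)", line, re.IGNORECASE)
    parts = m.group(1).split(",") if m else []
    if len(parts) < len(FIELDS) or parts[8] != "4" or not parts[3].isdigit():
        return None
    return dict(zip(FIELDS, parts), tracker=int(parts[3]))

def rules_by_tracker(rules_text):
    """Map tracker ID -> list of booleans, True where that rule has the pf 'log' keyword."""
    rules = {}
    for rule in rules_text.splitlines():
        m = re.search(r"\btracker\s+(\d+)", rule)
        if m:
            # Drop the label first: its free text may contain the word "log".
            tokens = re.sub(r'label\s+"[^"]*"', "", rule).split()
            # rules.debug zero-pads the tracker (0100000101); the log does not.
            rules.setdefault(int(m.group(1)), []).append("log" in tokens)
    return rules

def unexpected_entries(log_lines, rules_text):
    """Log entries whose tracker matches only rules that do not request logging."""
    rules = rules_by_tracker(rules_text)
    hits = []
    for e in filter(None, map(parse_filterlog, log_lines)):
        if e["tracker"] in rules and not any(rules[e["tracker"]]):
            hits.append((e["tracker"], e["reason"], e["proto"], e["src"], e["dst"]))
    return hits

if __name__ == "__main__":
    print(unexpected_entries(SAMPLE_LOG, SAMPLE_RULES))
```

On the sample data both IGMP entries are reported with reason `ip-option`, while the entry from the rule that carries the `log` keyword is not.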
