Netgate Discussion Forum
    @5 block drop in log inet all label "Default deny rule IPv4"

Firewalling
7 Posts, 4 Posters, 9.4k Views
osa14522

This is with regard to the following post, and I believe the answer is here. In short: firewall rules trigger logging of normal, harmless disconnects, often happening with Android phones.

My question is: how do I mute these "harmless" entries? The issue I have with them is that I have quite a few Android phones which do that all the time. I am trying to monitor logs for actually blocked malware/spyware/hacking attempts. The deluge of these entries obfuscates the stuff that I actually want logged (e.g. traffic from/to blacklisted IPs).

Anyone know?

jimp (Rebel Alliance Developer, Netgate)

        Add a rule to pass or block them, set for TCP, and in the advanced options, set TCP Flags to 'any'.

mudmanc4

ISP had some 'issues' in the last 24 hours. Now that the obvious is righted, when using an OpenVPN tunnel through pfSense, everything (all webpage loads) has drastically higher latency, 15-30 second page loads.

Initial observation is that the firewall is now blocking a good percentage of UDP traffic over the VPN.

Which happens to be my local IP.

          With the log stating:

```
Aug 16 12:16:08 	filterlog: 9,16777216,,1000000103,em0,match,block,in,4,0x0,,54,49357,0,DF,17,udp,61,{My-Local-IP},{VPN-server-IP},29363,53,41
```

I have my tin foil hat on here, but considering it: could the ISP be adding something to packets that causes the trigger? Obviously not all VPN traffic is blocked, but enough to cause significant usability issues.

EDIT: Arrhhg, I had the gateway IP set in the VPN config locally, why I can't say. But I had just changed it yesterday before the issues began with the ISP (completely unrelated issue). Always great to get things sorted after you break something just before something else breaks Oo

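The distinction behind jimp's advice and the filterlog line above, as an added example that is not code from the thread or from pfSense: a small Python parser for the IPv4 filterlog record layout that classes blocked TCP packets carrying no SYN (the trailing FIN/ACK/RST of a session whose state already expired, which is exactly what a rule with TCP Flags set to 'any' matches) as stray noise, and keeps every other block for review. The log lines and addresses are constructed placeholders in the same layout as the line posted.

```python
import re
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+)\s+filterlog: (?P<csv>.*)$")

def parse_filterlog_v4(line):
    """Parse one IPv4 filterlog line into a dict; None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 22 or f[8] != "4":
        return None
    # rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
    # offset,ipflags,proto_id,proto,length,src,dst, then sport,dport,datalen[,tcpflags,...]
    entry = {"ts": m.group("ts"), "iface": f[4], "action": f[6], "dir": f[7],
             "proto": f[16], "src": f[18], "dst": f[19],
             "sport": int(f[20]), "dport": int(f[21]), "tcp_flags": None}
    if entry["proto"] == "tcp" and len(f) > 23:
        entry["tcp_flags"] = f[23]  # e.g. "S", "FA", "A", "R"
    return entry

def classify(entry):
    """'stray-tcp': blocked TCP without SYN (state gone, harmless); 'review': other blocks."""
    if entry["action"] != "block":
        return "pass"
    flags = entry["tcp_flags"]
    if entry["proto"] == "tcp" and flags is not None and "S" not in flags:
        return "stray-tcp"
    return "review"

def triage(lines):
    """Count each class and collect the blocked entries still worth a look."""
    counts = {"stray-tcp": 0, "review": 0, "pass": 0}
    review = []
    for line in lines:
        e = parse_filterlog_v4(line)
        if e is None:
            continue
        kind = classify(e)
        counts[kind] += 1
        if kind == "review":
            review.append(e)
    return counts, review

# Constructed sample (RFC 5737 placeholder addresses), laid out like the line in the thread
SAMPLE_LOG = """\
Aug 16 12:16:08 filterlog: 9,16777216,,1000000103,em0,match,block,in,4,0x0,,54,49357,0,DF,17,udp,61,198.51.100.7,203.0.113.9,29363,53,41
Aug 16 12:16:09 filterlog: 9,16777216,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.0.2.5,203.0.113.9,443,50120,0,FA,1234567,7654321,1024,,nop;nop;TS
Aug 16 12:16:10 filterlog: 9,16777216,,1000000103,em0,match,block,in,4,0x0,,49,0,0,DF,6,tcp,60,192.0.2.6,203.0.113.9,54321,22,0,S,99,,65535,,mss
""".splitlines()
```

Running `triage(SAMPLE_LOG)` leaves the UDP block and the SYN to port 22 in the review list and counts the FIN/ACK as stray, which is the split the OP wants the log to make by itself.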
KOM

            ISP had some 'issues' in the last 24 hours. Now that the obvious is righted

            What does any of this have to do with OP's log question??

mudmanc4

              @KOM:

              ISP had some 'issues' in the last 24 hours. Now that the obvious is righted

              What does any of this have to do with OP's log question??

The log I posted is the detailed view to:

```
block drop in log inet all label "Default deny rule IPv4"
```

;)
Aside from this, the complete post should explain any further questions as to why it was posted in this thread.
mudmanc4

                Actually this is why I am against muting log entries.

I was getting the very same entries puking up the logs; if not for those undesirable logs, it may have taken me much longer to track down the issue. Many times logs can be triggered for various reasons, not necessarily what they were initially intended for.

As well, I'm not sure exactly why having the gateway IP in the local VPN 'server' field would have caused this block, nonetheless.

mudmanc4

I have a 'better' answer for your question: since I think in the abstract when there is an issue, and residential ISPs are known for toying with, even blocking, VPNs, and the tech had literally just left within the half hour before I noticed packet loss, I was open to the ISP possibly causing the rule to trigger over {who knows what} packet sniffing.


                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.