RRD shows high number of blocked packets, but logs do not.
-
Hey guys,
Try to get to the bottom of a problem. The packet graphs show we're blocking quite a few packets, but our logs do not show what they are. How do I figure out what is going on?
If you look at the attachment, it says we're blocking 1000/sec. If I look at my firewall block logs, I have 85 entries. What gives?
 -
Have you tried looking at your logs to see what's being blocked?
-
That's exactly the problem… RRD shows I'm blocking 1000 packets / second but my logs are showing very little activity. I'm trying to figure out what is being blocked, but it's not in my logs.
-
Then you must have a rule that is blocking but not logging.
-
So I only had three rules that would have qualified, and I disabled them all.
Still seeing the traffic and not seeing the logs…
-
How do you know its blocked packets?
I cant seem to find the setting that shows blocked packets.
@j@svg:
That's exactly the problem… RRD shows I'm blocking 1000 packets / second but my logs are showing very little activity. I'm trying to figure out what is being blocked, but it's not in my logs.
-
The RRD PPS graph he posted shows blocked PPS of near 1k/s, the light red color.
-
Did you disable logging on the default rules? Status>System logs, Settings tab.
-
Log packets matched from the default block rules put in the ruleset
Hint: packets that are blocked by the implicit default block rule will not be logged if you uncheck this option. Per-rule logging options are still respected.That option -is- checked.
On my syslog settings, I have firewall rules -not- sent to syslog, so I disabled syslog completely. No dice :/
-
I'm an idiot, I just re-read that carefully. Let me try it…
-
Nope, doesn't make a difference. argh
-
So you have no firewall logs at all then? Sounds like you've disabled all logging, or at least logging of default block and other rules. Turn on local logging again, and make sure default blocks are all logging.