Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Filter logs showing traffic that doesn't make sense

    Scheduled Pinned Locked Moved Firewalling
    4 Posts 2 Posters 259 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • dnxD Offline
      dnx
      last edited by dnx

      I'm starting to get very confused about my ruleset. It looks like traffic is not matching rules that it should, or is logging weirdly. And now I wonder if I'm just not understanding some fundamentals.

      Looking in this example at a specific LAN host (172.16.0.195) talking out to an internet host (172.104.93.253) - a daily Nessus scan. FYI my WAN address is 150.101.221.210, and the 10.20.22.216 is apparently my gateway (I'm on FTTN so I assume this comes from the ISP CPE).

      In the logs I have 10's of thousands of passed outbound packets, all matching rule 55 on pppoe0. I've checked WAN and LAN rulesets and there is no 55, but on the command line I can see it.

      out_1.png

      @55(1000003811) pass out log route-to (pppoe0 10.20.22.216) inet from 150.101.221.210 to ! 150.101.221.210 flags S/SA keep state allow-opts label "let out anything from firewall host itself"

      I've tried creating rules on both WAN and LAN to match and log (initially to not log was the intent but have turned on logging to see in any match), but these out logs are confusing.

      If I look at IN logs, I do see the logs matching a rule on LAN. So that bit makes sense I guess, but these out logs confuse me a lot.

      I wonder if it's because of the DF flag in this traffic? But if so, why? And why is the traffic logged with the WAN interface rather than only having the LAN address?

      My ruleset looks like a mess now as I was trying all sorts of things out, but here are some screenshots.

      out_wan.png out_lan.png

      Would really appreciate some insight.

      1 Reply Last reply Reply Quote 0
      • kiokomanK Offline
        kiokoman LAYER 8
        last edited by

        @55 is the id assigned to the rule
        to get those rule numbers you need to run "pfctl -vvsr" from the shell or Diagnostics > Command.

        if you click the action icon on a log entry, it shows you the corresponding rule.
        that said you have a rule with label "let out anything from firewall host itself" somewhere that match that traffic

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        1 Reply Last reply Reply Quote 0
        • dnxD Offline
          dnx
          last edited by

          I'm pretty sure that rule 55 - "let out anything from firewall host itself" is a default rule, I see plenty of references to this rule on the forums and it looks like it's related to outbound NAT. Most likely the second of these:

          nat.png

          Thinking about it again also, for the LAN rule that is matching, why does that get logged as IN, as isn't it OUT traffic? I understand it's IN from the LAN, but the traffic itself is heading to that internet host, so, that's confusing I suppose.

          1 Reply Last reply Reply Quote 0
          • dnxD Offline
            dnx
            last edited by

            II worked it out. I had to add a Floating rule of Pass - src 'this firewall' - dst Internet Host IP - Quick - No Log.

            That seems to make sense given NAT.

            I understand things being matched as IN now also, all interface rules are IN.

            Although I'm still a little confused as to how I can have that floating rule only match if the traffic originated from the one specific LAN port (or if that's even useful) - and it seems it's default to log on the default rule, which means you kinda get double logs if it already matches on interface specific rules.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.