LAN: Default Deny IPv4 - Log Question - Out of state?



  • Is the LAN to WAN traffic on the attached screenshot out of state?    How would I know it is out of state if it is?

    My understanding is if a packet was initiated on the LAN side the packet would PASS out to the destination address and then the state table would allow the response to be routed to the appropriate source.

    ![Screen Shot 2016-06-27 at 7.59.39 AM.png](/public/imported_attachments/1/Screen Shot 2016-06-27 at 7.59.39 AM.png)
    ![Screen Shot 2016-06-27 at 7.59.39 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2016-06-27 at 7.59.39 AM.png_thumb)


  • LAYER 8 Global Moderator

    Those are not syn packets, they point to an out of state condition..  Looks like its your echo, which is wireless.  Wireless can have issues with out of states, etc.

    Other then log noise they are normally not a problem since device will just create a new connection that would be allowed.

    if you do not like the log noise for devices that create these a lot like cell phones are notorious.. You can turn off default logging and create your own log rule that only logs blocked syn.



  • Do I turn off default logging in log settings "Log Firewall Default Blocks"?


  • LAYER 8 Global Moderator

    yes you would turn off the logging of the default rule, and then create your own block rule at the end that only logs syn packets.  I do not log udp noise either.  So for example here is the rule I have setup on my wan, it only logs syn packets that are blocked.

    This does not allow anything extra, it just doesn't log all the noise that it is being blocked as well.

    You can get as fancy as you want in what you block and log.  The default block is still there, so stuff that is not explicitly allowed is still blocked, your just not logging it all.  Just log the stuff you want to see in your logs.

    So for example I have included my wan rules, where I block some lists from pfblocker before they even get to my forwards.  But only log the tcp syn stuff, since I run ntp to the ntp pool, but I really don't want all the countries outside of NA that shouldn't be using my ntp anyway, that is blocked in the udp block but not logged..

    Again you can get as granular or broad as you want.  The default log of blocked is very very broad stroke logging everything it blocks which can depending on your network be very noisy..  If your troubleshooting something you can always just turn that back on, etc.  And it will then log anything your explicit block/log doesn't list.






  • Hi John,

    Thank you for you willingness to help.  It may take me some time to wrap my head around this, so please bear with me!

    I get that you have opened a port to an ntp server on the WAN interface and you use pfBlockerNG to keep non-North American countries from accessing it.  So you created two pfBlockerNG lists, one TCP that logs, and a UDP version that does not log.  By having two, you have control over which blocked protocol logs.

    @johnpoz:

    But only log the tcp syn stuff

    Did you choose to log TCP SYN because these are genuine connection attempts?  I guess I don't understand what this feedback gives you in the log and how you use it.    Is it verification the rule blocks are actually working (without the extra noise)?

    So for my little home network, I have decided to stop being open on the WAN and remove port forwards to pfSense SSH and webgui.  My IP camera ports are going to be closed too.  I understand I will be much safer if I just use openVPN to access the network when out of home.  So with no open ports, I think my WAN side is as secure as I can make it.  pfSense automatically blocks all incoming packets unless I do something ill advised, like opening ports unecessarily.

    The reason I have been scanning the logs is to see what my LAN devices are up to.  This helped me to identify odd outbound traffic from my foscam cameras and my qnap nas to china and shut the causes down.  So to remove the noise from my logs and be able to monitor activity, I would need to setup a LAN pass rule and then only log TCP SYN traffic?  That would allow me to see what my LAN devices are up to in the logs.    Or could I just add TCP SYN logging to the default allow rule?

    Again, thank you for taking the time to help me out!

    Jerold


  • LAYER 8 Global Moderator

    To be honest just log to see what is they are trying to do ;)  Lots of hits on 22, 23, 3389, etc. Those are very common.  No real reason to log, guess its nice to see something in there every now and then as sure verification its blocking and logging.

    I only block tcp syn because yes those are actual attempts and connection.

    Good idea to stop forwards, I only forward ntp since its a hobby of mine and like to support the effort of ntp servers.  Other forwards is for my dvr, not sure if even needed.  But they call for those ports to be open inbound.  Could look at log to see if ever used.

    I do the same thing anything I want to access on my network I just vpn in..  I do that from work almost every single day.

    If what your looking to do is watch what your lan stuff is doing.. You could just start creating rules that block what you don't want to see in your logs..  So what rule did you create on your lan that is causing you log entries the default on the lan is any any so there really should be no blocks.

    So you put in a deny on your lan, and then allow rules for specific traffic above it - post up your lan rules and we can take a look see.


Log in to reply