Logging Issues



  • Version: 2.3.2-RELEASE (amd64) built on Tue Jul 19 12:44:43 CDT 2016 FreeBSD 10.3-RELEASE-p5

    Logging issues:

    1)  I have an interface dedicated to monitoring equipment on the LAN interface protected by pfSense.
    There are exactly two firewall rules:
    Action   Protocol    Source   Port   Destination   Port   Gateway   Queue   Schedule   Description
    Pass     IPv4 ICMP   *        *      *             *      *         none               ICMP monitoring traffic only
    Block    IPv4+6 *    *        *      *             *      *         none               Dismiss all other traffic

    The objective is to avoid loading the pfSense logs with gibberish from the monitoring network.
    Unless I clear the “Log packets matched from the default block rules in the ruleset” check box in “Status / System Logs / Settings”, the logs are full of entries such as:

    Block   Oct 4 14:59:29   ADMINISTRATION   [fe80::225:90ff:fecd:9428]:546   [ff02::1:2]:547   UDP

    The second rule should drop everything: why am I still seeing this clutter in the logs?

    2)  I have an IPSEC interface with the following pass all rule:

    Action     Protocol   Source   Port   Destination   Port   Gateway   Queue   Schedule   Description
    Pass&Log   IPv4 *     *        *      *             *      *         none               Pass all IPSEC traffic.

    While I would expect all packets logged, I get EXACTLY one entry per L2TP session:

    Pass   Oct 4 15:36:37   IPsec   “SOURCE”:63617   “WAN ADDRESS”:1701   UDP

    This is great to verify that L2TP logging is working, but I don’t understand why only a single packet is being logged. Can someone explain?

    3)  I have an L2TP interface with the following pass all rule:

    Action     Protocol   Source   Port   Destination   Port   Gateway   Queue   Schedule   Description
    Pass&Log   IPv4 *     *        *      *             *      *         none               Pass all L2TP traffic.

    Nothing ever gets logged! I can ping any host or nmap the entire LAN segment, nothing is ever logged. Can someone explain?

    4)  I have the following two rules at the beginning of the ruleset for the LAN interface:

    Action     Protocol   Source             Port   Destination        Port   Gateway   Queue   Schedule   Description
    Pass&Log   IPv4 *     *                  *      192.168.110.0/24   *      *         none               Test
    Pass&Log   IPv4 *     192.168.110.0/24   *      *                  *      *         none               Test

    The L2TP gateway is at 192.168.110.1 and the L2TP clients are in the subnet 192.168.110.128/25.

    Nothing ever gets logged, although each live host responds to pings.

    So, I am a bit at a loss to debug this L2TP/IPSEC installation. I can see that my test user logs in and out, that ICMP is working properly, but I cannot confirm that packets are actually routing or NATing in this setup.

    Is there a fix for this logging issue?

    Kind regards,


  • LAYER 8 Global Moderator

    Would be so much easier to read with some pics...

    But with 4): so your LAN network is what exactly? Those rules make no sense. Why do you have a rule for the dest network, and then another rule with that same network as the source? What is the network on your LAN?? If your L2TP clients are /25, why are the rules /24?

    Rules are evaluated top down inbound into the interface, first rule to trigger wins - the rest of the rules are not evaluated once a rule fires. So when traffic is dest to this 192.168.110 network, how would that ever be the source inbound into the interface??

    So you're logging a UDP packet - do you think it should log every single packet?? The log would be useless... just flooded...
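The two behaviours discussed in this thread (top-down first-match evaluation, and a Pass&Log rule producing one log line per L2TP session rather than one per packet, as in question 2) can be seen in a small toy model. This is an added example and not pfSense or pf code; the packets, addresses and the "state" bookkeeping are constructed here to stand in for the real traffic and for pf's state table.

```python
# Toy model of pf's first-match, stateful evaluation. Added example, not pfSense code;
# packets are constructed to stand in for the thread's L2TP/IPsec traffic.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str   # "pass" or "block"
    log: bool
    proto: str    # "any", "icmp", "udp", "tcp"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"

    def matches(self, pkt):
        def in_net(net, ip):  # a v6 address is never inside a v4 network, and vice versa
            return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (self.proto in ("any", pkt["proto"])
                and in_net(self.src, pkt["src"]) and in_net(self.dst, pkt["dst"]))

@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def filter(self, pkt):
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if fwd in self.states:          # packet belongs to an existing state:
            return "pass(state)"        # passed without consulting the ruleset or the log
        for rule in self.rules:         # top-down, first matching rule wins
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.update({fwd, rev})  # state covers both directions
                if rule.log:
                    self.log.append((rule.action, pkt))
                return rule.action
        self.log.append(("block(default)", pkt))  # implicit default deny, logged when enabled
        return "block(default)"

def pkt(proto, src, sport, dst, dport):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def l2tp_session_log_count():
    """Pass&Log IPv4 any: three UDP/1701 packets of one session produce ONE log line."""
    fw = Firewall([Rule("pass", True, "any", "any", "any")])
    flow = [pkt("udp", "203.0.113.5", 63617, "198.51.100.1", 1701)] * 3
    flow.append(pkt("udp", "198.51.100.1", 1701, "203.0.113.5", 63617))  # reply direction
    results = [fw.filter(p) for p in flow]
    return len(fw.log), results
```

Only the packet that creates the state is matched against the rules and logged; every later packet of the session, in either direction, is passed by the state and never reaches the log.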



  • Thank you for your reply.

    The rules in 4) are designed to catch anything going to the default L2TP gateway which must be outside the client range: that made it /24 to keep everything in a single subnet.

    As for the offending direction issue, the idea was to catch anything and everything coming in this interface with this IPv4 address range.

    As for logging, if it doesn't log everything that satisfies the rule, there is an issue. This is my concern at this time.

    Regards,



  • In this L2TP/IPSEC setup, the firewall rules in the interface tab do not seem to apply because of the underlying "incoming" assumption.

    To log traffic from L2TP clients, I created a "pass all" FLOATING rule, interface L2TP/IPSEC, direction outgoing, all IPv4 protocols, TCP flags any, sloppy state.

    That should take care of it, but TCP traffic is simply dropped. So I added a second rule specifically for TCP traffic. The rules are:

    Pass&Log   IPv4 *     *   *   *   *   *   *   none   Secret Rule
    Pass&Log   IPv4 TCP   *   *   *   *   *   none       Redundant Secret Rule

    In summary:

    • the IPSEC interface will only log the first packet of the L2TP exchange
    • all the rules applying to L2TP clients seem to be enforced only in the out direction and must be enforced with a floating rule
    • it is not possible to drop a specific interface from the logs using an explicit block all rule.

    If anybody can enlighten me, I would be grateful.

    Regards,
