Firewall rule logging
  • Hello,
    I have set logging on a firewall rule on the LAN network that logs everything; in my remote system log I see every packet that passes through the router… But I don't understand something: when there is a download or upload of a file on the LAN, shouldn't I receive many entries in the system log? Why don't I receive anything? Am I missing something in the logging configuration?



  • Hi.

    You're only logging traffic leaving the firewall's LAN interface. You can't log traffic inside your LAN on the firewall.



  • But doesn't any download or upload pass through the firewall's LAN interface?



  • Traffic from PC1 to PC2 will not be logged since it doesn't hit the firewall's interface.

    Traffic from PC1 to PC3 will be logged since it leaves the "LAN" interface on the firewall to reach PC3.

    The way I read your question is that you don't understand why you don't see anything in the log when you're downloading/uploading files internally in your LAN.



  • No, I don't mean the internal LAN… I mean if a PC downloads or uploads a file from the internet I don't see anything in the log.
    Thanks for your explanation; I mean traffic from PC1 to PC3 isn't logged for file downloads or uploads...

    Edit:
    Maybe I can explain myself better with this example:

    Taking your network topology diagram as reference, if PC1 sends 100 ICMP packets to PC3, the firewall log shows me only 1 ICMP packet.

    Is there a way to show all 100 ICMP packets in the log?



  • @ninoalcamo:

    No, I don't mean the internal LAN… I mean if a PC downloads or uploads a file from the internet I don't see anything in the log.
    Thanks for your explanation; I mean traffic from PC1 to PC3 isn't logged for file downloads or uploads...

    Edit:
    Maybe I can explain myself better with this example:

    Taking your network topology diagram as reference, if PC1 sends 100 ICMP packets to PC3, the firewall log shows me only 1 ICMP packet.

    Is there a way to show all 100 ICMP packets in the log?

    Oh, that's a good question. I'm not that familiar with pfSense, but my bet would be that all hits on a rule should be logged.


  • Rebel Alliance Global Moderator

    "if PC1 sends 100 ICMP packets to PC3, the firewall log shows me only 1 ICMP packet."

    Why would it log it 100 times? It creates a state, and until that state is closed it's all in the 1 log entry.

    What you're asking is to log every single packet - that would be a very, very bad idea…



  • PF does have an option for that, log(all). It's not exposed in the pfSense GUI in any way as far as I know, and in case you want to sniff traffic you're much better off with packet capture or using tcpdump directly.
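    The two posts above describe the same mechanism from two sides: with a plain `log` keyword a stateful filter writes one entry when the packet creates a state and then passes the rest of the flow against that state silently, while `log (all)` writes an entry for every matching packet. The following simulation is an added example for this thread, not pfSense or pf code; it models that decision with a deliberately simplified state table (pf's real state key also covers interface, direction and TCP sequence tracking) and goes one step beyond the thread by showing that a second entry appears once the state has expired. The `Packet` record, `StatefulFilter` class, the IP addresses and the log line format are all assumptions of this example, and the sample packets are constructed inline.

```python
"""Simulate per-state versus per-packet firewall rule logging.

Added example, not pfSense/pf code. Two logging modes are modelled:
  'first' -> pf `log`: log the packet that creates the state only
  'all'   -> pf `log (all)`: log every packet the rule matches
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    ident: int       # ICMP echo id, or source port for TCP/UDP
    dport: int = 0   # destination port (0 for ICMP)


# Assumed state key; real pf tracks more (interface, direction, seq numbers).
StateKey = Tuple[str, str, str, int, int]


class StatefulFilter:
    """Minimal state table with a 'first' (pf `log`) or 'all' (pf `log (all)`) mode."""

    def __init__(self, log_mode: str = "first") -> None:
        if log_mode not in ("first", "all"):
            raise ValueError("log_mode must be 'first' or 'all'")
        self.log_mode = log_mode
        self.states: Dict[StateKey, int] = {}   # state key -> packets matched
        self.log: List[str] = []                # constructed log lines

    @staticmethod
    def _key(p: Packet) -> StateKey:
        return (p.proto, p.src, p.dst, p.ident, p.dport)

    def handle(self, p: Packet) -> None:
        """Pass one packet: create or update its state, log if the mode says so."""
        key = self._key(p)
        creates_state = key not in self.states
        self.states[key] = self.states.get(key, 0) + 1
        if creates_state or self.log_mode == "all":
            self.log.append(f"pass in {p.proto} {p.src} -> {p.dst} id={p.ident}")

    def expire_states(self) -> None:
        """Emulate a state timeout (or a TCP FIN/RST closing the state)."""
        self.states.clear()


def count_log_entries(log_mode: str, packets: int, expire_after: int = 0) -> int:
    """Send `packets` ICMP echo requests from PC1 to PC3 through the filter and
    return the number of log entries produced. If `expire_after` > 0 the state
    is expired after that many packets, as the pf ICMP timeout would do."""
    fw = StatefulFilter(log_mode)
    for i in range(1, packets + 1):
        # Constructed addresses: PC1 on the LAN, PC3 on the far side of the firewall.
        fw.handle(Packet("icmp", "192.168.1.10", "203.0.113.5", ident=0x1234))
        if expire_after and i % expire_after == 0:
            fw.expire_states()
    return len(fw.log)


if __name__ == "__main__":
    print("log, 100 pings           :", count_log_entries("first", 100), "entry")
    print("log (all), 100 pings     :", count_log_entries("all", 100), "entries")
    print("log, state expired at 50 :", count_log_entries("first", 100, 50), "entries")
```

    Running it reproduces the thread's observation (100 pings, 1 entry under `log`, 100 under `log (all)`) and shows why the moderator's "until that state is closed" qualifier matters: once the ICMP state times out, the next echo request creates a fresh state and a second log entry. The per-packet cost of mode `all` is exactly the resource concern raised above, which is why a packet capture on the interface is the usual tool when every packet is wanted.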


  • Rebel Alliance Global Moderator

    It would be very resource intensive to log every packet. I would not recommend it at all. As mentioned, if you need to look at traffic, sniff it.



  • Thanks for the explanation.