Netgate Discussion Forum

    Limit logging per source IP?

      rmaeder:

      Is there a way to limit logging to one entry per x seconds per source IP per rule?
      Port scanners and ssh brute forcing attempts also fill up log files.
      By limiting to one entry per source IP, one would still obtain the most useful information about who attacks us, but not fill the log files with pointless repetitions that make it difficult to spot important entries.

        jimp (Rebel Alliance Developer, Netgate):

        No, because they are all different in some way; pf doesn't have any mechanism to collapse them.

        It only logs the first packet of a connection when set to log, but for block rules a connection is never established, so every packet is blocked.

        If you send logs to a syslog server, whatever you have managing your logs there may be able to squash or summarize the entries in some way, but that's outside the scope of the firewall.

          rmaeder:

          @jimp:

          No, because they are all different in some way; pf doesn't have any mechanism to collapse them.

          It only logs the first packet of a connection when set to log, but for block rules a connection is never established, so every packet is blocked.

          But isn't the "max src. conn. rate" something similar? It seems to be able to keep count of the number of connection attempts from a source, and this could presumably also be used for counting log entries. With iptables I would use the recent module to count how often a rule is hit (per source).
          The problem is that repeated log entries fill up what little space there is, for example in the Firewall Logs widget, and so more important lines quickly scroll off the screen.

            jimp (Rebel Alliance Developer, Netgate):

            No, because that only applies to pass rules, which already only log the first entry.

            That sets a state/rate limit for connections passed by a rule. After that limit they are blocked (and logged…)

              rmaeder:

              @jimp:

              No, because that only applies to pass rules, which already only log the first entry.

              That sets a state/rate limit for connections passed by a rule. After that limit they are blocked (and logged…)

              Subtle, but I see the point (I think).

              Making rules more complicated to limit logging is probably not advised, anyway.
              The task of limiting/filtering could equally well be done by the viewers.
              If the Log widget or Status/SystemLogs had a way to collapse adjacent similar entries in the listings that would be sufficient.

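As an added example (not from this thread, pfSense or Netgate) of the two things raised above, syslog-side summarizing on the server and collapsing adjacent similar entries in a viewer, here is a small Python filter that keeps one summary per block rule and source IP per time window and counts the suppressed repeats. The field positions are an assumption based on the pfSense IPv4 filterlog CSV layout (tracker, action, protocol, source, destination, destination port), the log lines are constructed, and the year is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed pfSense filterlog lines (not real traffic): block rule tracker
# 1000000103 hit repeatedly by two scanning sources.
SAMPLE = """\
Jan  5 10:00:01 pfSense filterlog[123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,40001,22,0,S,1,,65535,,mss
Jan  5 10:00:02 pfSense filterlog[123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,2,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,40002,22,0,S,1,,65535,,mss
Jan  5 10:00:03 pfSense filterlog[123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,198.51.100.7,192.0.2.10,50001,23,0,S,1,,65535,,mss
Jan  5 10:00:05 pfSense filterlog[123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,4,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,40003,22,0,S,1,,65535,,mss
Jan  5 10:01:30 pfSense filterlog[123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,5,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,40004,22,0,S,1,,65535,,mss
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ filterlog\[\d+\]: (.*)$")

def parse(line, year=2025):
    """Pick the fields we key on. Assumed IPv4 filterlog CSV layout:
    tracker=3, action=6, proto=16, src=18, dst=19, dport=21. Year is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.group(2).split(",")
    if len(f) < 22:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "tracker": f[3], "action": f[6], "proto": f[16],
            "src": f[18], "dst": f[19], "dport": f[21]}

def collapse(text, window=60):
    """One summary per (rule tracker, source IP) per `window` seconds; later
    hits inside the window only bump the count and the destination-port set."""
    windows, out = {}, []
    for line in text.splitlines():
        e = parse(line)
        if e is None or e["action"] != "block":
            continue
        key = (e["tracker"], e["src"])
        w = windows.get(key)
        if w is None or (e["ts"] - w["first"]).total_seconds() >= window:
            w = {"first": e["ts"], "tracker": e["tracker"], "src": e["src"],
                 "dst": e["dst"], "proto": e["proto"], "count": 0, "dports": set()}
            windows[key] = w
            out.append(w)
        w["count"] += 1
        w["dports"].add(e["dport"])
    return out

def render(summaries):
    """Format each window as one log line carrying the suppressed-repeat count."""
    return ["%s rule %s %s -> %s %s dport %s x%d" % (w["first"].strftime("%H:%M:%S"),
            w["tracker"], w["src"], w["dst"], w["proto"], ",".join(sorted(w["dports"])), w["count"]) for w in summaries]
```

Run `render(collapse(SAMPLE))` to see the five sample lines reduced to three, with the port set showing whether a source was scanning or hammering one service.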
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.