Firewall logging



  • Hi, new to pfSense and have a logging question. I am basically trying to follow who's doing what. Sometimes in the firewall log I see a LAN entry from a specific IP and its external destination, then I see the corresponding entry for the WAN interface going to the same destination and port. This is what I would expect, but that's not always the case. Obviously if it's blocked I wouldn't expect to see anything on the WAN interface, and I am sure pfSense has some traffic of its own. My concern is when I see WAN entries as the source (allowed) going to external IPs with no corresponding LAN entries. What are they and where are they from?

    Am I missing something, or should there be a one-for-one entry when a machine on my network makes an external connection: one for the LAN interface and one for the WAN interface?

    Thanks


  • Rebel Alliance Global Moderator

    What are you logging? Out of the box pfSense does not log any traffic outbound from the LAN, nor would it log any outbound connections from the WAN.

    pfSense itself checks if there is a new version, packages, etc. So it's quite possible the traffic you are seeing could be from pfSense itself.

    I would need to understand what logging you set up and what you're seeing exactly to discuss it in more detail.



  • Thanks for the info. I have the default rule set to log traffic so I can see as much as possible. I actually think a lot of it is pfSense itself. I see a lot of port 53. It seems that there is usually a large chunk of WAN entries at the same time. I'm going through the logs just to make sure I understand how things work. I have not had this level of granularity before. Just newness, I guess.

    Thanks again for the help


  • Banned

    If your network is small enough, try assigning static IPs and grouping them into aliases as necessary.
    You can also write aliases for ports as necessary.

    Basically, try writing more specific rules to keep track of the stuff you want to know. As you have seen, logging everything may be more noise than useful information.


  • Rebel Alliance Global Moderator

    Setting the default rule to log would not log what is going out the WAN. It would just log what hits the pfSense LAN, and whether it was allowed or blocked, with source and destination.

    Yes, there are going to be lots of DNS requests (53) when you surf, or even when you go to one site.

    Out of the box pfSense uses a resolver (unbound). So when some client behind pfSense asks pfSense DNS for www.google.com and it has not already been cached, the resolver (pfSense itself) walks down the tree from the roots:

    Hey root nameserver, what is the NS for .com?
    Hey .com NS, what is the NS for google.com?
    Hey google.com NS, what is the IP address of www.google.com?

    Now think about how many domains are used when you hit some typical website, and then walking down the tree for all those FQDNs. Keep in mind that this is only the first time; after something has been looked up it will be cached for the length of the TTL of that record.

    So yeah, normal traffic is going to create a bit of DNS traffic out the WAN from the pfSense WAN IP, and it will not show in your state table with an internal IP that created it.

    edit:  Modified wording to reflect what I meant to say ;)  See next 2 posts..



  • @johnpoz:

    So yeah normal traffic is going to create a bit of dns traffic out the wan from the pfsense wan IP and will not show in your state table.

    What??? Unless you mean something very different than what I'm thinking you mean, you're very wrong here. Any traffic going out via the WAN is going to create a state, because that's what PF does unless you explicitly tell it not to create a state for matched traffic with "no state". Even if the default policy rule of allowing outgoing traffic is not directly shown, there is still a rule that matches that traffic, and that rule uses "keep state". For example, from my system's /tmp/rules.debug:

    
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out  inet all keep state allow-opts tracker 1000004765 label "let out anything IPv4 from firewall host itself"
    
    

  • Rebel Alliance Global Moderator

    @kpa, you are correct, it would be in the state table.

    What I meant is it won't show in his state table with a source IP from the device on the inside, since the traffic would be generated by pfSense itself. Bad wording on my part! Thanks for calling me on it…

    So for example, here is a state created by my internal box going out to the internet:
    24.13.publicIP:41202 (192.168.9.100:59308) -> 40.127.97.225:80

    While this one is created by the firewall itself:
    24.13.publicIP:56717 -> 162.208.119.40:443

    Which is a connection to files.pfsense.org.

    I should have worded that more clearly. Thanks!
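The two state lines johnpoz quotes above are the practical answer to the original question: a state with a pre-NAT address in parentheses belongs to a LAN host and should have a matching LAN-interface log entry, while a state with only the WAN IP as source was opened by pfSense itself (the resolver walking down from the roots on port 53, version and package checks, and so on). The following is an added example, not code from the thread or from the pfSense project, that parses state-table lines in exactly the shape quoted in the thread (`wanip:port (lanip:port) -> dst:port` for NAT'd states, `wanip:port -> dst:port` for firewall-originated ones, with an optional leading protocol token as `pfctl -ss` prints it) and sorts them into those categories. The sample lines are constructed for the demo; the two taken from the thread are kept as-is and the rest (including the root and .com server addresses) were chosen only as plausible destinations.

```python
"""Sort pf/pfSense state-table entries into NAT'd LAN-host traffic versus
traffic the firewall host originated itself.

Added example for the thread above; not pfSense code. It assumes the line
shape quoted in the thread and, optionally, a leading protocol token such as
`udp`. IPv6 addresses (which contain colons) are deliberately not handled.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

STATE_RE = re.compile(
    r"^\s*(?:(?P<proto>tcp|udp|icmp)\s+)?"            # optional protocol token
    r"(?P<src>[^\s(:]+):(?P<sport>\d+)"                # WAN-side (translated) source
    r"(?:\s+\((?P<osrc>[^\s:]+):(?P<oport>\d+)\))?"    # pre-NAT LAN source, if any
    r"\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)"         # destination
)

# Constructed sample: the first two lines are the ones quoted in the thread,
# the rest are made up to show resolver queries and a second NAT'd state.
SAMPLE_STATES = """\
24.13.publicIP:41202 (192.168.9.100:59308) -> 40.127.97.225:80
24.13.publicIP:56717 -> 162.208.119.40:443
udp 24.13.publicIP:53820 -> 198.41.0.4:53
udp 24.13.publicIP:53821 -> 192.5.6.30:53
udp 24.13.publicIP:61544 (192.168.9.100:51022) -> 40.127.97.225:443
"""


@dataclass
class State:
    proto: Optional[str]
    src: str
    sport: int
    orig_src: Optional[str]     # internal host before outbound NAT, or None
    orig_sport: Optional[int]
    dst: str
    dport: int

    @property
    def firewall_originated(self) -> bool:
        """No NAT tuple means pf never translated the packet: the firewall
        host itself opened the connection from its WAN address."""
        return self.orig_src is None


def parse_state(line: str) -> Optional[State]:
    """Parse one state line; return None for lines that don't match."""
    m = STATE_RE.match(line)
    if not m:
        return None
    return State(
        proto=m["proto"],
        src=m["src"], sport=int(m["sport"]),
        orig_src=m["osrc"],
        orig_sport=int(m["oport"]) if m["oport"] else None,
        dst=m["dst"], dport=int(m["dport"]),
    )


def classify(state: State) -> str:
    """Label a state the way the thread explains it."""
    if not state.firewall_originated:
        return "lan-host"        # expect a matching LAN-interface log entry
    if state.dport == 53:
        return "firewall-dns"    # unbound walking the tree from the roots
    return "firewall-self"       # version/package checks and the like


def summarize(states_text: str) -> Counter:
    """Count states per category, skipping lines that don't parse."""
    counts: Counter = Counter()
    for line in states_text.splitlines():
        st = parse_state(line)
        if st is not None:
            counts[classify(st)] += 1
    return counts


def lan_hosts(states_text: str) -> set:
    """Internal addresses that actually generated outbound states."""
    hosts = set()
    for line in states_text.splitlines():
        st = parse_state(line)
        if st is not None and not st.firewall_originated:
            hosts.add(st.orig_src)
    return hosts


if __name__ == "__main__":
    for line in SAMPLE_STATES.splitlines():
        st = parse_state(line)
        print(f"{classify(st):14s} {line}")
    print(dict(summarize(SAMPLE_STATES)), lan_hosts(SAMPLE_STATES))
```

To run it against a live box, feed it the output of `pfctl -ss` (or the State table page under Diagnostics) instead of SAMPLE_STATES; anything that lands in `firewall-self` and is not an address you recognise from pfSense's own update or package servers is the short list worth looking at, and `firewall-dns` is the resolver noise the thread describes.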