Logging default deny and suppressing certain alerts in default deny
-
I have recently re-set up my pfSense server, then got caught up in the 2.4 upgrade cycle. Luckily the 2.4 upgrade just worked!
Anyway - I like to log the default deny alerts in the firewall logs, then I can see any issues and fix rules if required. However, certain alerts, once I have seen them and don't care about them, I like to suppress. For example, UDP on port 5353 keeps spamming the logs. I would like to suppress logging of this if I can.
I tried a floating rule with a block and immediate match and not to log, but the logs still have this. Is there a way of doing this?
Or do people have a different 'workflow'?
-
I have a "block all" at the end of my rules (at the bottom) with logging enabled. I have never tried what you are saying, but if I did I would try setting up a few rules just before my last "block all". In those rules I would turn logging "Off"; those rules would consist of the logs I don't want to see...
i.e.
- All my rules
- "...certain alerts once I have seen and don't care about.." "block" rules with logging "Off"
- "block all" rule with logging "ON"
I would try using aliases in my rule #2 so my rules don't get too many... Don't screw it up and make rule 2 or 3 "Allow"!
Just my 2 cents; open to feedback, alternatives and rude remarks from the community if my suggestion is wrong!
V
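The rule order the reply above describes, written out as a pf ruleset fragment so the logging behaviour is explicit. This is an added example, not anything posted in the thread and not pfSense's own generated ruleset; the interface name em0, the LAN network 192.168.1.0/24, the allowed ports and the mDNS multicast destination are assumptions chosen to match the port 5353 noise in the question.

```pf
# Added example (not from the original thread). Interface, LAN network,
# allowed ports and the mDNS destination are assumptions.
lan_if  = "em0"
lan_net = "192.168.1.0/24"

# Ports whose blocked traffic we have already reviewed and no longer want
# in the log. A macro list plays the role of a pfSense alias, so more
# ports can be added here without adding rules.
suppressed_udp_ports = "{ 5353 }"

# 1. "All my rules": the traffic we actually want to allow. "quick" means
#    the first matching rule wins and later rules are not evaluated, which
#    is how pfSense installs interface rules, so order matters.
pass quick on $lan_if inet proto { tcp udp } from $lan_net to any port { 53 80 443 }
pass quick on $lan_if inet proto icmp from $lan_net to any

# 2. Known noise, blocked but NOT logged: no "log" keyword on this rule.
#    It must sit above the catch-all so it matches first. It is still a
#    "block", not a "pass", so the traffic stays denied.
block quick on $lan_if inet proto udp from $lan_net to 224.0.0.251 port $suppressed_udp_ports

# 3. Catch-all default deny, still logged, for everything not handled above.
block log quick on $lan_if all
```

To confirm the order took effect, `pfctl -sr` prints the loaded rules in evaluation order, and `pfctl -vsr` adds per-rule evaluation and packet counters, so after a minute of mDNS chatter the unlogged block rule's packet counter should climb while the logged catch-all stops showing those packets. The safety point in the reply stands: the suppression rule is a `block` that merely omits `log`; if it were accidentally written as `pass`, the traffic would be allowed rather than silently denied.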