[SOLVED] Deny inbound but only log for open ports, possible?
-
I have a vague idea how to do this but will ask here if there is a recommended or already built-in way to do it. Can't figure it all out honestly.
I've got a couple of ports open for an OpenVPN server and some more. Also UPnP is active to open needed ports.
So, is there a smart / good way to accomplish incoming WAN logging so that only incoming traffic to open ports is logged?
BTW, awesome package!
Brgs,
-
Thanks!
Take a look at the Advanced In/Outbound rule settings in the IPv4/6/GeoIP tabs that will allow fine tuning of the rules…
-
I'm currently only working with the IP4 lists.
Checked out the Advanced section again. The lists are set to "deny both", so, to my understanding of the advanced section, defining ports here will also act on outgoing traffic. Do I understand this section correctly?
I've read up a little bit now and see a couple of solutions.
Only let pfBlockerNG generate the alias and manually create rules using those aliases. A custom rule where I log the open WAN ports and silently ignore everything else.
Or, create multiple (identical) lists and define the policy for logging incoming and outgoing. Then a manual rule for logging the open WAN ports.
Or (something maybe you could implement ;) ), is it possible to extend the logging option for the lists? Say the options "disabled", "log inbound", "log outbound", "log both inbound and outbound". And to get where I want, I create a special-special rule for logging all open WAN ports manually.
Logging the UPnP ports is still an unresolved part. I'll tinker away and see what I can come up with.
Not that it matters, but I'm using floating rules.
Brgs,
-
Yes, there are so many ways to skin the cat, so to speak. It just depends what you're comfortable with. I tried to give as many options as possible. Your feature request about selective logging is a great idea. I will try to add that to the next version.
When you select "Deny Both", you can fine-tune the inbound and the outbound by using network and port aliases to define what to do for the inbound independently of the outbound.
Alternatively, just use the Alias type and manually create the rules as required.
All valid methods.
-
Powerful tools give birth to creative and often different solutions to the same task. So, kudos to this extremely powerful tool!
I'll throw this around and test it from different angles and see which makes the most sense.
And I'm keeping a lookout for the next version, in case the logging feature for outbound/inbound finds its way in there. I believe that maybe the most user-friendly way to fix the "I don't want WAN logging for closed ports" …
Brgs,
-
I believe that maybe the most user-friendly way to fix the "I don't want WAN logging for closed ports"
You can accomplish this now with "Deny Both". In the Adv Inbound rule settings, define a port alias of the open WAN ports. Then add that to the ports setting. You can also be more selective and define a network alias of which IPs to apply the rule to.
Then in the Adv Outbound you can leave it blank and it will block and log all outbound. Alternatively you could define port and network aliases for the outbound.
-
When you select "Deny Both", you can fine-tune the inbound and the outbound by using network and port aliases to define what to do for the inbound independently of the outbound.
Another reply. I'm Captain Slow sometimes.
Now I saw that it was both for outbound and inbound under Advanced (I promise I looked more than once before… but only saw one and thought it was combined).
This will do for static ports. An alias definition of all my inbound ports here will log just inbound WAN traffic for those ports.
-
Follow up:
Works like a charm!
For the lists: deny on both inbound and outbound, with logging enabled.
Advanced inbound: UDP/TCP and a port alias which contains my open WAN ports. I also added the most common ports and ranges which UPnP opens for devices on the inside.
The result is a very tidy firewall and alert log, with logging kept for all outbound traffic trying to connect to nasty stuff and logging for anything trying to reach my open WAN ports.
So, mission complete.
Brgs,
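As an added illustration (not pfBlockerNG's generated rules and not from the thread), this is what the final setup above amounts to as a pf floating ruleset: listed sources are logged only when they hit an open WAN port, dropped silently otherwise, and all outbound to listed destinations is logged. The interface name, table name, file path and port numbers are constructed placeholders.

```pf
# Constructed placeholders: replace with your WAN interface, list table and open ports
wan_if = "em0"
# Open WAN services plus the ranges UPnP hands out to inside devices (example values)
open_wan_ports = "{ 1194, 49152:65535 }"
# Table populated from the pfBlockerNG IPv4 deny lists (path is a placeholder)
table <pfB_DenyBoth> persist file "/var/db/pfblockerng/deny/pfB_DenyBoth.txt"

# Inbound from listed sources: log only when an open WAN port is the target
# (the equivalent of the Adv Inbound port alias on a "Deny Both" list)
block drop in log quick on $wan_if inet proto { tcp, udp } from <pfB_DenyBoth> to ($wan_if) port $open_wan_ports

# Everything else from listed sources is dropped without the "log" keyword,
# so scans of closed ports never reach the alert log
block drop in quick on $wan_if inet from <pfB_DenyBoth> to any

# Outbound to listed destinations: block and log all of it (Adv Outbound left blank)
block drop out log quick on $wan_if inet from any to <pfB_DenyBoth>
```

Because all three rules carry `quick`, a packet from a listed source is decided here and never falls through to the default deny, so default-deny logging settings do not affect what appears in the log for these addresses.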