Netgate Discussion Forum

    Cleaning TCP: FA FPA RA logs. How to remove them from the logs?

    • XabiX

      Hello,

      This is a recurring post but after trying several solutions (conservative + reboot, create a pass rule to not log), I am not able to get rid of this flood. I know it doesn't hurt the traffic and the FW but it's just annoying.

      I created an explicit rule to filter out those logs but it doesn't match for a certain reason. Are there advanced options to check so I can filter out these packets?

      Merci
      Xavier

      https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

      [Attachments: FWlogs.jpg, tcpdump.jpg, FWrule.jpg, FWalias.jpg]

      Pfsense (latest 2.4) running on Proxmox 5.2 with Intel I350 quad ports
      Click on the Website (small planet) to see my network diagram

      • johnpoz LAYER 8 Global Moderator

        From you putting in a rule - it's like you didn't read the link you posted to.. Those are out of state packets.. Your allow rule would not allow something that is out of state.

        If you do not want to see out of state logged then turn off default logging.  Then create a block rule at the end of your lan rules that logs but only when SYN..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Harvy66

          As a rule of thumb, not sure if there are any exceptions, the rules you specify in the UI only apply to newly created states. Packets that are out of state will never hit your manually created rules.
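
The behaviour johnpoz and Harvy66 describe above, as an added example that is not part of the original thread and is not pfSense code: a toy stateful filter in which a pass rule creates state only on a SYN, so a late FA/FPA/RA is blocked even though a pass rule covers the flow, and in which logging only blocked SYNs silences that noise. The `Firewall` class, the 60-second timeout, the addresses and the trace are all constructed for illustration.

```python
# Toy model of stateful filtering (constructed for illustration; not pfSense code).
# Assumption: a TCP pass rule creates state only on an initial SYN (pf's default
# "flags S/SA keep state"); every other packet must match an existing state.
STATE_TTL = 60  # constructed idle timeout, in seconds


class Firewall:
    def __init__(self, log_default_block, log_syn_block):
        self.log_default_block = log_default_block  # built-in default-deny logging
        self.log_syn_block = log_syn_block          # user block rule that logs SYN only
        self.states = {}                            # (src, dst) -> time last seen
        self.log = []

    def packet(self, now, src, dst, flags, allowed):
        """Return 'pass' or 'block'; `allowed` says whether a pass rule covers src->dst."""
        # Expire idle states first, as a real state table would.
        self.states = {k: t for k, t in self.states.items() if now - t <= STATE_TTL}
        key = next((k for k in ((src, dst), (dst, src)) if k in self.states), None)
        if key is not None:                 # belongs to a tracked connection
            self.states[key] = now
            return "pass"
        if flags == "S" and allowed:        # only a bare SYN can create a state
            self.states[(src, dst)] = now
            return "pass"
        # Out of state (or a SYN no rule allows): the pass rule is never consulted.
        if (flags == "S" and self.log_syn_block) or self.log_default_block:
            self.log.append(flags)
        return "block"


def replay(log_default_block, log_syn_block):
    """Run one constructed trace; return (verdicts, flags of logged blocks)."""
    fw = Firewall(log_default_block, log_syn_block)
    lan, web, probe = "192.0.2.10:51000", "198.51.100.5:443", "203.0.113.9:40000"
    trace = [  # (time, src, dst, flags, does a pass rule cover it?)
        (0, lan, web, "S", True),       # new connection, creates state
        (1, web, lan, "SA", False),     # reply, matches the state
        (2, lan, web, "A", True),
        (200, lan, web, "FA", True),    # idle > STATE_TTL: state is gone
        (201, lan, web, "FPA", True),
        (202, web, lan, "RA", False),
        (300, probe, "192.0.2.1:3389", "S", False),  # unsolicited SYN from outside
    ]
    return [fw.packet(*p) for p in trace], fw.log
```

`replay(True, False)` models default logging and `replay(False, True)` models the SYN-only block rule; the verdicts are identical, only the log contents differ.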

          • XabiX

            Thank you both for the answers. I will therefore remove this rule and yes I had that in mind but after different readings I ended up trying :) but I agree it doesn't make sense to have a rule if we are speaking about out of the state messages.

            I may just do what johnpoz was proposing (turn off logging and activate it only for the SYN packets)

            • kpa

              The default logging is only there for you to take note of the amount of noise there is among regular TCP/IP traffic and then turn it off and write your own rules for more precise logging. PfSense is slightly different compared to other firewall distributions that by default hide that noise to put the user's mind at ease.

              • johnpoz LAYER 8 Global Moderator

                If you are seeing a huge amount of out of state traffic - this would either point to an asymmetrical routing issue, or borked client.. I have seen android phones generate quite a bit of out of state.. But it wasn't constant.. Would be sporadic at best.. not constant flood of noise.

                Seeing the out of state traffic can help you fix problems in your network.. I would suggest only turning off the default log rule if the out of state traffic is caused by some bad client and can not be fixed and the amount of noise is keeping you from seeing more interesting traffic you're interested in.

                kpa is correct, many firewalls do not log out of state traffic out of the box.. Shoot the usg 3p that I have had some recent experience with doesn't even have a simple way to view any firewall logs ;)  Be it a syn block or out of state block.. They just do not show you anything blocked by the firewall unless you specifically go looking for it, or take the time to send it to a syslog so you can view it..

                But yes viewing everything can be sometimes overwhelming to new users watching the log.  Especially on the wan side - there is a shit ton of UDP noise that is pretty much just noise if you ask me, which is why I only log tcp syn traffic.. Just interesting to see what ports are being attempted.. ssh, 1433, telnet, 3389 (rdp) and ftp are very very common bots and scripts looking for open shit they can try and access.

                • XabiX

                  Thank you all. I have added the attached rule and since then it's very quiet which I like :)

                  Can you confirm that this is the correct way to set the rule? (I have applied it in every interface).

                  FYI I don't think I have any asymmetric routing because of how my network is setup. I have added a picture for transparency.

                  Merci and have a nice WE! Santa Claus is coming :)

                  [Attachments: black1.jpg, black2.jpg, black3.jpg, network.jpg]

                  • johnpoz LAYER 8 Global Moderator

                    What is UW?  TL TC UL stand for?

                    • XabiX

                      Sorry yes I should have specified:

                      • The first letter is the VLAN tag: Untagged or Tagged

                      • The second letter is the network: Cam, Lan or Wan

                      Thanks for asking @johnpoz

                      Therefore can I assume that my 'default rule' is OK for logging the Syn packets only?

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.