
    Cleaning TCP: FA FPA RA logs. How to remove them from the logs?

    Firewalling
    • X
      XabiX last edited by

      Hello,

      This is a recurring post, but after trying several solutions (conservative + reboot, creating a pass rule that does not log), I am not able to get rid of this flood. I know it doesn't hurt the traffic or the FW, but it's just annoying.

      I created an explicit rule to filter out those logs, but for some reason it doesn't match. Are there advanced options to check so I can filter out these packets?

      Thanks
      Xavier

      https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

      pfSense (latest 2.4) running on Proxmox 5.2 with Intel I350 quad ports
      Click on the Website (small planet) to see my network diagram

      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        From your putting in a rule, it's like you didn't read the link you posted, too.. Those are out-of-state packets.. Your allow rule would not allow something that is out of state.

        If you do not want to see out of state logged then turn off default logging.  Then create a block rule at the end of your lan rules that logs but only when SYN..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

        • H
          Harvy66 last edited by

          As a rule of thumb, not sure if there are any exceptions, the rules you specify in the UI only apply to newly created states. Packets that are out of state will never hit your manually created rules.

          • X
            XabiX last edited by

            Thank you both for the answers. I will therefore remove this rule, and yes, I had that in mind, but after different readings I ended up trying :) but I agree it doesn't make sense to have a rule if we are speaking about out-of-state messages.

            I may just do what johnpoz was proposing (turn off logging and activate it only for the SYN packets)

            • K
              kpa last edited by

              The default logging is only there for you to take note of the amount of noise there is among regular TCP/IP traffic and then turn it off and write your own rules for more precise logging. pfSense is slightly different compared to other firewall distributions, which by default hide that noise to put the user's mind at ease.

              • johnpoz
                johnpoz LAYER 8 Global Moderator last edited by

                If you are seeing a huge amount of out of state traffic - this would either point to an asymmetrical routing issue, or borked client.. I have seen android phones generate quite a bit of out of state.. But it wasn't constant.. Would be sporadic at best.. not constant flood of noise.

                Seeing the out-of-state traffic can help you fix problems in your network.. I would suggest only turning off the default log rule if the out-of-state traffic is caused by some bad client and can not be fixed, and the amount of noise is keeping you from seeing more interesting traffic you're interested in.

                kpa is correct many firewalls do not log out of state traffic out of the box.. Shoot the usg 3p that I have had some recent experience with doesn't even have a simple way to view any firewall logs ;)  Be it a syn block or out of state block.. They just do not show you any thing blocked by the firewall unless you specifically go looking for it, or take the time to send it to a syslog so you can view it..

                But yes, viewing everything can sometimes be overwhelming to new users watching the log.  Especially on the wan side - there is a shit ton of UDP noise that is pretty much just noise if you ask me, which is why I only log tcp syn traffic.. Just interesting to see what ports are being attempted.. ssh, 1433, telnet, 3389 (rdp) and ftp are very very common bots and scripts looking for open shit they can try and access.

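As an added example (not code from the thread, pfSense or Netgate), the Python script below triages pfSense filterlog lines the way the posts above describe: packets whose TCP flags carry no bare SYN (FA, FPA, RA) are out-of-state noise that only the default block rule ever sees, while bare SYNs are real connection attempts whose destination ports are worth counting. It assumes the pfSense 2.2+ filterlog CSV layout with IPv4 TCP entries only; the log lines in SAMPLE_LOG are constructed for this example.

```python
"""Triage pfSense filterlog entries: separate out-of-state TCP noise (FA, FPA, RA)
from genuine new-connection attempts (SYN) and tally the ports those SYNs probed.
Assumes the pfSense 2.2+ filterlog CSV layout, IPv4 TCP entries only.
SAMPLE_LOG is constructed for this example, not captured from a real firewall."""
from collections import Counter

IPVER, PROTO, TCP = 8, 16, 20   # field index of ip-version, protocol name, first TCP field


def classify_tcp_flags(flags):
    """A bare SYN tries to open a connection; anything else (FA, FPA, RA, PA, A)
    belongs to a flow pf has no state for, so it only ever hits the default block."""
    return "syn" if "S" in flags and "A" not in flags else "out_of_state"


def parse_blocked_tcp(line):
    """Return (kind, dstport) for a blocked IPv4 TCP entry, ("other", None) otherwise."""
    f = line.strip().split(",")
    if len(f) < TCP + 4 or f[6] != "block" or f[IPVER] != "4" or f[PROTO] != "tcp":
        return "other", None
    return classify_tcp_flags(f[TCP + 3]), int(f[TCP + 1])   # tcp-flags, destination port


def triage(lines):
    """Summarize filterlog lines the way a 'log SYN only' block rule would show them."""
    summary = {"syn_ports": Counter(), "out_of_state": 0, "other": 0}
    for line in filter(str.strip, lines):
        kind, dstport = parse_blocked_tcp(line)
        if kind == "syn":
            summary["syn_ports"][dstport] += 1
        else:
            summary[kind] += 1
    return summary


# Constructed sample: three out-of-state LAN packets, five WAN SYN probes, one UDP packet.
SAMPLE_LOG = """\
5,,,1000000103,vtnet1,match,block,in,4,0x0,,64,48211,0,DF,6,tcp,52,192.168.10.20,203.0.113.7,50212,443,0,FA,1500000001,1500000002,501,,
5,,,1000000103,vtnet1,match,block,in,4,0x0,,64,48212,0,DF,6,tcp,40,192.168.10.20,203.0.113.7,50212,443,0,FPA,1500000003,1500000004,501,,
5,,,1000000103,vtnet1,match,block,in,4,0x0,,128,1022,0,DF,6,tcp,40,192.168.10.31,198.51.100.5,61000,80,0,RA,0,1500000005,0,,
9,,,1000000103,vtnet0,match,block,in,4,0x0,,49,54321,0,none,6,tcp,60,198.51.100.77,203.0.113.7,40001,22,0,S,3000000001,0,65535,,mss
9,,,1000000103,vtnet0,match,block,in,4,0x0,,49,54322,0,none,6,tcp,60,198.51.100.77,203.0.113.7,40002,3389,0,S,3000000002,0,65535,,mss
9,,,1000000103,vtnet0,match,block,in,4,0x0,,44,2111,0,none,6,tcp,60,198.51.100.88,203.0.113.7,51000,1433,0,S,3000000003,0,29200,,mss
9,,,1000000103,vtnet0,match,block,in,4,0x0,,44,2112,0,none,6,tcp,60,198.51.100.88,203.0.113.7,51001,23,0,S,3000000004,0,29200,,mss
9,,,1000000103,vtnet0,match,block,in,4,0x0,,50,777,0,none,6,tcp,60,198.51.100.99,203.0.113.7,60000,3389,0,S,3000000005,0,64240,,mss
9,,,1000000103,vtnet0,match,block,in,4,0x0,,51,7,0,none,17,udp,78,198.51.100.9,203.0.113.7,33333,1900,58
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print(f"out-of-state noise: {result['out_of_state']}, other: {result['other']}")
    for port, n in result["syn_ports"].most_common():
        print(f"SYN attempts to port {port}: {n}")
```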
                • X
                  XabiX last edited by

                  Thank you all. I have added the attached rule and since then it's very quiet which I like :)

                  Can you confirm that this is the correct way to set the rule? (I have applied it on every interface.)

                  FYI I don't think I have any asymmetric routing because of how my network is setup. I have added a picture for transparency.

                  Thanks and have a nice weekend! Santa Claus is coming :)

                  • johnpoz
                    johnpoz LAYER 8 Global Moderator last edited by

                    What is UW?  What do TL, TC and UL stand for?

                    • X
                      XabiX last edited by

                      Sorry yes I should have specified:

                      • The first letter is the VLAN tag: Untagged or Tagged

                      • The second letter is the network: Cam, Lan or Wan

                      Thanks for asking @johnpoz

                      Therefore can I assume that my 'default rule' is OK for logging the Syn packets only?
