Cleaning TCP: FA FPA RA logs. How to remove them from the logs?

  • Hello,

    This is a recurring post, but after trying several solutions (conservative + reboot, creating a pass rule to not log), I am not able to get rid of this flood. I know it doesn't hurt the traffic or the FW, but it's just annoying.

    I created an explicit rule to filter out those logs, but it doesn't match for some reason. Are there advanced options to check so I can filter out these packets?

    Thanks
    Xavier

    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection

  • Rebel Alliance Global Moderator

    From you putting in a rule - it's like you didn't read the link you posted, too.. Those are out of state packets.. Your allow rule would not allow something that is out of state.

    If you do not want to see out of state logged then turn off default logging. Then create a block rule at the end of your LAN rules that logs, but only when SYN..



  • As a rule of thumb (not sure if there are any exceptions), the rules you specify in the UI only apply to newly created states. Packets that are out of state will never hit your manually created rules.



  • Thank you both for the answers. I will therefore remove this rule, and yes, I had that in mind, but after different readings I ended up trying :) But I agree it doesn't make sense to have a rule if we are speaking about out of state messages.

    I may just do what johnpoz was proposing (turn off logging and activate it only for the SYN packets)



  • The default logging is only there for you to take note of the amount of noise there is among regular TCP/IP traffic and then turn it off and write your own rules for more precise logging. pfSense is slightly different compared to other firewall distributions that by default hide that noise to put the user's mind at ease.


  • Rebel Alliance Global Moderator

    If you are seeing a huge amount of out of state traffic - this would either point to an asymmetrical routing issue, or a borked client.. I have seen android phones generate quite a bit of out of state.. But it wasn't constant.. Would be sporadic at best.. not a constant flood of noise.

    Seeing the out of state traffic can help you fix problems in your network.. I would suggest only turning off the default log rule if the out of state traffic is caused by some bad client and can not be fixed, and the amount of noise is keeping you from seeing more interesting traffic you're interested in.

    kpa is correct, many firewalls do not log out of state traffic out of the box.. Shoot, the USG 3P that I have had some recent experience with doesn't even have a simple way to view any firewall logs ;) Be it a SYN block or out of state block.. They just do not show you anything blocked by the firewall unless you specifically go looking for it, or take the time to send it to a syslog so you can view it..

    But yes, viewing everything can sometimes be overwhelming to new users watching the log. Especially on the WAN side - there is a shit ton of UDP noise that is pretty much just noise if you ask me, which is why I only log TCP SYN traffic.. Just interesting to see what ports are being attempted.. ssh, 1433, telnet, 3389 (rdp) and ftp are very very common bots and scripts looking for open shit they can try and access.
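The triage johnpoz describes above (keep blocked SYNs, ignore out-of-state FA/FPA/RA blocks) as an added script, not code from the thread or from pfSense. It assumes the pfSense filterlog CSV layout for IPv4 TCP entries given in the comment (field 6 = action, 23 = TCP flags); the log lines are constructed samples.

```python
"""Triage pfSense filterlog lines: separate out-of-state TCP blocks (FA, FPA, RA)
from blocked new-connection attempts (SYN only), as discussed in the thread."""
import csv
from dataclasses import dataclass
from io import StringIO

# Assumed field order for IPv4 TCP entries in filterlog (CSV): index 6 = action,
# 8 = IP version, 16 = protocol name, 18 = src, 19 = dst, 21 = dst port, 23 = TCP flags.
ACTION, IPVER, PROTO, SRC, DST, DPORT, TCPFLAGS = 6, 8, 16, 18, 19, 21, 23

@dataclass
class Entry:
    action: str
    src: str
    dst: str
    dport: int
    flags: str

    @property
    def is_new_connection(self) -> bool:
        # A bare SYN is the first packet of a connection; anything carrying
        # ACK/FIN/RST without SYN belongs to an existing (or expired) state.
        return self.flags == "S"

def parse_line(line: str):
    fields = next(csv.reader(StringIO(line)))
    if len(fields) <= TCPFLAGS or fields[IPVER] != "4" or fields[PROTO] != "tcp":
        return None  # not an IPv4 TCP entry (or a different layout)
    return Entry(fields[ACTION], fields[SRC], fields[DST], int(fields[DPORT]), fields[TCPFLAGS])

def triage(lines):
    """Return (interesting, noise): blocked SYNs vs out-of-state blocks."""
    interesting, noise = [], []
    for raw in lines:
        e = parse_line(raw)
        if e is None or e.action != "block":
            continue
        (interesting if e.is_new_connection else noise).append(e)
    return interesting, noise

# Constructed sample lines (not real traffic), in the assumed layout above.
SAMPLE = """\
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.10.20,93.184.216.34,51234,443,0,FA,1,2,4096,,
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.10.20,93.184.216.34,51234,443,0,FPA,1,2,4096,,
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.10.21,93.184.216.34,51235,443,0,RA,1,2,0,,
5,,,1000000103,igb0,match,block,in,4,0x0,,55,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.5,40000,3389,0,S,1,,65535,,
5,,,1000000103,igb0,match,block,in,4,0x0,,55,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.5,40001,22,0,S,1,,65535,,
"""

if __name__ == "__main__":
    keep, drop = triage(SAMPLE.splitlines())
    print(f"{len(keep)} blocked SYNs worth reviewing, {len(drop)} out-of-state entries")
```

The two SYN entries (ports 3389 and 22) are the scans johnpoz mentions; the three FA/FPA/RA entries are the stale-state noise the original post wanted out of the log.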



  • Thank you all. I have added the attached rule and since then it's very quiet which I like :)

    Can you confirm that this is the correct way to set the rule? (I have applied it on every interface.)

    FYI, I don't think I have any asymmetric routing because of how my network is set up. I have added a picture for transparency.

    Thanks and have a nice WE! Santa Claus is coming :)

  • Rebel Alliance Global Moderator

    What do UW, TL, TC, UL stand for?



  • Sorry yes I should have specified:

    • The first letter is the VLAN tag: Untagged or Tagged

    • The second letter is the network: Cam, Lan or Wan

    Thanks for asking @johnpoz

    Therefore, can I assume that my 'default rule' is OK for logging the SYN packets only?