• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Logging connections, not their content

Scheduled Pinned Locked Moved Firewalling
7 Posts 3 Posters 2.0k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • A
    anmnz
    last edited by anmnz Mar 1, 2019, 11:20 PM Mar 1, 2019, 11:05 PM

    I have a small NAT network behind a pfSense firewall (latest version). I have been told that something on my network is unexpectedly making frequent connections to an external system.

    I would like to use pfSense logging to record every outbound TCP connection being made by any machine on my network (just for a day or two so I can look for patterns). For each connection I'd like to record the source and destination IP addresses and TCP ports at least (automatically resolving to hostnames would be nice). I don't need to record the data that flows across the connection.

    Can someone suggest how I can achieve this?

    My best guess is that I need to create a firewall rule that specifically matches SYN/ACK packets, and turn on logging for that rule. I've tried this but haven't been able to get it right.

    I'd really appreciate an explanation of how to do this, or a pointer to a pfSense package that easily solves my problem!

    Many thanks for any help.

    1 Reply Last reply Reply Quote 0
    • A
      akuma1x
      last edited by akuma1x Mar 1, 2019, 11:37 PM Mar 1, 2019, 11:25 PM

      If this is on your LAN network, for example, you can simply set the logging feature to "ON" in your firewall rule that passes all traffic out to the internet.

      It's under Extra Options, in the "allow LAN to any" rule.

      Be aware that you need hard drive space for capturing the log data. Then, when you are done logging, read the data with a syslog program, like Wireshark, then turn off the logging function in the rule. Or, for a simple look at the rule logs, you can look under Status -> System Logs, and click on the Firewall tab to see the data.

      https://docs.netgate.com/pfsense/en/latest/book/firewall/viewing-the-firewall-logs.html

      The only problem I can see with the above steps is if you've got lots of NAT rules, and lots of firewall rules. Then it might be harder to narrow down which rule you actually want to do the log capture in.

      Jeff

      A 1 Reply Last reply Mar 1, 2019, 11:38 PM Reply Quote 1
      • A
        anmnz @akuma1x
        last edited by Mar 1, 2019, 11:38 PM

        @akuma1x thanks!

        If I understand correctly this would log all traffic through the firewall, not just the creation of new TCP connections. Is that correct?

        I don't have a problem with that if it's the best way to approach my problem.

        Or am I misunderstanding -- will this approach actually only log connection setup, not the packets that flow once the connection is created?

        Thanks!

        A 1 Reply Last reply Mar 1, 2019, 11:43 PM Reply Quote 0
        • A
          akuma1x @anmnz
          last edited by Mar 1, 2019, 11:43 PM

          @anmnz

          Try it and see if it's got the data you're looking for. I just turned on the logging function on my "lan to any" rule, and it shows me what internal lan machines talk to which external machines, all by IP address.

          If you happen to know which "external machine" you're looking for, it should be easy to see what internal machine is talking to it.

          Jeff

          G 1 Reply Last reply Mar 2, 2019, 9:27 AM Reply Quote 1
          • G
            Gertjan @akuma1x
            last edited by Mar 2, 2019, 9:27 AM

            @akuma1x said in Logging connections, not their content:

            If you happen to know which "external machine" you're looking fo

            Well, he said so :

            @anmnz said in Logging connections, not their content:

            something on my network is unexpectedly making frequent connections to an external system

            An external system is an identified system.

            For example :

            I have this site test-domaine.fr.
            It has these IP's :

            root@ns311465:~# host test-domaine.fr
test-domaine.fr has address 5.196.43.182
test-domaine.fr has IPv6 address 2001:41d0:2:927b::15
test-domaine.fr mail is handled by 30 mail.test-domaine.fr.
test-domaine.fr mail is handled by 20 mail2.test-domaine.fr.
test-domaine.fr mail is handled by 10 mail.test-domaine

            I create a pfSense alias for the IP's 5.196.43.182 and 2001:41d0:2:927b::15 called "test".

            I create a firewall pass rule on my LAN :

            0_1551515900604_3f1e592f-71de-4f3b-87bb-48a553ed76e3-image.png

            It's a pass rule.
            It's logged.
            Source : any.
            Usage the destination : host : alias : "test"
            Advanced option : SYN bits set (in and out)

            Now, I visit my test-domaine.fr usage a ... web browser.

            Refresh the Firewall LAN rules list and check :

            0_1551516062347_e2029de2-b7e7-489e-ad63-df5d2c9f6306-image.png

            This means the rule has been "used".

            Let's check the logs :

            0_1551516117059_66073233-576c-4eb3-9b36-f18b58a2c2ab-image.png

            aha : it's a device using IPv6 2001:470:1f13:5c0:2::c6

            root@ns311465:~# host 2001:470:1f13:5c0:2::c6
6.c.0.0.0.0.0.0.0.0.0.0.2.0.0.0.0.c.5.0.3.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa domain name pointer gauche.brit-hotel-fumel.net.

            That device is the PC I just used to visit www.test-domaine.fr" !! The device (PC) has been identified.
            I can see port numbers, so I can deduct used services (wbe server in this case), etc.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            A A 2 Replies Last reply Mar 2, 2019, 2:49 PM Reply Quote 2
            • A
              akuma1x @Gertjan
              last edited by akuma1x Mar 2, 2019, 4:19 PM Mar 2, 2019, 2:49 PM

              @gertjan said in Logging connections, not their content:

              Well, that's a little advanced... and BRILLIANT! 👍

              Thanks for the tips and the instructions. I didn't even think of narrowing the rule down that far. That's awesome! That would also limit the size of the log data file, since you've laser-focused it down so much to just the external machine on a single rule.

              Jeff

              1 Reply Last reply Reply Quote 0
              • A
                anmnz @Gertjan
                last edited by Mar 3, 2019, 11:52 AM

                Thanks @gertjan! I don't actually have the specific IP addresses my network is allegedly making connections to, but these instructions are excellent and showed me how to do what I wanted which is to log all outgoing connections from my network. Thanks very much indeed for taking the time!

                1 Reply Last reply Reply Quote 0
                7 out of 7
                • First post
                  7/7
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                  This community forum collects and processes your personal information.
                  consent.not_received