Firewall Rule Logging (for PERMIT Rule)
I have a firewall (pass/allow) rule that has logging enabled.
However, when I go to the firewall log monitor I am unable to locate the (permit) rule. Currently my firewall log is only showing denied traffic.
Can anyone shed some light on the situation? Thanks!
Nothing has matched the rule since the change.
If that traffic is passing, then either some other rule is passing it, or you still have states open from before you added logging, so the new rule has not applied yet.
@stephenw10 This traffic originates from the WAN port (because AWS is the source).
I only have (2) pass/permit rules on the WAN interface. As such, I can safely say that no other firewall rule is capturing (and allowing) the traffic.
To rule out the "open state" theory, I rebooted the pfSense box. After applying filters to the Firewall Log I am (still) told: "no logs to display".
Hmm, well, you can see that rule has created states, so those should have been logged.
Is the firewall logging anything at all? Sometimes logging can stop entirely if something else has broken it.
Is it logging so many blocks that those pass logs are being cycled out of the logs before you filter for them? Like if you are seeing a DoS attack.
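One way to check both of these theories offline, as an added example that is not part of the thread: pull the raw filter log and count entries per rule tracker ID and action, so you can see whether the pass rule ever produced a line at all and how large the block share is (a flood of blocks can push pass entries out of a bounded log view). The sample lines are constructed, and the column layout (tracker in field 4, action in field 7) is an assumption about the pfSense filterlog CSV format.

```python
# Added example (not from the thread): summarize pfSense filterlog entries per
# rule tracker to check whether a logged pass rule ever produced an entry, and
# whether block entries dominate enough to rotate passes out of a bounded view.
# Assumed filterlog CSV layout (first 8 fields): rulenum, subrulenum, anchor,
# tracker, interface, reason, action, direction, ...
from collections import Counter

# Constructed sample lines in filterlog style (not real traffic).
SAMPLE_LOG = """\
5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,192.0.2.10,51234,443,0,S,
5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.8,192.0.2.10,51235,443,0,S,
72,,,1598284651,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.20,192.0.2.10,40001,22,0,S,
5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,203.0.113.9,192.0.2.10,5000,53,58
"""


def parse_filterlog(text):
    """Yield (tracker, interface, action, direction) for each filterlog line."""
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) < 8:
            continue  # truncated or non-filterlog line, skip it
        yield fields[3], fields[4], fields[6], fields[7]


def summarize(text):
    """Count entries per (tracker, action) and return the overall block share."""
    per_rule = Counter()
    for tracker, _iface, action, _direction in parse_filterlog(text):
        per_rule[(tracker, action)] += 1
    total = sum(per_rule.values())
    blocks = sum(n for (_, action), n in per_rule.items() if action == "block")
    return per_rule, (blocks / total if total else 0.0)


def rule_logged(text, tracker, action="pass"):
    """True if at least one entry with this tracker ID and action is present."""
    per_rule, _ = summarize(text)
    return per_rule[(tracker, action)] > 0


if __name__ == "__main__":
    counts, block_share = summarize(SAMPLE_LOG)
    for (tracker, action), n in sorted(counts.items()):
        print(f"tracker {tracker}: {action} x{n}")
    print(f"block share: {block_share:.0%}")
    # A logged pass rule that never appears here has not matched new traffic
    # (existing states bypass the ruleset) or has been rotated out of the view.
    print("pass rule 1598284651 logged:", rule_logged(SAMPLE_LOG, "1598284651"))
```

Run it against the output of `clog /var/log/filter.log` (or the exported log) instead of the constructed sample; a tracker ID that is missing from the pass counts while the rule shows active states points at the state-table explanation from the earlier reply.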
@stephenw10 pfSense is definitely logging events (within the Firewall log view).
Currently, the log is only showing the denied traffic.
Based on the timestamps, it looks like I am not encountering a DoS attack.