Firewall Rule Logging (for PERMIT Rule)



  • I have a firewall (pass/allow) rule that has logging enabled.

    [screenshot attached]

    However, when I go to the firewall log monitor I am unable to locate the (permit) rule. Currently my firewall log is only showing denied traffic.

    [screenshot attached]

    Can anyone shed some light on the situation? Thanks!


  • Netgate Administrator

    Nothing has matched the rule since the change.

    If that traffic is passing then either some other rule is passing it or you still have states open from before you added logging so the new rule has not applied yet.

    Steve



  • @stephenw10 This traffic originates from the WAN port (because AWS is the source).

    I only have (2) pass/permit rules on the WAN interface. As such, I can safely say that no other firewall rule is capturing (and allowing) the traffic.

    [screenshot attached]

    To rule out the "open state" theory, I rebooted the pfSense box. After applying filters to the Firewall Log, I am (still) told: "no logs to display".


  • Netgate Administrator

    Hmm, well you can see that rule has created states so those should have been logged.

    Is the firewall logging anything at all? Sometimes logging can stop entirely if something else has broken it.

    Is it logging so many blocks that those pass logs are being cycled out of the logs before you filter for them? Like if you are seeing a DoS attack.

    Steve



  • @stephenw10 pfSense is definitely logging events (within the Firewall log view).

    Currently, the log is only showing the denied traffic.

    Based on the timestamps, it looks like I am not encountering a DoS attack.

    [screenshot attached]
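As an added illustration (this is not code from the thread, from Netgate or from pfSense), the questions raised above reduce to two checks that can be run against the raw firewall log rather than the GUI filter: does the log contain any `pass` entries at all for the rule's tracker ID, and how short a time window do the surviving entries cover (a very short window with thousands of blocks means older pass entries may already have been cycled out). The script below parses lines in the pfSense filterlog CSV format and tallies them by action and by tracker ID. The field order (rule number, sub-rule, anchor, tracker ID, interface, reason, action, direction, IP version, then version-specific fields with source and destination addresses) is assumed from the filterlog layout, and the sample log lines are constructed for the example.

```python
"""Tally pfSense firewall log (filterlog) entries by action and rule tracker ID.

Added example, not code from the original thread or from pfSense. It assumes
the filterlog CSV field order (rule number, sub-rule, anchor, tracker ID,
interface, reason, action, direction, IP version, then IP-version-specific
fields); the sample log lines below are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed syslog lines in filterlog format (not taken from the thread).
# Three blocks on tracker 1000000103 and one pass on tracker 1590000001.
SAMPLE_LOG = """\
May  7 14:10:01 pfSense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,51234,22,0,S,1111111,,65535,,mss
May  7 14:10:02 pfSense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1235,0,DF,6,tcp,60,203.0.113.6,198.51.100.2,51235,23,0,S,2222222,,65535,,mss
May  7 14:10:03 pfSense filterlog[12345]: 72,,,1590000001,em0,match,pass,in,4,0x0,,64,1236,0,DF,6,tcp,60,192.0.2.10,198.51.100.2,40000,443,0,S,3333333,,65535,,mss
May  7 14:10:04 pfSense filterlog[12345]: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,40,udp,17,50,2001:db8::1,2001:db8::2,5353,5353,8
"""

# syslog prefix: "<Mon> <day> <HH:MM:SS> <host> filterlog[<pid>]: <csv fields>"
SYSLOG_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+filterlog\[\d+\]:\s*(.*)$"
)


def parse_filterlog_line(line):
    """Return the fields we care about as a dict, or None for non-filterlog lines."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    stamp, csv = m.groups()
    f = csv.split(",")
    if len(f) < 9:
        return None
    entry = {
        "time": datetime.strptime(stamp, "%b %d %H:%M:%S"),  # year defaults to 1900
        "rule": f[0],
        "tracker": f[3],
        "iface": f[4],
        "action": f[6],
        "dir": f[7],
        "ipver": f[8],
        "src": None,
        "dst": None,
    }
    # Assumed layout: IPv4 has 9 header fields before src/dst, IPv6 has 6.
    if entry["ipver"] == "4" and len(f) >= 20:
        entry["src"], entry["dst"] = f[18], f[19]
    elif entry["ipver"] == "6" and len(f) >= 17:
        entry["src"], entry["dst"] = f[15], f[16]
    return entry


def parse_log(text):
    """Parse every filterlog line in a block of syslog text, skipping the rest."""
    return [e for e in (parse_filterlog_line(l) for l in text.splitlines()) if e]


def summarize(text):
    """Counts by action and by (tracker, action), plus the time span the log covers."""
    entries = parse_log(text)
    span = 0.0
    if entries:
        times = [e["time"] for e in entries]
        span = (max(times) - min(times)).total_seconds()
    return {
        "by_action": Counter(e["action"] for e in entries),
        "by_tracker": Counter((e["tracker"], e["action"]) for e in entries),
        "span_seconds": span,
    }


def entries_for_tracker(text, tracker, action="pass"):
    """All entries logged by one rule (by tracker ID) with the given action."""
    return [e for e in parse_log(text) if e["tracker"] == tracker and e["action"] == action]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("by action:", dict(s["by_action"]))
    print("by tracker:", dict(s["by_tracker"]))
    print("log window (s):", s["span_seconds"])
    for e in entries_for_tracker(SAMPLE_LOG, "1590000001"):
        print("pass:", e["time"].time(), e["iface"], e["src"], "->", e["dst"])
```

On a pfSense box the raw lines typically live in /var/log/filter.log (also visible under Status > System Logs > Firewall in raw mode), and a rule's tracker ID is the number shown for it in the GUI; pointing `entries_for_tracker` at that ID answers directly whether the pass rule has ever matched and logged, independent of whatever the log viewer's filter is doing. If `by_action` shows only blocks and `span_seconds` is small, the pass entries may simply have rotated out before the filter was applied.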

