Empty Firewall Log - 2.5

Quarkz · Sep 23, 2020, 11:30 PM

Is anyone else seeing no firewall updates to filter.log recently?

Currently on build
2.5.0-DEVELOPMENT (amd64)
built on Wed Sep 23 13:05:48 EDT 2020
FreeBSD 12.2-PRERELEASE

Re-installed and reset log files already.

pfctl shows the default block rules in place
block drop in log inet all label "Default deny rule IPv4"

Any ideas?

Quarkz · Sep 24, 2020, 4:09 PM

I see syslog running
/usr/sbin/syslogd -O rfc3164 -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -b 192.168.1.1

I also see packets showing blocked under the interfaces

In/out packets (pass)
5057612/1557430 (6.12 GiB/263.44 MiB)
In/out packets (block)
2454/0 (184 KiB/0 B)

but nothing is showing under Status/System Logs/Firewall and /var/log/filter.log is empty.

I assume nobody else is having this same issue?

kiokoman · Sep 24, 2020, 5:03 PM

nope, check permission and compare

-rw-------   1 root      wheel     137776 Sep 24 18:55 filter.log

root   74183   0.0  0.0  11420   2676  -  Ss   Tue15       0:41.58 /usr/sbin/syslogd -O rfc3164 -s -c -c -l /var/dhcpd/var/run/log -l /tmp/haproxy_chroot/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -b 172.17.0.254

[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/var/log: cat /etc/syslog.conf
# Automatically generated, do not edit!
# Place configuration files in /var/etc/syslog.d
!*

include                                         /var/etc/syslog.d
# /* Manually added files with non-conflicting names will not be automatically removed */
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/var/log: cd /var/etc/syslog.d
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/var/etc/syslog.d: ls
haproxy.log.conf pfSense.conf
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/var/etc/syslog.d: cat pfSense.conf
# Automatically generated, do not edit!
!*
auth.*;authpriv.*                                               /var/log/auth.log
!radvd,routed,zebra,ospfd,ospf6d,bgpd,miniupnpd,igmpproxy
*.*                                                             /var/log/routing.log
!ntp,ntpd,ntpdate
*.*                                                             /var/log/ntpd.log
!ppp
*.*                                                             /var/log/ppp.log
!poes
*.*                                                             /var/log/poes.log
!l2tps
*.*                                                             /var/log/l2tps.log
!charon,ipsec_starter
*.*                                                             /var/log/ipsec.log
!openvpn
*.*                                                             /var/log/openvpn.log
!dpinger
*.*                                                             /var/log/gateways.log
!dnsmasq,named,filterdns,unbound
*.*                                                             /var/log/resolver.log
!dhcpd,dhcrelay,dhclient,dhcp6c,dhcpleases,dhcpleases6
*.*                                                             /var/log/dhcpd.log
!hostapd
*.*                                                             /var/log/wireless.log
!filterlog
*.*                                                             /var/log/filter.log
*.*                                                             @172.17.0.100:514
*.*                                                             @172.17.0.100:5140
!logportalauth
*.*                                                             /var/log/portalauth.log
!-ntp,ntpd,ntpdate,charon,ipsec_starter,openvpn,poes,l2tps,hostapd,dnsmasq,named,filterdns,unbound,dhcpd,dhcrelay,dhclient,dhcp6c,dpinger,radvd,routed,zebra,ospfd,ospf6d,bgpd,miniupnpd,igmpproxy,filterlog,haproxy
local3.*                                                        /var/log/vpn.log
local5.*                                                        /var/log/nginx.log
*.notice;kern.debug;lpr.info;mail.crit;daemon.none;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info      /var/log/system.log
auth.info;authpriv.info                                         |exec /usr/local/sbin/sshguard -i /var/run/sshguard.pid
*.emerg                                                         *
*.emerg;*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local7.none;security.*;auth.info;authpriv.info;daemon.info      @172.17.0.100:514
*.emerg;*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local7.none;security.*;auth.info;authpriv.info;daemon.info      @172.17.0.100:5140

Quarkz · Sep 24, 2020, 7:50 PM

@kiokoman

Thanks for the ideas! Unfortunately everything matches up fine.
I am seeing packets being properly blocked if I tcpdump on pflog0 so I think that much is working.

I will try a fresh install this weekend and see if I still have the issue with a vanilla config or if there is something wrong in my config.xml.

jimp · Sep 24, 2020, 8:02 PM

It's working fine for me here.

The process you really want to look for is filterlog:

root  51714   0.0  0.3 12336  1284  -  Ss   Tue08      0:13.20 /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid

Quarkz · Sep 24, 2020, 9:31 PM

@jimp I figured it was the filterlog process.

root    45091   0.0  0.1  12104  2976  -  Ss   15:18     0:00.13 /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid

It must be something specific to my config. I have done several fresh re-installs albeit importing my existing config.xml. If you have any other thoughts on troubleshooting things please let me know.

tcpdump -n -e -ttt -i pflog0 inbound and action block and on em0

Shows things being properly blocked so I am not as concerned but still puzzled.