Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Empty Firewall Log - 2.5

    2.5 Development Snapshots (Retired)
    3
    6
    100
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Q
      Quarkz
      last edited by

      Is anyone else seeing no firewall updates to filter.log recently?

      Currently on build
      2.5.0-DEVELOPMENT (amd64)
      built on Wed Sep 23 13:05:48 EDT 2020
      FreeBSD 12.2-PRERELEASE

      Re-installed and reset log files already.

      pfctl shows the default block rules in place
      block drop in log inet all label "Default deny rule IPv4"

      Any ideas?

      1 Reply Last reply Reply Quote 0
      • Q
        Quarkz
        last edited by

        I see syslog running
        /usr/sbin/syslogd -O rfc3164 -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -b 192.168.1.1

        I also see packets showing blocked under the interfaces

        In/out packets (pass)
        5057612/1557430 (6.12 GiB/263.44 MiB)
        In/out packets (block)
        2454/0 (184 KiB/0 B)

        but nothing is showing under Status/System Logs/Firewall and /var/log/filter.log is empty.

        I assume nobody else is having this same issue?

        1 Reply Last reply Reply Quote 0
        • kiokomanK
          kiokoman LAYER 8
          last edited by kiokoman

          nope, check permission and compare

          -rw-------   1 root      wheel     137776 Sep 24 18:55 filter.log

          root   74183   0.0  0.0  11420   2676  -  Ss   Tue15       0:41.58 /usr/sbin/syslogd -O rfc3164 -s -c -c -l /var/dhcpd/var/run/log -l /tmp/haproxy_chroot/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -b 172.17.0.254

          [2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/var/log: cat /etc/syslog.conf
# Automatically generated, do not edit!
# Place configuration files in /var/etc/syslog.d
!*

include                                         /var/etc/syslog.d
# /* Manually added files with non-conflicting names will not be automatically removed */
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/var/log: cd /var/etc/syslog.d
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/var/etc/syslog.d: ls
haproxy.log.conf pfSense.conf
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/var/etc/syslog.d: cat pfSense.conf
# Automatically generated, do not edit!
!*
auth.*;authpriv.*                                               /var/log/auth.log
!radvd,routed,zebra,ospfd,ospf6d,bgpd,miniupnpd,igmpproxy
*.*                                                             /var/log/routing.log
!ntp,ntpd,ntpdate
*.*                                                             /var/log/ntpd.log
!ppp
*.*                                                             /var/log/ppp.log
!poes
*.*                                                             /var/log/poes.log
!l2tps
*.*                                                             /var/log/l2tps.log
!charon,ipsec_starter
*.*                                                             /var/log/ipsec.log
!openvpn
*.*                                                             /var/log/openvpn.log
!dpinger
*.*                                                             /var/log/gateways.log
!dnsmasq,named,filterdns,unbound
*.*                                                             /var/log/resolver.log
!dhcpd,dhcrelay,dhclient,dhcp6c,dhcpleases,dhcpleases6
*.*                                                             /var/log/dhcpd.log
!hostapd
*.*                                                             /var/log/wireless.log
!filterlog
*.*                                                             /var/log/filter.log
*.*                                                             @172.17.0.100:514
*.*                                                             @172.17.0.100:5140
!logportalauth
*.*                                                             /var/log/portalauth.log
!-ntp,ntpd,ntpdate,charon,ipsec_starter,openvpn,poes,l2tps,hostapd,dnsmasq,named,filterdns,unbound,dhcpd,dhcrelay,dhclient,dhcp6c,dpinger,radvd,routed,zebra,ospfd,ospf6d,bgpd,miniupnpd,igmpproxy,filterlog,haproxy
local3.*                                                        /var/log/vpn.log
local5.*                                                        /var/log/nginx.log
*.notice;kern.debug;lpr.info;mail.crit;daemon.none;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info      /var/log/system.log
auth.info;authpriv.info                                         |exec /usr/local/sbin/sshguard -i /var/run/sshguard.pid
*.emerg                                                         *
*.emerg;*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local7.none;security.*;auth.info;authpriv.info;daemon.info      @172.17.0.100:514
*.emerg;*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local7.none;security.*;auth.info;authpriv.info;daemon.info      @172.17.0.100:5140

          ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
          Please do not use chat/PM to ask for help
          we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
          Don't forget to Upvote with the 👍 button for any post you find to be helpful.

          1 Reply Last reply Reply Quote 0
          • Q
            Quarkz
            last edited by

            @kiokoman

            Thanks for the ideas! Unfortunately everything matches up fine.
            I am seeing packets being properly blocked if I tcpdump on pflog0 so I think that much is working.

            I will try a fresh install this weekend and see if I still have the issue with a vanilla config or if there is something wrong in my config.xml.

            1 Reply Last reply Reply Quote 0
            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              It's working fine for me here.

              The process you really want to look for is filterlog:

              root  51714   0.0  0.3 12336  1284  -  Ss   Tue08      0:13.20 /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • Q
                Quarkz
                last edited by

                @jimp I figured it was the filterlog process.

                root    45091   0.0  0.1  12104  2976  -  Ss   15:18     0:00.13 /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid

                It must be something specific to my config. I have done several fresh re-installs albeit importing my existing config.xml. If you have any other thoughts on troubleshooting things please let me know.

                tcpdump -n -e -ttt -i pflog0 inbound and action block and on em0

                Shows things being properly blocked so I am not as concerned but still puzzled.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post