How to log only packets of interest?
-
I am trying to configure an SG-3100 to act as a filtering bridge. Configuring the basic bridge was easy, which is very nice.
Configuring the firewall is harder...
The bridge should drop any packet where the source address matches any of various URL address tables. (http://127.0.0.1/...)
The bridge should drop and log any packet where the destination address matches any of various URL address tables.
The bridge should drop any IPv6 packet.
Writing the pf rules in a text editor for this was straightforward for me. They even work, briefly, before pfsense takes over and turns off pf. Since I cannot write my own pf rules, I entered those rules through the web configurator. Fine, but...
How do I turn off logging from all of the rules that the pfsense firewall puts in place for my own good that I do not care about in this application? I understand that there are other applications where someone might actually want to log all dropped packets. I want the log to contain just what I am interested in, so if there is nothing of interest, it is of zero length. I have experimented with writing my own blocking rules that do not log, but I do not see how to make this work consistently.
-
@kj32 There is an implicit deny in every interface.
There is also the option to log or not this implicit deny
If you configure your interesting matches to log and the others not to, I see no reason why it doesn't work for you.
-
@kj32 said in How to log only packets of interest?:
How do I turn off logging from all of the rules that the pfsense firewall puts in place for my own
Go to Status > System Logs > Settings
Remove the check here :
Block all incoming IPv6 :
System > Advanced > Networking and remove the first check.
Firewall rules by pfsense : /tmp/rules.debug
This file is re-created and reloaded into pf very regularly. You can't edit it yourself.
These are the default 'final' block rules on every interface :
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in inet all tracker 1000000103 label "Default deny rule IPv4"
block out inet all tracker 1000000104 label "Default deny rule IPv4"
block in inet6 all tracker 1000000105 label "Default deny rule IPv6"
block out inet6 all tracker 1000000106 label "Default deny rule IPv6"
True, some ping and dhcp rules are present.
Up until : # User-defined rules follow
On the LAN interface there is one more 'default' rule : a pass rule - but you can edit this one in the GUI.
-
@gertjan said in How to log only packets of interest?:
@kj32 said in How to log only packets of interest?:
How do I turn off logging from all of the rules that the pfsense firewall puts in place for my own
Go to Status > System Logs > Settings
Remove the check here :
Thank you very much. I think understanding pf may well be a disadvantage when trying to configure a pfsense system.
My brain: "The logging is coming from pf, the pf setup is handled under firewall, changing the logging should be under firewall".
-
@kj32 said in How to log only packets of interest?:
My brain: "The logging is coming from pf, the pf setup is handled under firewall, changing the logging should be under firewall".
Yes, you can set the logging for each firewall rule independently. But the default deny rule does not show up there, hence you cannot edit its logging in that place, but rather in the logging section.
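As an added check that is not code from the thread or from pfSense: a POSIX shell/awk audit of a rules.debug file that reports which block rules carry pf's log keyword, so you can confirm that, once the default-deny logging is unchecked, only the destination-match rules you created still log. The sample ruleset is constructed; the bridge0 interface and the badsrc/baddst table names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: audit a pfSense
# rules.debug (e.g. /tmp/rules.debug) and report, for every "block" rule,
# its tracker id, label and whether it carries pf's "log" keyword, so you can
# confirm that only the rules you marked for logging still hit the filter log.

# Print "tracker<TAB>label<TAB>log|nolog" for each block rule in file $1.
list_block_rules() {
    awk '
        /^[ \t]*block[ \t]/ {
            line = $0; tracker = "-"; label = "-"
            # Cut the label out first so text like "no log" in a label is not
            # mistaken for the log keyword of the rule itself.
            if (match(line, /label[ \t]+"[^"]*"/)) {
                label = substr(line, RSTART, RLENGTH)
                sub(/^label[ \t]+"/, "", label); sub(/"$/, "", label)
                line = substr(line, 1, RSTART - 1) substr(line, RSTART + RLENGTH)
            }
            if (match(line, /tracker[ \t]+[0-9]+/)) {
                tracker = substr(line, RSTART, RLENGTH); sub(/tracker[ \t]+/, "", tracker)
            }
            logs = (line ~ /[ \t]log([ \t(]|$)/) ? "log" : "nolog"
            printf "%s\t%s\t%s\n", tracker, label, logs
        }' "$1"
}

# Number of block rules that log: on the filtering bridge discussed above this
# should equal the number of "destination matched" rules you created yourself.
count_logging_blocks() {
    list_block_rules "$1" | awk -F'\t' '$3 == "log" { n++ } END { print n + 0 }'
}

# Constructed sample in the shape of rules.debug, written to file $1: default
# deny IPv4 still logs, one user rule logs on purpose, one must not (names assumed).
write_sample_rules() {
    cat > "$1" <<'EOF'
# default deny rules
block in log inet all tracker 1000000103 label "Default deny rule IPv4"
block out log inet all tracker 1000000104 label "Default deny rule IPv4"
block in inet6 all tracker 1000000105 label "Default deny rule IPv6"
block out inet6 all tracker 1000000106 label "Default deny rule IPv6"
# User-defined rules follow
block in quick on bridge0 from <badsrc> to any tracker 1000000201 label "USER_RULE: no log for bad sources"
block in log quick on bridge0 from any to <baddst> tracker 1000000202 label "USER_RULE: log hits on bad destinations"
pass in quick on bridge0 inet from 192.0.2.0/24 to any tracker 1000000301 label "USER_RULE: pass"
EOF
}

if [ -n "${1:-}" ]; then list_block_rules "$1"; fi
```

Run it as `sh audit.sh /tmp/rules.debug` on the box; every line ending in `log` is a rule that will write to the filter log.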