Netgate Discussion Forum

    ip_block.log entry query - direction

      dmgeurts

      Hi all,

      Working on a Grafana dashboard and am baffled by what pfBlockerNG is reporting as the direction. The logic I see is that for ingress NAT traffic, the 'in' flag is set. However, for DMZ traffic where the host has a public IP address, the flag set is 'out'. This means that the ASN and other details in the log entries are about the destination (the DMZ server) and not the public source. This traffic is IMHO not 'out' (egress) traffic.

      May 20 16:23:12,1653043863,ixl3,WAN03,block,4,6,TCP-S,165.232.85.231,xx.xx.xx.xx,48500,38270,out,BE,pfB_PRI1_v4,xx.xx.zz.0/20,BE_v4,Unknown,Unknown,Unknown,+
      May 20 16:23:12,1653043863,ixl3,WAN03,block,4,6,TCP-S,192.241.221.98,xx.xx.yy.yy,45369,11211,in,US,pfB_PRI1_v4,192.241.221.98,BDS_Ban_v4,zg-0421d-152.stretchoid.com,nat address for XYZ,Unknown,+
      

      The above two lines differ in the destination address: the first is a DMZ address, routed via the firewall, while the second is a NAT address on the firewall (loopback virtual IP address).

      I would expect ingress traffic on a WAN interface to be flagged as 'in' and 'out' traffic to be other traffic received from 'LAN' interfaces. Writing this, it's dawning on me that NAT may be used to determine the in/out flag.

      Is there anyone who can shed light on this? I really don't need geoIP information about my DMZ servers, instead, I want to see details about the src_ip in the log file.

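For the dashboard use case in the post above, the remote peer can be derived from the src/dst columns instead of relying on the logged in/out flag. This is an added example, not part of the original post and not pfBlockerNG code; the column positions are read off the two sample lines, and `LOCAL_NETS` and the sample entries are constructed placeholders.

```python
import csv
import ipaddress

# Column positions read off the two sample lines in the post (an assumption,
# not taken from pfBlockerNG documentation).
IFACE, SRC, DST, DIRECTION = 3, 8, 9, 12

# Constructed placeholders for the operator's own prefixes (DMZ range, NAT VIP).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.10/32")]

# Constructed sample lines shaped like the post's entries (RFC 5737 addresses).
SAMPLE = (
    "May 20 16:23:12,1653043863,ixl3,WAN03,block,4,6,TCP-S,192.0.2.231,"
    "198.51.100.20,48500,38270,out,BE,pfB_PRI1_v4,198.51.96.0/20,BE_v4,"
    "Unknown,Unknown,Unknown,+\n"
    "May 20 16:23:12,1653043863,ixl3,WAN03,block,4,6,TCP-S,192.0.2.98,"
    "203.0.113.10,45369,11211,in,US,pfB_PRI1_v4,192.0.2.98,BDS_Ban_v4,"
    "scanner.example.net,nat address for XYZ,Unknown,+\n"
)


def is_local(addr):
    """True/False for a parseable address, None for masked or malformed ones."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in LOCAL_NETS)


def classify(line):
    """Return the entry's logged direction next to one derived from src/dst."""
    f = next(csv.reader([line]))
    src_local, dst_local = is_local(f[SRC]), is_local(f[DST])
    if None in (src_local, dst_local) or src_local == dst_local:
        remote, derived = None, "unknown"   # cannot tell which side is ours
    elif dst_local:
        remote, derived = f[SRC], "in"      # remote peer is the source
    else:
        remote, derived = f[DST], "out"     # remote peer is the destination
    return {
        "iface": f[IFACE], "logged": f[DIRECTION], "derived": derived,
        "remote": remote,
        "mismatch": remote is not None and derived != f[DIRECTION],
    }


if __name__ == "__main__":
    for entry in map(classify, SAMPLE.splitlines()):
        print(entry)
```

Entries with `mismatch` set are the ones where the enrichment columns would describe the local server rather than the remote peer, so a dashboard can key its lookups on `remote` instead.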
        dmgeurts

        pfSense Plus 22.0.1
        pfBlockerNG-devel 3.1.0_4

          dmgeurts @dmgeurts

          Redmine ticket logged through support channel: https://redmine.pfsense.org/issues/13209?next_issue_id=13207&prev_issue_id=13210

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.