ip_block.log entry query - direction
-
Hi all,
Working on a Grafana dashboard and am baffled by what pfblockerNG is reporting as the direction. The logic I see is that for ingress NAT traffic, the 'in' flag is set. However, for DMZ traffic where the host has a public IP address, the flag set is 'out'. This means that the ASN and other details in the log entries are about the destination (the DMZ server) and not the public source. This traffic is IMHO not 'out' (egress) traffic.
May 20 16:23:12,1653043863,ixl3,WAN03,block,4,6,TCP-S,165.232.85.231,xx.xx.xx.xx,48500,38270,out,BE,pfB_PRI1_v4,xx.xx.zz.0/20,BE_v4,Unknown,Unknown,Unknown,+
May 20 16:23:12,1653043863,ixl3,WAN03,block,4,6,TCP-S,192.241.221.98,xx.xx.yy.yy,45369,11211,in,US,pfB_PRI1_v4,192.241.221.98,BDS_Ban_v4,zg-0421d-152.stretchoid.com,nat address for XYZ,Unknown,+
The above two lines differ in the destination address: the first is a DMZ address, routed via the firewall, while the second is a NAT address on the firewall (loopback virtual IP address).
I would expect ingress traffic on a WAN interface to be flagged as 'in' and 'out' traffic to be other traffic received from 'LAN' interfaces. Writing this it's dawning on me that NAT may be used to determine the in/out flag.
Is there anyone who can shed light on this? I really don't need geoIP information about my DMZ servers, instead, I want to see details about the src_ip in the log file.
-
pfSense Plus 22.0.1
pfBlockerNG-devel 3.1.0_4
-
Redmine ticket logged through support channel: https://redmine.pfsense.org/issues/13209?next_issue_id=13207&prev_issue_id=13210
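An added example, not from the post or from pfBlockerNG, showing one way a dashboard can sidestep the direction flag: parse ip_block.log entries in the layout shown above and pick the remote IP by checking src/dst against the site's own address ranges. The field names, the local prefixes and the two sample lines (RFC 5737 documentation addresses standing in for the masked ones) are constructed assumptions.

```python
import csv
import ipaddress
from io import StringIO

# Field names are an assumption derived from the sample entries in the post,
# not pfBlockerNG's documented schema.
FIELDS = ["date", "epoch", "iface", "ifname", "action", "ipver", "proto", "flags",
          "src", "dst", "sport", "dport", "direction", "geoip", "alias",
          "feed_entry", "feed", "resolve_src", "resolve_dst", "asn", "marker"]

# Constructed sample: 203.0.113.0/24 plays the DMZ range, 198.51.100.0/24 the
# WAN addresses (including the NAT VIP), 192.0.2.0/24 the blocked remote hosts.
SAMPLE_LOG = """May 20 16:23:12,1653043863,ixl3,WAN03,block,4,6,TCP-S,192.0.2.10,203.0.113.5,48500,38270,out,BE,pfB_PRI1_v4,203.0.113.0/24,BE_v4,Unknown,Unknown,Unknown,+
May 20 16:23:12,1653043863,ixl3,WAN03,block,4,6,TCP-S,192.0.2.20,198.51.100.1,45369,11211,in,US,pfB_PRI1_v4,192.0.2.20,BDS_Ban_v4,host.example,nat address,Unknown,+
"""

# Assumed site prefixes; the real dashboard would load these from config.
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]


def is_local(ip, local_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in local_nets)


def parse_ip_block_log(text, local_nets=LOCAL_NETS):
    """Parse entries and derive remote_ip / effective_direction from the
    site's own prefixes instead of trusting the logged direction flag."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) != len(FIELDS):
            continue  # blank or truncated line
        row = dict(zip(FIELDS, rec))
        src_local = is_local(row["src"], local_nets)
        dst_local = is_local(row["dst"], local_nets)
        if dst_local and not src_local:
            row["effective_direction"], row["remote_ip"] = "in", row["src"]
        elif src_local and not dst_local:
            row["effective_direction"], row["remote_ip"] = "out", row["dst"]
        else:
            row["effective_direction"], row["remote_ip"] = "unknown", None
        # True where the logged flag disagrees with the prefix-based view,
        # which is the DMZ case described in the post.
        row["flag_mismatch"] = row["effective_direction"] != row["direction"]
        rows.append(row)
    return rows
```

Feeding `remote_ip` rather than the logged src/dst to the GeoIP/ASN lookup gives the dashboard details about the public peer in both the DMZ and the NAT case.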