Netgate Discussion Forum

problem with tracking id log. It never changes

General pfSense Questions
21 Posts 6 Posters 1.6k Views
  • C
    charneval
    last edited by Mar 17, 2023, 9:27 AM

    Hi everyone.
    I have a problem related to log management in pfSense version 2.6.
    When I enter the system log I can't verify the log ID, and the entries always have the same ID.

    69d833ec-24ad-45f6-82cd-7aecb8bd41fa-immagine.png

    Where can I check to return to having a correct view of the logs and find all the various ids?
    Currently I have removed all the logs I had set up and left only one rule log.

    8a9a4da7-5846-4ea9-8a81-d7ce5da74db7-immagine.png

    98ee71d1-4d3f-408c-a33e-686e4840b4ad-immagine.png

    I hope I was clear and I await your feedback for the checks to be made in the pfsense.

    Thank you

    • V
      viragomann @charneval
      last edited by Mar 17, 2023, 1:16 PM

      @charneval
      Never seen this ID.
      But run

      pfctl -sr
      

      and search for it to get an idea, which rule it is.

      • C
        charneval
        last edited by Mar 21, 2023, 9:14 AM

        Hi.
        I saw that the firewall rules have the correct IDs, but the ID 4294967295 isn't present.

        https://pastebin.com/cbHHH5SW

        and this is the log :

        https://pastebin.com/TuyLPpnG

        Where can I check the problem?

        Thanks
        Andrea.

        • S
          stephenw10 Netgate Administrator
          last edited by Mar 21, 2023, 1:54 PM

          That rule may no longer exist in the ruleset. Are you still seeing blocks logged against it currently?

          • C
            charneval @stephenw10
            last edited by Mar 21, 2023, 4:29 PM

            @stephenw10
            Sorry I didn't understand your answer.
            Can I give you more information about firewall configuration?
            The problem has been present for about 1 month but before that if I entered the firewall log screen I had the logs of all the rules.

            • J
              johnpoz LAYER 8 Global Moderator @charneval
              last edited by johnpoz Mar 21, 2023, 4:39 PM Mar 21, 2023, 4:36 PM

              @charneval The question is are you seeing current log entries - like today, or 10 minutes ago showing that rule ID? Those are all dated the 17th.. Do you have entries from say 3/21 now with that same ruleID.

              If you do - then it has to be in the firewall rules with that ID on them.. But if you're not seeing any current log entries, then it's possible those were from some old rule and its ID.

              To be honest from what is blocked, that could just be default deny rule.

              Use this to look at your rules:
              pfctl -sa

              You should be able to grep for the rules via that ID.. So for example here are two hits in my log just recent from different rules

              hits.jpg

              If I grep the rules for that ID, I can see what rules blocked that.

              [23.01-RELEASE][admin@sg4860.local.lan]/root: pfctl -sa | grep 1675276073
              block drop in log quick on igb1 reply-to (igb1 209.snipped) inet from <pfB_DigitalOcean_v4> to 209.snipped label "USER_RULE: DO Blocks" label "id:1675276073" ridentifier 1675276073
              USER_RULE: DO Blocks id:1675276073 54511 1193 51380 1193 51380 0 0 0
              
              [23.01-RELEASE][admin@sg4860.local.lan]/root: pfctl -sa | grep 1512833215
              block drop in log quick on igb1 reply-to (igb1 209.snipped) inet proto tcp from any to 209.snipped flags S/S label "USER_RULE: Clean Block" label "id:1512833215" ridentifier 1512833215
              USER_RULE: Clean Block id:1512833215 36728 12651 523500 12651 523500 0 0 0
              [23.01-RELEASE][admin@sg4860.local.lan]/root:  pfctl -sa
              

              But if the log is old, then it's possible the rule ID is no longer an active rule, and you will not find it in your rule set.

              But if you're seeing current blocks with that ID, then it has to exist in your rule set.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              • S
                stephenw10 Netgate Administrator
                last edited by Mar 21, 2023, 5:26 PM

                Except the default deny rule has a fixed ID and that isn't it. So more likely a custom block rule or maybe something from pfBlocker.

                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by Mar 21, 2023, 5:36 PM

                  @stephenw10 true.. But if the rule is active then it would have to be in the rule list.. I don't see logging with an ID that isn't actually there, etc.

                  • S
                    stephenw10 Netgate Administrator
                    last edited by Mar 21, 2023, 5:39 PM

                    Exactly. One issue can be logs showing against the wrong rule description because the rule IDs are parsed when the logs are displayed, not when the connection happened. Though that isn't the case here.

                    That ID number looks out of place though, I wonder if it was changed somehow.

                    • C
                      charneval @stephenw10
                      last edited by Mar 22, 2023, 9:31 AM

                      @stephenw10

                      Good morning.
                      If it were a custom blocking rule, I would have to identify it in the command: pfctl -sa | grep 4294967295
                      I can't find any rules with this id and I can't get the log view back with the right ids.
                      The service pfblocker is disabled.
                      Can I test this configuration on another firewall and try to update to the devel release 2.7.X?

                      What's your advice?

                      Thanks. Andrea.

                      • G
                        Gertjan @charneval
                        last edited by Mar 22, 2023, 9:47 AM

                        @charneval

                        Something in my head tells me there was an issue with "firewall & track IDs".
                        It was way back, was it 2.6.0 ?
                        Nothing in the System Patches (pfSense package) ?

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        • C
                          charneval
                          last edited by Mar 22, 2023, 10:14 AM

                          My version is :
                          2.6.0-RELEASE (amd64)
                          built on Mon Jan 31 19:57:53 UTC 2022
                          FreeBSD 12.3-STABLE

                          But I've had this problem for about 1 month and the firmware version has been around for about 5 months.

                          • J
                            johnpoz LAYER 8 Global Moderator @Gertjan
                            last edited by Mar 22, 2023, 10:31 AM

                            @gertjan said in problem with tracking id log. It never changes:

                            there was an issue with "firewall & track IDs".

                            Wasn't there an issue with copy of firewall rules not creating new IDs - I don't recall an issue with non-existing IDs being logged..

                            • V
                              viragomann @johnpoz
                              last edited by Mar 22, 2023, 10:58 AM

                              @johnpoz
                              Anyway, I've never seen such a high rule ID number. So if it was not generated by a certain package, I suspect something must have gone pretty wrong at the rule generation.

                              To resolve, I would try to export the config, search for this rule ID in it. If it isn't there, reinstall pfSense and import the config again and hope, that the issue doesn't come back.

                              • C
                                charneval
                                last edited by Mar 22, 2023, 11:14 AM

                                I exported the configuration and inside I can't find any id with number: 4294967295, now I'll try to restore the configuration on a different hardware and see if I'm carrying the log problem.

                                Thanks

                                • bmeeksB
                                  bmeeks @charneval
                                  last edited by bmeeks Mar 22, 2023, 12:28 PM Mar 22, 2023, 12:00 PM

                                  @charneval said in problem with tracking id log. It never changes:

                                  I can't find any id with number: 4294967295

                                  That particular number is special. It is the decimal representation of the largest unsigned integer that will fit within a 32-bit word (when expressed in binary). See here: https://en.wikipedia.org/wiki/4,294,967,295. So, my guess is an integer variable is corrupted or overflowed. I don't have a guess as to why, though.

                                  1 Reply Last reply Reply Quote 3
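
An added example, not part of any post in this thread and not pfSense's own code: the cross-check discussed above (grep the loaded rules for each logged tracker ID, and treat 4294967295 as the 32-bit all-ones value) written as shell functions. It assumes the tracker is the fourth comma-separated field of a raw filterlog line; the function names, rule dump and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list tracker IDs that appear in the filter log but not in the ruleset.
UINT32_MAX=4294967295   # largest value of an unsigned 32-bit integer

# Tracker IDs in a saved `pfctl -sr` / `pfctl -sa` dump (path in $1).
# Matches both forms shown in the thread: ridentifier N and label "id:N".
rule_ids() {
    grep -oE '(ridentifier |label "id:)[0-9]+' "$1" | grep -oE '[0-9]+$' | sort -u
}

# Tracker IDs in raw filter log lines (path in $1).
# Assumption: CSV payload follows "filterlog[pid]: " and field 4 is the tracker.
log_ids() {
    sed -n 's/^.*filterlog\[[0-9]*\]: //p' "$1" |
        awk -F, '$4 ~ /^[0-9]+$/ {print $4}' | sort -u
}

# Logged IDs with no matching rule; the all-ones 32-bit value gets its own tag.
orphan_ids() {
    known=$(rule_ids "$1")
    log_ids "$2" | while read -r id; do
        printf '%s\n' "$known" | grep -qx "$id" && continue
        [ "$id" = "$UINT32_MAX" ] && echo "$id uint32-max" || echo "$id not-in-ruleset"
    done
}

# Constructed sample data: two rules, three log lines (one known ID, two unknown).
demo() {
    d=$(mktemp -d)
    cat > "$d/rules.txt" <<'EOF'
block drop in log quick on igb1 inet from <pfB_DigitalOcean_v4> to any label "USER_RULE: DO Blocks" label "id:1675276073" ridentifier 1675276073
block drop in log quick on igb1 inet proto tcp from any to any flags S/S label "USER_RULE: Clean Block" label "id:1512833215" ridentifier 1512833215
EOF
    cat > "$d/filter.log" <<'EOF'
Mar 21 09:00:01 fw filterlog[411]: 7,,,1675276073,igb1,match,block,in,4,0x0,,52,1,0,DF,6,tcp,60,198.51.100.7,203.0.113.1,40000,443,0,S,1,,64240,,mss
Mar 21 09:00:02 fw filterlog[411]: 9,,,4294967295,igb1,match,block,in,4,0x0,,52,2,0,DF,6,tcp,60,198.51.100.8,203.0.113.1,40001,22,0,S,2,,64240,,mss
Mar 21 09:00:03 fw filterlog[411]: 12,,,1400000000,igb1,match,block,in,4,0x0,,52,3,0,DF,6,tcp,60,198.51.100.9,203.0.113.1,40002,23,0,S,3,,64240,,mss
EOF
    orphan_ids "$d/rules.txt" "$d/filter.log"
    rm -rf "$d"
}
demo
```

On a live system the two inputs would be a saved `pfctl -sr` dump and the filter log file instead of the constructed samples.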
                                  • C
                                    charneval
                                    last edited by Mar 22, 2023, 12:57 PM

                                    Hi.
                                    For a test I forced a reinstall of all packages using pkg upgrade -fy
                                    but after the reboot I can't open the web console.
                                    In ssh the firewall responds and works properly.

                                    How can I restore access via web page?

                                    • V
                                      viragomann @charneval
                                      last edited by Mar 22, 2023, 1:40 PM

                                      @charneval
                                      Troubleshooting Access when Locked Out of the Firewall

                                      Disable the filter, then log in and check the rules.

                                      • C
                                        charneval @viragomann
                                        last edited by charneval Mar 22, 2023, 2:14 PM Mar 22, 2023, 2:13 PM

                                        @viragomann
                                        I'm connecting remotely to the firewall via ssh and I don't want this operation to give me later problems so I prefer to do it on site.
                                        The firewall has many rules and many clients connected at the moment.
                                        Currently I don't know if reconfiguring the packages solved my logging problem but I will try to check as soon as possible.

                                        • S
                                          stephenw10 Netgate Administrator
                                          last edited by Mar 22, 2023, 2:34 PM

                                          That. And also try restarting php then the webgui from the menu.
