Hundreds of firewall logs for 10.219.10.14:80
-
Is there a way to not log these requests? I'm not sure why this Windows machine is doing this.

-
@CreationGuy is 'Blocks access to login' a rule you created (haven't seen it before)? If yes, you can disable logging in that rule.
-
@CreationGuy let's see the rule - normally the only rule that is logged is the default deny rule. Rules you create that you want to log, you would have to set to log.
Example - see these rules have been set to log, the 2 rules between do not log. See, no log symbol on them.

-
@patient0 No, it's not - no rule for that

-
@CreationGuy the firewall log clearly is a user-created rule called "blocks access to login" that is not any sort of default pfSense rule.
ah yup see you clearly have it set to log

-
@johnpoz I see what you're saying there, but looking at the log I posted above, how does that correlate with this:

-
@CreationGuy what do you mean, how does it correlate? That logged traffic is to port 80, and your alias has port 80 in it.

.14 seems like an odd IP for a pfSense interface IP to me, normally they are like .1 or .254 - I run mine at .253 to not step on anything that might default to using .254. But .14 just seems like some IP out of thin air?
Edit: on a side note, if you're seeing hundreds of them - I would look into why your machine is sending traffic to your pfSense IP on port 80 in the first place.
Do you have a browser left open or something?
-
@johnpoz
I had port 80 in there but removed it as I have it disabled in the settings. That cleared it up. My assumption was that this config was just trying to log into the router. That looks like a BOGON IP and maybe that's why the router thought the Windows machine was trying to log into it.
-
@CreationGuy Neither IP is a bogon, they are both private/RFC1918 IPs.
Removed port 80 from the alias? If you don't have a later "allow to any" rule or any other rule allowing it, then the connection attempts should remain blocked.
-
@CreationGuy said in Hundreds of firewall logs for 10.219.10.14:80:
My assumption was that this config was just trying to log into the router.
Why would it be doing that? That makes no sense for Windows to hit its gateway on port 80. Unless you had a browser open trying to go there, or you had some software on it checking services - like Uptime Kuma, or something running discovery - ntop can do that, for example.
But out of the box a Windows machine sure shouldn't be just sending port 80 traffic to its gateway. Since 80 is in the clear, you could sniff the traffic and see what it's sending. Unless you allow the traffic, you're just going to see SYN. Windows will try and talk to the internet, to see if it has internet access, via its NLA service, I believe it's called (Network Location Awareness). But that wouldn't be to its gateway IP, it would be to some other internet IP. Is that 10.219.10.14 not an IP on your pfSense? That rule wouldn't trigger unless the IP was a pfSense IP (this firewall) on one of its interfaces. But yeah, now that you mention it - is that 10.219.10.14 not a pfSense IP? I would for sure look on your Windows machine into why it's trying to talk to that IP.
-
@johnpoz The only thing I can think of is that it's running Blue Iris NVR software, and it is also running a local AI server to analyze the feeds. That is a web server.
-
@CreationGuy but that IP it is trying to go to is what exactly - that 10.219.10.14, per your rule, would need to be an IP actually assigned to pfSense, or a VIP on pfSense. What is that IP?
-
@johnpoz I don't know what it is, there are no static IPs nor leases with that.
-

Found it, pfBlockerNG - I must have set this years ago.
-
@CreationGuy there you go! Yeah, so something goes to something pfBlocker is blocking and they get sent to the block site - which you were blocking and logging in your rule.