Netgate Discussion Forum

    Why are connections from LAN blocked

    Firewalling
    7 Posts 5 Posters 2.4k Views
    EddieA

      I noticed the following in my logs:

      But I don't have any rules in place, for the outgoing LAN, just the default one:

      So, why are these packets being blocked?

      Cheers.

      AhnHEL

        It's normal.

        http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

        AhnHEL (Angel)

        EddieA

          RTFM.   ::)

          I promise I'll do it next time.

          Cheers, and Thanks.

          mobocracy

            @onhel:

            It's normal.

            http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

            I'm new to pfSense and had suspected this explanation.  I love it so far but this logging business is kind of bugging.

            While it's normal, is there a way to mitigate it, at least from a logging perspective? It generates a substantial amount of log traffic (relative to "normal" denied traffic). On my generic LAN pfSense box, 38% of the blocked traffic is due to this. On my server pfSense box, it's 96% of the blocked traffic, largely due to two iPhones hitting the mail server every 30 minutes on lossy links.

            This makes most firewall log views kind of worthless as they're flooded with non-event events.

            Is there a way to not log this kind of traffic, or tweak the state table, or something?

            jimp (Rebel Alliance Developer, Netgate)

              You could try setting the firewall optimization to conservative. Not sure if it would help, but it does give states longer to expire than it would otherwise. That is found under System > Advanced.

              danswartz

                Maybe I am misunderstanding you, but why don't you just disable logging due to the default deny rule?

                mobocracy

                  @danswartz:

                  Maybe I am misunderstanding you, but why don't you just disable logging due to the default deny rule?

                  Because then I get essentially no logging. My philosophy (which may be junk from a security perspective) is to gain a familiarity with unwanted inbound traffic. Some of it is common enough (e.g., automated MS DS attacks on port 445, SQL attacks, etc.) that it clutters the logs. Once I'm comfortable that this traffic is being blocked and is common enough to clutter the logs, I usually create specific denial rules and disable logging for them.

                  This allows me to get a "fresh" view of the log, minus traffic I know is already there but don't want to see, and makes it easier to spot new traffic or more sophisticated unwanted traffic.

                  Really, it's probably a logfile reporting filter issue more so than a rule issue – ideally you'd still want this traffic logged, but I have yet to see a decent commercial log reporting system that can do this well.

                  When I worked at one place I had the firewall syslogging to a FreeBSD box and some Perl scripts tied to some really rudimentary web pages that would do this kind of filtering for me (and more, like monthly log summaries that scanned denied traffic and would attempt netblock summarization to try to find patterns in the sources of unwanted traffic).  Unfortunately I don't really have the luxury of doing that anymore.

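An added example of the log-side filter mobocracy asks for in both of his posts above (the "non-event events" flooding the log, and the later wish for a reporting filter with netblock summarization). This is not code from the thread or from pfSense. It assumes the comma-separated line layout written by pfSense's filterlog (2.2 and later) for IPv4 TCP and UDP entries; the sample lines are constructed, not captured from a real box. The classification rule is the one the linked pfSense article describes: a TCP segment that reaches the default block rule carrying ACK, FIN or RST but no lone SYN had a state that has already expired or closed, whereas a bare SYN is a genuine new connection attempt. Grouping the remainder by /24 is an arbitrary choice for illustration.

```python
"""Separate pfSense 'block' log entries for expired states from real
new-connection attempts, then summarise the latter by source /24 and port.

Added example; not the thread's or pfSense's own code. The field positions
below assume the filterlog CSV layout of pfSense 2.2+ (common header, IPv4
header fields, then TCP/UDP fields). Verify against your release.
"""
import ipaddress
from collections import Counter

# Constructed sample lines (syslog prefix already stripped), not real captures.
SAMPLE_LOG = """\
5,,,1000000103,em0,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,52,192.168.1.20,203.0.113.5,51234,993,0,FA,1111111111,2222222222,65535,,nop;nop;TS
5,,,1000000103,em0,match,block,in,4,0x0,,64,1235,0,DF,6,tcp,52,192.168.1.20,203.0.113.5,51234,993,0,A,1111111112,2222222222,65535,,
5,,,1000000103,em0,match,block,in,4,0x0,,64,1236,0,DF,6,tcp,40,192.168.1.21,203.0.113.5,51300,993,0,RA,1111111113,0,0,,
12,,,1000000105,em1,match,block,in,4,0x0,,48,4000,0,none,6,tcp,60,198.51.100.7,203.0.113.9,44555,445,0,S,3333333333,,8192,,mss
12,,,1000000105,em1,match,block,in,4,0x0,,48,4001,0,none,6,tcp,60,198.51.100.8,203.0.113.9,44556,1433,0,S,3333333334,,8192,,mss
12,,,1000000105,em1,match,block,in,4,0x0,,48,4002,0,none,17,udp,78,198.51.100.9,203.0.113.9,52000,5060,58
12,,,1000000105,em1,match,block,in,4,0x0,,48,4003,0,none,6,tcp,60,192.0.2.40,203.0.113.9,44557,22,0,S,3333333335,,8192,,mss
"""

# Assumed field positions in the comma-separated filterlog line.
IDX_ACTION, IDX_IPVER = 6, 8
IDX_PROTO, IDX_SRC, IDX_DST = 16, 18, 19
IDX_SPORT, IDX_DPORT, IDX_TCPFLAGS = 20, 21, 23


def parse_line(line):
    """Return a dict for an IPv4 TCP/UDP block entry, or None for anything else."""
    # Tolerate a raw syslog line: keep only the text after 'filterlog[pid]: '.
    line = line.strip().split("]: ", 1)[-1]
    f = line.split(",")
    if len(f) < 22 or f[IDX_ACTION] != "block" or f[IDX_IPVER] != "4":
        return None
    proto = f[IDX_PROTO]
    if proto not in ("tcp", "udp"):
        return None
    return {
        "proto": proto,
        "src": f[IDX_SRC],
        "dst": f[IDX_DST],
        "sport": int(f[IDX_SPORT]),
        "dport": int(f[IDX_DPORT]),
        "flags": f[IDX_TCPFLAGS] if proto == "tcp" and len(f) > IDX_TCPFLAGS else "",
    }


def classify(entry):
    """'out_of_state' for TCP segments that are not a bare SYN, else 'reportable'.

    ACK/FIN/RST/PSH without SYN (or SYN+ACK) reaching a block rule means no
    state matched it: the state expired or closed. A lone SYN is a real new
    connection attempt. UDP has no handshake, so it is always reported.
    """
    if entry["proto"] == "tcp":
        fl = entry["flags"]
        if "S" in fl and "A" not in fl:
            return "reportable"
        return "out_of_state"
    return "reportable"


def summarize(log_text):
    """Count noise vs. reportable blocks; group reportable ones by /24 and port."""
    counts, by_netblock, by_port = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        counts[kind] += 1
        if kind == "reportable":
            net = ipaddress.ip_network(f"{entry['src']}/24", strict=False)
            by_netblock[str(net)] += 1
            by_port[entry["dport"]] += 1
    total = counts["out_of_state"] + counts["reportable"]
    return {
        "out_of_state": counts["out_of_state"],
        "reportable": counts["reportable"],
        "noise_pct": round(100.0 * counts["out_of_state"] / total, 1) if total else 0.0,
        "by_netblock": by_netblock,
        "by_port": by_port,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"out-of-state noise: {report['out_of_state']} of "
          f"{report['out_of_state'] + report['reportable']} blocks ({report['noise_pct']}%)")
    for net, n in report["by_netblock"].most_common():
        print(f"{net:20} {n}")
    for port, n in report["by_port"].most_common():
        print(f"dport {port:<6} {n}")
```

Run it against `/var/log/filter.log` (or a remote syslog copy) instead of `SAMPLE_LOG` to get the "fresh" view mobocracy describes: the expired-state entries are still logged on the firewall, but they are dropped from the report, and what remains is grouped so repeat sources stand out. The flag test is deliberately conservative; a SYN+ACK without state also ends up in the noise bucket, which is the right call for traffic arriving at a LAN interface.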
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.