Outgoing packets do not show up in log

  • I have a default-deny setup with a rule to let out packets from port 3074 for an XBox.  On startup the XBox generates a packet to each of a large list of IPs which show up in the log, then starts to play.  NONE of the play packets show up in the log, even though the "log" box is checked on the only rule that would let them out (as evidenced by the startup packets being logged).

    I will outline my setup here, and attach my rules, the packet log, and the "pfsense System/Firewall" log, and the rule and NAT configuration screens.

    System has four interfaces:
    WAN:  DHCP to Roadrunner.  Address is
    LAN: for High confidence trusted machines (Linux, Mac)
    YEL: for Low confidence trusted machines (Windows with AV etc.)
    ORA: for untrusted machines (XBox).  XBox is

    NAT:    Port forward of 3074 to XBox
              Outbound is set to manual so that ORA can be set to Static Port
                  LAN and YEL have Static Port set to No.

    Firewall Rules:

    I have an alias AllPrivateNets that includes the private nets and the 10.0.0/8,,, and networks.  I see lots of machines trying to do bootp from my WAN, so I assume that somehow Roadrunner's architecture allows people's private nets to get at whatever my modem is hooked to.

    All interfaces end with a block (WAN) or reject (LAN, YEL, ORA) all.

    WAN:  Firewall rules forward !AllPrivateNets port 3074 to the xbox on ORA to accommodate the NAT Port-Forward

    LAN:  Has about twenty specific rules allowing "LAN net " to go to " <specific port>".    3074 is not one of the ports allowed.

    YEL:  Identical to LAN except the destination has to be !AllPrivateNets, except for 22 and 631 are allowed to go anywhere.

    ORA:  Identical to LAN except the destination has to be !AllPrivateNets, except a rule is added to allow "ORA net 3074" to go to "!AllPrivateNets *"

    All three internal interfaces (LAN, YEL, ORA) have a DISABLED allow from the net any port to anywhere any port (e.g. LAN net * * *) to be handy as a quick escape hatch.  This is located almost at the top, with only a restriction that DNS go to the interface address and an allow of NTP to the interface above them.  I either removed or flagged logging on this disabled rule (don't remember which) and behaviour did not change.

    *** SO ***

    Is there some reason that packets SOMETIMES go from ORA to the WAN without being logged despite the rule being marked for logging?

    It smells perhaps like a NAT thing, but nothing of what I understand about NAT would suggest that stuff should bypass the firewall rules (and so the logging) going out… just coming in.

    Thank you ahead of time for any suggestions or ideas.

    Attached please find:

    rules.debug.txt          rules.debug file
    1035.screen.txt          system log / firewall from GUI
    1035.packets.txt        packet capture
    rules.WAN.screen.txt    rules from GUI
    rules.LAN.screen.txt    rules from GUI
    rules.YEL.screen.txt    rules from GUI
    rules.ORA.screen.txt    rules from GUI
    NAT.portforward.txt    from GUI
    NAT.Outbound.txt      from GUI


  • afaik logging "allow-rules" logs states and not individual packets after a state has been established.

  • Rebel Alliance Developer Netgate

    Yes, the log checkbox will log the connection, not the individual packets.
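As an added illustration, not from the thread or from pfSense's generated rules.debug, here is the ORA rule written in pf.conf syntax twice: once with the default `log`, which records only the packet that creates the state, and once with `log (all)`, which records every packet of the connection. `$ora_if`, `$ora_net` and the `<AllPrivateNets>` table are assumed macro and table names.

```pf
# Assumed macros and table (not taken from the poster's config)
ora_if  = "igb2"
ora_net = "192.0.2.0/24"
table <AllPrivateNets> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Default behaviour: "log" writes one entry when the state is created
# (the first packet of each XBox session); later packets are matched by
# the state table and never re-evaluate this rule, so they are not logged.
pass out quick on $ora_if log proto { tcp udp } \
    from $ora_net port 3074 to ! <AllPrivateNets> keep state

# "log (all)" forces an entry for every packet belonging to the state,
# including the play traffic the poster expected to see. Expect a much
# larger log volume; use it for short diagnostics, not as a steady state.
pass out quick on $ora_if log (all) proto { tcp udp } \
    from $ora_net port 3074 to ! <AllPrivateNets> keep state
```

Only one of the two rules would be active in a real ruleset; they are shown side by side to contrast the two logging modes.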

  • Boy, that sure was a lot of work for a simple answer!  Well, better that than the alternative…  Thank you!
