Outgoing packets do not show up in log
-
I have a default-deny setup with a rule to let out packets from port 3074 for an XBox. On startup the XBox generates a packet to each of a large list of IPs which show up in the log, then starts to play. NONE of the play packets show up in the log, even though the "log" box is checked on the only rule that would let them out (As evidenced by the startup packets being logged).
I will outline my setup here, and attach my rules, the packet log, and the "pfsense System/Firewall" log, and the rule and NAT configuration screens.
System has four interfaces:
WAN: DHCP to Roadrunner. Address is 66.66.26.27
LAN: 168.255.240.1/24 for High confidence trusted machines (Linux, Mac)
YEL: 168.255.241.1/24 for Low confidence trusted machines (Windows with AV etc.)
ORA: 168.255.243.1/24 for untrusted machines (XBox). XBox is 168.255.243.16NAT: Port forward of 3074 to XBox
Outbound is set to manual so that ORA can be set to Static Port
LAN and YEL have Static Port set to No.Firewall Rules:
I have an alias AllPrivateNets that includes the private nets and the 10.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 networks. I see lots of machines trying to do bootp from my WAN, so I assume that somehow Roadrunner's architecture allows people's private nets to get at whatever my modem is hooked to.
All interfaces end with a block (WAN) or reject (LAN, YEL, ORA) all.
WAN: Fireall rules forward !AllPrivateNets port 3074 to the xbox on ORA to accomodate the NAT Port-Forward
LAN: Has about twenty specific rules allowing "LAN net " to go to " <specific port="">". 3074 is not one of the ports allowed.
YEL: Identical to LAN except the destination has to be !AllPrivateNets, except for 22 and 631 are allowed to go anywhere.
ORA: Identical to LAN except the destination has to be !AllPrivateNets, except a rule is added to allow "ORA net 3074" to go to "!AllPrivateNets *"
All three internal interfaces (LAN, YEL, ORA) have a DISABLED allow from the net any port to anywhere any port (e.g. LAN net * * *) to be handy in as a quick escape hatch. This is located almost at the top, with only a restriction that DNS go to the interface address and an allow of NTP to the interface above them. I either removed or flagged logging on this disabled rule (Don't remember which) and behaviour did not change.
*** SO ***
Is there some reason that packets SOMETIMES going from ORA 192.168.243.16 to the WAN without being logged despite the rule being marked for logging?
It smells perhaps like a NAT thing, but nothing of what I understand about NAT would suggest that stuff should bypass the firewall rules (and so the logging) going out… just coming in.
Thank you ahead of time for any suggestions or ideas.
Attached please find:
rules.debug.txt rules.debug file
1035.screen.txt system log / firewall from GUI
1035.packets.txt packet capture
rules.WAN.screen.txt rules from GUI
rules.LAN.screen.txt rules from GUI
rules.YEL.screen.txt rules. from GUI
rules.ORA.screen.txt rules from GUI
NAT.portforward.txt from GUI
NAT.Outbound.txt from GUI--Ray
rules.debug.txt
1035.screen.txt
1035.packets.txt
rules.wan.screen.txt
rules.lan.screen.txt
rules.yel.screen.txt
rules.ora.screen.txt
NAT.portforward.txt
NAT.Outbound.txt</specific> -
afaik logging "allow-rules", logs states and not individual packets after a state has been established..
-
Yes, the log checkbox will log the connection, not the individual packets.
-
Boy, that sure was alot of work for a simple answer! Well, better that than the alternative… Thank you!
