Firewall log file

subfire91 · Nov 1, 2010, 7:55 PM

Hi guys,

Do you know where the firewall log file of pfsense is located? Because it doesnt show any dropped connections on the webgui somehow. i need the firewall log file in order to tail -f it real time for troubleshooting

thnx

jimp · Nov 2, 2010, 12:45 PM

http://doc.pfsense.org/index.php/Why_can't_I_view_view_log_files_with_cat/grep/etc%3F_(clog)

subfire91 · Nov 2, 2010, 5:04 PM

@jimp:

http://doc.pfsense.org/index.php/Why_can't_I_view_view_log_files_with_cat/grep/etc%3F_(clog)

thnx a million!! ;D

subfire91 · Nov 2, 2010, 9:28 PM

the command works but i cannot see any logs. i put a rule in lan from my computer to another host in another subnet to be blocked when RDP. The rule is on top of the list in order to be blocked immediately.

i type clog -f filter.log | grep and i cannot see my ip getting blocked when RDPing.

the other computer is switched off but shouldnt i see any logs? i cannot see any blocked logs on both cli and gui.

also i do tcpdump -i nfe0 | grep it doesnt work
i do tcpdump -i nfe0 only and i see a load of logs (nfe0 is the WAN interface)

finally i have a machine that is communicating with external hosts every about 3 seconds on specific port xxx.
i type tcpdump -i em1 | grep xxx doesnt show anything
i type tcpdump -i em1 only i can see it in the form of ip.xxx

All i can see in the block messages when typing clog -f filter.log | grep is this entry :

Nov 2 19:24:14 pfSense pf: 1. 194222 rule 34/0(match): block in on nfe0: (tos 0x0, ttl 64, id 6844, offset 0, flags [none], proto UDP (17), length 328) 10.1.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, hops 2, xid 0x21742300, secs 46195, Flags [none]

this is the only thing i see in the webgui also, no other blocked events are displayed except this one. This activity has being going for about a year now!!

Any one that could help?

Guest · Nov 3, 2010, 1:32 AM

Use the filtering mechanisms in tcpdump instead:

tcpdump -i em1 host some.host.ip.address

Should get you started.

http://www.tcpdump.org/tcpdump_man.html

Should help further.

subfire91 · Nov 3, 2010, 4:43 PM

tcpdump -i em1 host some.host.ip.address

didnt understand this command. Can you give an example?

But this still doesnt resolve my issues. Why clog -f command not showing any logs. Why the gui doesnt show blocked connections?

thnx

jimp · Nov 3, 2010, 4:57 PM

clog -f shows you the log.
The GUI reads the same log as clog.
If nothing shows there, nothing is being blocked and logged.
Block rules aren't set to log by default.

So either the traffic is not taking the path you expect, or it's not being logged because the rule isn't set to log.

subfire91 · Nov 3, 2010, 6:24 PM

hi jimp,

how do i set which rules to be logged in pfsense?

jimp · Nov 3, 2010, 6:29 PM

Edit the rule you want to log. Check the box to log. Save. That's it.