Firewall Log every 7 minutes
-
My firewall Log log new events very (about) 7 minutes…
Why?
-
What version? And what do you mean? The page refreshes (filter logs) like every 5 minutes.
-
What version? And what do you mean? The page refreshes (filter logs) like every 5 minutes.
Sorry forghet some details :)
Version: 1.0-PREBETA2-BUG-VALIDATION-EDITION5
built on Wed Jan 18 01:09:49 UTC 2006I mean this:
Jan 23 23:08:20 NG0 192.168.1.3:1411 xx.xx.xx.xxx:135 TCP Jan 23 23:08:20 NG0 84.103.166.58:32217 xx.xx.xx.xxx:54391 UDP Jan 23 23:08:20 NG0 82.52.43.182:1448 xx.xx.xx.xxx:445 TCP Jan 23 23:08:20 NG0 82.52.43.182:1448 xx.xx.xx.xxx:445 TCP Jan 23 23:08:20 NG0 86.207.198.167:4672 xx.xx.xx.xxx:54779 UDP Jan 23 23:08:20 NG0 67.127.173.144:4672 xx.xx.xx.xxx:61222 UDP Jan 23 23:08:20 NG0 85.72.166.251:4672 xx.xx.xx.xxx:54391 UDP Jan 23 23:08:20 NG0 81.195.5.45:4672 xx.xx.xx.xxx:54391 UDP Jan 23 23:08:20 NG0 192.168.100.1 224.0.0.1 IGMP Jan 23 23:08:20 NG0 84.222.145.122:4672 xx.xx.xx.xxx:63604 UDP Jan 23 23:08:20 NG0 82.52.147.16:3640 xx.xx.xx.xxx:445 TCP Jan 23 23:08:20 NG0 82.52.147.16:3640 xx.xx.xx.xxx:445 TCP Jan 23 23:08:20 NG0 82.227.249.114:4672 xx.xx.xx.xxx:54025 UDP Jan 23 23:03:28 NG0 151.37.101.211:25143 xx.xx.xx.xxx:60651 UDP Jan 23 23:03:28 NG0 192.168.100.1 224.0.0.1 IGMP Jan 23 23:03:28 NG0 83.45.2.55:4672 xx.xx.xx.xxx:59725 UDP Jan 23 23:03:28 NG0 62.57.244.9:4672 xx.xx.xx.xxx:54391 UDP Jan 23 23:03:28 NG0 81.195.5.45:4672 xx.xx.xx.xxx:54391 UDP Jan 23 23:03:28 NG0 200.71.138.253:4672 xx.xx.xx.xxx:54391 UDP Jan 23 23:03:28 NG0 192.168.100.1 224.0.0.1 IGMP Jan 23 23:03:28 NG0 80.38.41.64:10135 xx.xx.xx.xxx:57250 UDP Jan 23 23:03:28 NG0 85.50.7.235:10011 xx.xx.xx.xxx:56395 UDP Jan 23 23:03:28 NG0 192.168.100.1 224.0.0.1 IGMP Jan 23 23:03:28 NG0 86.201.170.1:4175 xx.xx.xx.xxx:54391 UDP Jan 23 23:03:28 NG0 82.80.151.89:6672 xx.xx.xx.xxx:54391 UDPThis event for example are every 5 minutes, and no events between 23.03.28 and 23.08.20
-
What version? And what do you mean? The page refreshes (filter logs) like every 5 minutes.
Sorry forghet some details :)
Version: 1.0-PREBETA2-BUG-VALIDATION-EDITION5
built on Wed Jan 18 01:09:49 UTC 2006I mean this:
Jan 23 23:08:20 NG0 192.168.1.3:1411 xx.xx.xx.xxx:135 TCP Jan 23 23:08:20 NG0 84.103.166.58:32217 xx.xx.xx.xxx:54391 UDP Jan 23 23:08:20 NG0 82.52.43.182:1448 xx.xx.xx.xxx:445 TCP Jan 23 23:08:20 NG0 82.52.43.182:1448 xx.xx.xx.xxx:445 TCP Jan 23 23:08:20 NG0 86.207.198.167:4672 xx.xx.xx.xxx:54779 UDP Jan 23 23:08:20 NG0 67.127.173.144:4672 xx.xx.xx.xxx:61222 UDP Jan 23 23:08:20 NG0 85.72.166.251:4672 xx.xx.xx.xxx:54391 UDP Jan 23 23:08:20 NG0 81.195.5.45:4672 xx.xx.xx.xxx:54391 UDPLooks like edonkey control traffic to me. I'm guessing you've either had some p2p software running or (based on ng0) you've acquired someone elses dynamically assigned addres who was using some p2p software. Looks innocuous to me.
Jan 23 23:08:20 NG0 192.168.100.1 224.0.0.1 IGMPThis might be pfsync, it's a little odd though seeing that on ng0. I'm guessing something else unknown - no idea what 192.168.100.1 is, is that on your network?
–Bill
-
This might be pfsync, it's a little odd though seeing that on ng0. I'm guessing something else unknown - no idea what 192.168.100.1 is, is that on your network?
my guess would be some sort of routing protocol or failover in use by the ISP that's spewing out crap to customers where it probably shouldn't be.
-
What version? And what do you mean? The page refreshes (filter logs) like every 5 minutes.
Sorry forghet some details :)
Version: 1.0-PREBETA2-BUG-VALIDATION-EDITION5
built on Wed Jan 18 01:09:49 UTC 2006I mean this:
Jan 23 23:08:20 NG0 192.168.1.3:1411 xx.xx.xx.xxx:135 TCP Jan 23 23:08:20 NG0 84.103.166.58:32217 xx.xx.xx.xxx:54391 UDP Jan 23 23:08:20 NG0 82.52.43.182:1448 xx.xx.xx.xxx:445 TCP Jan 23 23:08:20 NG0 82.52.43.182:1448 xx.xx.xx.xxx:445 TCP Jan 23 23:08:20 NG0 86.207.198.167:4672 xx.xx.xx.xxx:54779 UDP Jan 23 23:08:20 NG0 67.127.173.144:4672 xx.xx.xx.xxx:61222 UDP Jan 23 23:08:20 NG0 85.72.166.251:4672 xx.xx.xx.xxx:54391 UDP Jan 23 23:08:20 NG0 81.195.5.45:4672 xx.xx.xx.xxx:54391 UDPLooks like edonkey control traffic to me. I'm guessing you've either had some p2p software running or (based on ng0) you've acquired someone elses dynamically assigned addres who was using some p2p software. Looks innocuous to me.
I have a p2p machine…but the problem is not that I get this traffic, but the problem is that the traffic is logged only at interval...what appen between two interval is not logged... For example I want o log all the connection to port RDP (3389) and set the correct option in the firewall rule, but nothing is logged, becouse I can't try to connect at that port exactly in the moment that the firewall log is runnung...
Jan 23 23:08:20 NG0 192.168.100.1 224.0.0.1 IGMPThis might be pfsync, it's a little odd though seeing that on ng0. I'm guessing something else unknown - no idea what 192.168.100.1 is, is that on your network?
–Bill
192.168.100.1 is the remote router of my ISP.
-
@cmb:
This might be pfsync, it's a little odd though seeing that on ng0. I'm guessing something else unknown - no idea what 192.168.100.1 is, is that on your network?
my guess would be some sort of routing protocol or failover in use by the ISP that's spewing out crap to customers where it probably shouldn't be.
My problem is not the traffic logged…but the traffic that wan't logged.... as I told in my previous post...
What I can do?
I haven't this beaviour before... -
For example i actvate the log option in a firewall (allow) rule, but I never get this event logged, becouse if the event is not generated in the moment in which the log run, this in not logged…
My log report event at interval...
This happen only with the latest beta...
Any idea to check and correct this problem?
-
Please try http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-1-25-06/
Also, turn on raw logs to make sure its not appearing there and not in the normal firewall logs screen.
-
Please try http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-1-25-06/
Also, turn on raw logs to make sure its not appearing there and not in the normal firewall logs screen.
I do the upgrade to this version…
...and now no firewall log. Nothing is logged :( -
Now something appear:
Last 100 firewall log entries Act Time If Source Destination Proto Jan 27 00:51:52 NG0 198.104.137.161:48170 xx.xx.xxx.xxx:1027 UDP Jan 27 00:51:52 NG0 198.104.137.161:48170 xx.xx.xxx.xxx:1026 UDP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 82.54.140.92:3348 xx.xx.xxx.xxx:139 TCP Jan 27 00:51:52 NG0 82.54.140.92:2983 xx.xx.xxx.xxx:139 TCP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 135.94.139.51:0 xx.xx.xxx.xxx:1025 UDP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 41.133.149.19:0 xx.xx.xxx.xxx:1025 UDP Jan 27 00:51:52 NG0 41.133.149.19:0 xx.xx.xxx.xxx:1026 UDP Jan 27 00:51:52 NG0 202.99.172.172:43678 xx.xx.xxx.xxx:4073 UDP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 82.54.140.92:3286 xx.xx.xxx.xxx:445 TCP Jan 27 00:51:52 NG0 82.54.140.92:3286 xx.xx.xxx.xxx:445 TCP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 82.54.79.230:1561 xx.xx.xxx.xxx:445 TCP Jan 27 00:51:52 NG0 82.54.79.230:1561 xx.xx.xxx.xxx:445 TCP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 61.156.42.117:38680 xx.xx.xxx.xxx:4257 UDP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMP Jan 27 00:51:52 NG0 29.72.169.211:0 xx.xx.xxx.xxx:1026 UDP Jan 27 00:51:52 NG0 86.144.214.23:2814 xx.xx.xxx.xxx:61504 UDP Jan 27 00:51:52 NG0 192.168.100.1 224.0.0.1 IGMPBut is impossible that all the events happen in the same second and no other event before and after.
And Nothing was logged if in a rule I set to log… -
I'm on the 1-25-06 snapshot and am also experiencing this issue. Even when I set it to show raw logs and also when I log to a remote syslog server. It seems as if the logs are being buffered and then being dumped at once with the same timestamp…
I've attached part of my syslog if it helps any.
-
you got more on the firewall tab than i get
on the system tab i see that that the firewall has problemes
also al the way to the right of the pfsense logo in the upper corner i see [object window]this is on my system tab:
Jan 27 07:24:04 mpd: [pt0] link: DOWN event
Jan 27 07:24:04 mpd: [pt0] LCP: Down event
Jan 27 07:25:17 syslogd: exiting on signal 15
Jan 27 07:25:18 syslogd: kernel boot file is /boot/kernel/kernel
Jan 27 07:25:23 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]: -
There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
The above means that you have assigned an interface that is not present.
Re-assign you're interfaces (including VLANs)
-
So….no news?
I upfate to version: 1.0-BETA1-TESTING-SNAPSHOT-1-28-06
built on Sun Jan 29 05:44:39 UTC 2006but Firewall logs still run at interval…
Can I do some test to help you to find a solution?
-
Yes, we are aware of some issues.
-
Ok… I wait...
Thank!!
Let me know if you need any test...