
    Firewall Log every 7 minutes

      Emab

      My firewall log logs new events every (about) 7 minutes…

      Why?

        sullrich

        What version?  And what do you mean?  The page refreshes (filter logs) like every 5 minutes.

          Emab

          @sullrich:

          What version?  And what do you mean?  The page refreshes (filter logs) like every 5 minutes.

          Sorry, forgot some details :)

          Version: 1.0-PREBETA2-BUG-VALIDATION-EDITION5
          built on Wed Jan 18 01:09:49 UTC 2006

          I mean this:

          	Jan 23 23:08:20 	NG0 	192.168.1.3:1411 	xx.xx.xx.xxx:135 	TCP
          	Jan 23 23:08:20 	NG0 	84.103.166.58:32217 	xx.xx.xx.xxx:54391 	UDP
          	Jan 23 23:08:20 	NG0 	82.52.43.182:1448 	xx.xx.xx.xxx:445 	TCP
          	Jan 23 23:08:20 	NG0 	82.52.43.182:1448 	xx.xx.xx.xxx:445 	TCP
          	Jan 23 23:08:20 	NG0 	86.207.198.167:4672 	xx.xx.xx.xxx:54779 	UDP
          	Jan 23 23:08:20 	NG0 	67.127.173.144:4672 	xx.xx.xx.xxx:61222 	UDP
          	Jan 23 23:08:20 	NG0 	85.72.166.251:4672 	xx.xx.xx.xxx:54391 	UDP
          	Jan 23 23:08:20 	NG0 	81.195.5.45:4672 	xx.xx.xx.xxx:54391 	UDP
          	Jan 23 23:08:20 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
          	Jan 23 23:08:20 	NG0 	84.222.145.122:4672 	xx.xx.xx.xxx:63604 	UDP
          	Jan 23 23:08:20 	NG0 	82.52.147.16:3640 	xx.xx.xx.xxx:445 	TCP
          	Jan 23 23:08:20 	NG0 	82.52.147.16:3640 	xx.xx.xx.xxx:445 	TCP
          	Jan 23 23:08:20 	NG0 	82.227.249.114:4672 	xx.xx.xx.xxx:54025 	UDP
          	Jan 23 23:03:28 	NG0 	151.37.101.211:25143 	xx.xx.xx.xxx:60651 	UDP
          	Jan 23 23:03:28 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
          	Jan 23 23:03:28 	NG0 	83.45.2.55:4672 	xx.xx.xx.xxx:59725 	UDP
          	Jan 23 23:03:28 	NG0 	62.57.244.9:4672 	xx.xx.xx.xxx:54391 	UDP
          	Jan 23 23:03:28 	NG0 	81.195.5.45:4672 	xx.xx.xx.xxx:54391 	UDP
          	Jan 23 23:03:28 	NG0 	200.71.138.253:4672 	xx.xx.xx.xxx:54391 	UDP
          	Jan 23 23:03:28 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
          	Jan 23 23:03:28 	NG0 	80.38.41.64:10135 	xx.xx.xx.xxx:57250 	UDP
          	Jan 23 23:03:28 	NG0 	85.50.7.235:10011 	xx.xx.xx.xxx:56395 	UDP
          	Jan 23 23:03:28 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
          	Jan 23 23:03:28 	NG0 	86.201.170.1:4175 	xx.xx.xx.xxx:54391 	UDP
          	Jan 23 23:03:28 	NG0 	82.80.151.89:6672 	xx.xx.xx.xxx:54391 	UDP
          

          These events, for example, are every 5 minutes, and there are no events between 23.03.28 and 23.08.20

            billm

            @Emab:

            @sullrich:

            What version?  And what do you mean?  The page refreshes (filter logs) like every 5 minutes.

            Sorry, forgot some details :)

            Version: 1.0-PREBETA2-BUG-VALIDATION-EDITION5
            built on Wed Jan 18 01:09:49 UTC 2006

            I mean this:

            	Jan 23 23:08:20 	NG0 	192.168.1.3:1411 	xx.xx.xx.xxx:135 	TCP
            	Jan 23 23:08:20 	NG0 	84.103.166.58:32217 	xx.xx.xx.xxx:54391 	UDP
            	Jan 23 23:08:20 	NG0 	82.52.43.182:1448 	xx.xx.xx.xxx:445 	TCP
            	Jan 23 23:08:20 	NG0 	82.52.43.182:1448 	xx.xx.xx.xxx:445 	TCP
            	Jan 23 23:08:20 	NG0 	86.207.198.167:4672 	xx.xx.xx.xxx:54779 	UDP
            	Jan 23 23:08:20 	NG0 	67.127.173.144:4672 	xx.xx.xx.xxx:61222 	UDP
            	Jan 23 23:08:20 	NG0 	85.72.166.251:4672 	xx.xx.xx.xxx:54391 	UDP
            	Jan 23 23:08:20 	NG0 	81.195.5.45:4672 	xx.xx.xx.xxx:54391 	UDP
            
            

            Looks like edonkey control traffic to me.  I'm guessing you've either had some p2p software running or (based on ng0) you've acquired someone else's dynamically assigned address who was using some p2p software.  Looks innocuous to me.

            
            	Jan 23 23:08:20 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
            
            

            This might be pfsync, it's a little odd though seeing that on ng0.  I'm guessing something else unknown - no idea what 192.168.100.1 is, is that on your network?

            –Bill

            pfSense core developer
            blog - http://www.ucsecurity.com/
            twitter - billmarquette

              cmb

              @billm:

              This might be pfsync, it's a little odd though seeing that on ng0.  I'm guessing something else unknown - no idea what 192.168.100.1 is, is that on your network?

              My guess would be some sort of routing protocol or failover in use by the ISP that's spewing out crap to customers where it probably shouldn't be.

                Emab

                @billm:

                @Emab:

                @sullrich:

                What version?  And what do you mean?  The page refreshes (filter logs) like every 5 minutes.

                Sorry, forgot some details :)

                Version: 1.0-PREBETA2-BUG-VALIDATION-EDITION5
                built on Wed Jan 18 01:09:49 UTC 2006

                I mean this:

                	Jan 23 23:08:20 	NG0 	192.168.1.3:1411 	xx.xx.xx.xxx:135 	TCP
                	Jan 23 23:08:20 	NG0 	84.103.166.58:32217 	xx.xx.xx.xxx:54391 	UDP
                	Jan 23 23:08:20 	NG0 	82.52.43.182:1448 	xx.xx.xx.xxx:445 	TCP
                	Jan 23 23:08:20 	NG0 	82.52.43.182:1448 	xx.xx.xx.xxx:445 	TCP
                	Jan 23 23:08:20 	NG0 	86.207.198.167:4672 	xx.xx.xx.xxx:54779 	UDP
                	Jan 23 23:08:20 	NG0 	67.127.173.144:4672 	xx.xx.xx.xxx:61222 	UDP
                	Jan 23 23:08:20 	NG0 	85.72.166.251:4672 	xx.xx.xx.xxx:54391 	UDP
                	Jan 23 23:08:20 	NG0 	81.195.5.45:4672 	xx.xx.xx.xxx:54391 	UDP
                
                

                Looks like edonkey control traffic to me.  I'm guessing you've either had some p2p software running or (based on ng0) you've acquired someone else's dynamically assigned address who was using some p2p software.  Looks innocuous to me.

                I have a p2p machine… but the problem is not that I get this traffic; the problem is that the traffic is logged only at intervals... what happens between two intervals is not logged... For example, I want to log all the connections to the RDP port (3389) and set the correct option in the firewall rule, but nothing is logged, because I can't try to connect to that port exactly at the moment that the firewall log is running...

                @billm:

                
                	Jan 23 23:08:20 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                
                

                This might be pfsync, it's a little odd though seeing that on ng0.  I'm guessing something else unknown - no idea what 192.168.100.1 is, is that on your network?

                –Bill

                192.168.100.1 is the remote router of my ISP.

                  Emab

                  @cmb:

                  @billm:

                  This might be pfsync, it's a little odd though seeing that on ng0.  I'm guessing something else unknown - no idea what 192.168.100.1 is, is that on your network?

                  My guess would be some sort of routing protocol or failover in use by the ISP that's spewing out crap to customers where it probably shouldn't be.

                  My problem is not the traffic logged… but the traffic that wasn't logged.... as I said in my previous post...

                  What can I do?
                  I haven't had this behaviour before...

                    Emab

                    For example, I activate the log option in a firewall (allow) rule, but I never get this event logged, because if the event is not generated at the moment in which the log runs, it is not logged…

                    My log reports events at intervals...

                    This happens only with the latest beta...

                    Any idea how to check and correct this problem?

                      sullrich

                      Please try http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-1-25-06/

                      Also, turn on raw logs to make sure it's not appearing there and not in the normal firewall logs screen.

                        Emab

                        @sullrich:

                        Please try http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-1-25-06/

                        Also, turn on raw logs to make sure it's not appearing there and not in the normal firewall logs screen.

                        I did the upgrade to this version…
                        ...and now no firewall log. Nothing is logged :(

                          Emab

                          Now something appears:

                          Last 100 firewall log entries
                          Act 	Time 	If 	Source 	Destination 	Proto
                          	Jan 27 00:51:52 	NG0 	198.104.137.161:48170 	xx.xx.xxx.xxx:1027 	UDP
                          	Jan 27 00:51:52 	NG0 	198.104.137.161:48170 	xx.xx.xxx.xxx:1026 	UDP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	82.54.140.92:3348 	xx.xx.xxx.xxx:139 	TCP
                          	Jan 27 00:51:52 	NG0 	82.54.140.92:2983 	xx.xx.xxx.xxx:139 	TCP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	135.94.139.51:0 	xx.xx.xxx.xxx:1025 	UDP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	41.133.149.19:0 	xx.xx.xxx.xxx:1025 	UDP
                          	Jan 27 00:51:52 	NG0 	41.133.149.19:0 	xx.xx.xxx.xxx:1026 	UDP
                          	Jan 27 00:51:52 	NG0 	202.99.172.172:43678 	xx.xx.xxx.xxx:4073 	UDP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	82.54.140.92:3286 	xx.xx.xxx.xxx:445 	TCP
                          	Jan 27 00:51:52 	NG0 	82.54.140.92:3286 	xx.xx.xxx.xxx:445 	TCP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	82.54.79.230:1561 	xx.xx.xxx.xxx:445 	TCP
                          	Jan 27 00:51:52 	NG0 	82.54.79.230:1561 	xx.xx.xxx.xxx:445 	TCP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	61.156.42.117:38680 	xx.xx.xxx.xxx:4257 	UDP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          	Jan 27 00:51:52 	NG0 	29.72.169.211:0 	xx.xx.xxx.xxx:1026 	UDP
                          	Jan 27 00:51:52 	NG0 	86.144.214.23:2814 	xx.xx.xxx.xxx:61504 	UDP
                          	Jan 27 00:51:52 	NG0 	192.168.100.1 	224.0.0.1 	IGMP
                          

                          But it is impossible that all the events happen in the same second, with no other events before and after.
                          And nothing was logged if I set a rule to log…

                            kikawala

                            I'm on the 1-25-06 snapshot and am also experiencing this issue.  Even when I set it to show raw logs and also when I log to a remote syslog server.  It seems as if the logs are being buffered and then being dumped at once with the same timestamp…

                            I've attached part of my syslog if it helps any.

                            syslog.pfsense.txt

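The symptom reported above (entries arriving in bursts that share one timestamp, with nothing in between) can be checked mechanically. The following is an added example, not code from the thread or from pfSense: it parses log rows in the column layout pasted above and reports bursts and silent gaps. The sample rows are constructed, and the year and the burst and gap thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Columns as pasted in the thread: time, interface, source, destination, protocol.
LINE_RE = re.compile(
    r"^\s*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s*$"
)

def parse(text, year=2006):
    """Parse log text into (datetime, iface, src, dst, proto) tuples.
    The log carries no year, so one is assumed; unmatched lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            entries.append((ts, m["iface"], m["src"], m["dst"], m["proto"]))
    return entries

def batching_report(entries, burst_min=5, gap_min=timedelta(minutes=1)):
    """Heuristic (thresholds are assumptions): a burst is burst_min or more
    entries sharing one second; a silent gap is two consecutive distinct
    timestamps at least gap_min apart."""
    per_second = Counter(e[0] for e in entries)
    stamps = sorted(per_second)
    bursts = {t: n for t, n in per_second.items() if n >= burst_min}
    gaps = [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a >= gap_min]
    frac = sum(bursts.values()) / len(entries) if entries else 0.0
    return {
        "entries": len(entries), "distinct_timestamps": len(stamps),
        "bursts": len(bursts), "burst_fraction": frac,
        "silent_gaps": gaps,
        # Nearly everything arrives in bursts, and nothing arrives in between.
        "looks_batched": frac >= 0.8 and (bool(gaps) or len(stamps) == 1),
    }

def _rows(stamp, n, start=1):
    # Constructed rows using documentation address ranges, not real traffic.
    return "".join(f"\t{stamp} \tNG0 \t198.51.100.{start + i}:4672 \t192.0.2.10:54391 \tUDP\n"
                   for i in range(n))

# Constructed sample shaped like the thread's paste: two bursts, nothing between.
BATCHED = (_rows("Jan 23 23:03:28", 6) + _rows("Jan 23 23:08:20", 7, start=20)
           + "\tJan 23 23:08:20 \tNG0 \t192.0.2.1 \t224.0.0.1 \tIGMP\n")
# Constructed control: one entry every 7 seconds, as a live log would show.
STEADY = "".join(_rows(f"Jan 23 23:00:{7 * m:02d}", 1, start=m + 1) for m in range(8))

if __name__ == "__main__":
    for name, text in (("batched", BATCHED), ("steady", STEADY)):
        r = batching_report(parse(text))
        print(name, r["entries"], r["distinct_timestamps"], r["looks_batched"],
              [f"{a:%H:%M:%S}-{b:%H:%M:%S}" for a, b in r["silent_gaps"]])
```

A silent gap in a firewall log is a window with no visibility into what was passed or blocked, so the same report is worth running against the remote syslog copy as well as the GUI view.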
                              jeroen234

                              You got more on the firewall tab than I get.
                              On the system tab I see that the firewall has problems.
                              Also, all the way to the right of the pfSense logo in the upper corner I see [object window].

                              This is on my system tab:
                              Jan 27 07:24:04 mpd: [pt0] link: DOWN event
                              Jan 27 07:24:04 mpd: [pt0] LCP: Down event
                              Jan 27 07:25:17 syslogd: exiting on signal 15
                              Jan 27 07:25:18 syslogd: kernel boot file is /boot/kernel/kernel
                              Jan 27 07:25:23 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:

                              config-pfsense.local-20060127073231.xml.txt
                              rules.debug.txt

                                sullrich

                                There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:

                                The above means that you have assigned an interface that is not present.

                                Re-assign your interfaces (including VLANs).

                                  Emab

                                  So… no news?

                                  I updated to version: 1.0-BETA1-TESTING-SNAPSHOT-1-28-06
                                  built on Sun Jan 29 05:44:39 UTC 2006

                                  but the firewall logs still run at intervals…

                                  Can I do some test to help you to find a solution?

                                    sullrich

                                    Yes, we are aware of some issues.

                                      Emab

                                      OK… I'll wait...

                                      Thanks!!

                                      Let me know if you need any tests...
