Strange firewall log



  • Hi, I've seen that in the firewall log I have some entries like this:
    Pass WIFIGUEST   127.0.0.1:3128   192.168.7.152:54430 TCP:FA
    Pass WIFIGUEST   192.168.5.90:80   192.168.7.152:54751 TCP:SA
    Pass WIFIGUEST   192.168.7.152:54740   192.168.7.254:8000 TCP:S
    Pass WIFIGUEST   173.194.x.y:443   192.168.7.152:54736 TCP:SA

    192.168.5.x is LAN
    192.168.7.x is WIFIGUEST interface

    What do they mean? How can I remove them?

    Many thanks



  • Looks like you have a squid proxy running on your pfSense.

    And it looks like traffic is not blocked between guest and LAN interface. I am not sure if that is intentional - usually it is not.

    Do you want to "remove" (disallow) this traffic or do you just want to remove the log entries?



  • Traffic is blocked by two rules:
    on LAN interface -> BLOCK Source ANY destination WIFIGUEST subnet
    on WIFIGUEST interface -> BLOCK Source ANY destination RFC Address (alias for reserved IP class)

    The strange thing is that the interface is WIFIGUEST, but the source is a LAN address.

    Yes, I'm running squid. How can I remove them (only the related pass entries) from the firewall log?



  • Unfortunately, I have no experience with squid and how it works with regard to pf. I just noted the typical squid port.

    I have no idea about the suspicious LAN->WIFIGUEST log entry. Perhaps a WebGUI access from the WIFIGUEST, which is allowed by some rule with higher precedence than the "block" rules.

    If you do not want to log "pass" (or "block") entries, simply uncheck "Log packets that are handled by this rule" for the corresponding rule. Firewall rules which have logging turned on are easily recognized by having an "i" in a blue circle in front of them.



  • Rules seem correct (see the attachment)
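
As an added example (not code from any poster in this thread): a short Python parser for the log lines in the first post that decodes the TCP flags and names the subnet on each side, so packets that open a connection can be told apart from replies. The /24 masks and the names `zone`, `parse` and `summarize` are assumptions made for the example.

```python
import ipaddress

# Subnets named in the first post; the /24 masks are an assumption.
SUBNETS = {
    "LAN": ipaddress.ip_network("192.168.5.0/24"),
    "WIFIGUEST": ipaddress.ip_network("192.168.7.0/24"),
}
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH"}

# Log lines as posted in the thread (one address is masked in the post).
SAMPLE = """\
Pass WIFIGUEST   127.0.0.1:3128   192.168.7.152:54430 TCP:FA
Pass WIFIGUEST   192.168.5.90:80   192.168.7.152:54751 TCP:SA
Pass WIFIGUEST   192.168.7.152:54740   192.168.7.254:8000 TCP:S
Pass WIFIGUEST   173.194.x.y:443   192.168.7.152:54736 TCP:SA
"""

def zone(host):
    """Name the subnet a host belongs to, tolerating masked addresses."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unparsed"  # e.g. the masked 173.194.x.y entry
    if addr.is_loopback:
        return "loopback"  # a process on the firewall itself
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "other"

def parse(line):
    """Split one log line and classify it by its TCP flags."""
    action, iface, src, dst, proto = line.split()
    src_host, src_port = src.rsplit(":", 1)
    dst_host, dst_port = dst.rsplit(":", 1)
    flags = [FLAG_NAMES.get(f, f) for f in proto.partition(":")[2]]
    if flags == ["SYN"]:
        role = "opens connection"      # first packet of a handshake
    elif "SYN" in flags and "ACK" in flags:
        role = "handshake reply"       # answer to an earlier SYN
    else:
        role = "existing connection"   # e.g. FIN+ACK teardown
    return {"action": action, "iface": iface, "flags": flags, "role": role,
            "src_zone": zone(src_host), "src_port": int(src_port),
            "dst_zone": zone(dst_host), "dst_port": int(dst_port)}

def summarize(text):
    return [parse(line) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry)
```

Only the third line is a lone SYN from the guest client; the other three carry ACK and travel toward 192.168.7.152, which is why their source address lies outside the WIFIGUEST subnet.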


