Netgate Discussion Forum
    Strange firewall log

    Firewalling

Gabri.91

Hi, I've seen that in the firewall log I have some entries like this:
      Pass WIFIGUEST   127.0.0.1:3128   192.168.7.152:54430 TCP:FA
      Pass WIFIGUEST   192.168.5.90:80   192.168.7.152:54751 TCP:SA
      Pass WIFIGUEST   192.168.7.152:54740   192.168.7.254:8000 TCP:S
      Pass WIFIGUEST   173.194.x.y:443   192.168.7.152:54736 TCP:SA

      192.168.5.x is LAN
      192.168.7.x is WIFIGUEST interface

What do they mean? How can I remove them?

      Many thanks


Klaws

        Looks like you have a squid proxy running on your pfSense.

        And it looks like traffic is not blocked between guest and LAN interface. I am not sure if that is intentional - usually it is not.

        Do you want to "remove" (disallow) this traffic or do you just want to remove the log entries?


Gabri.91

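As an added illustration of the two points above (not code from the thread, from pfSense or from squid), the following script parses the four GUI-style log lines from the first post and annotates each one: it decodes the pf flag letters in the TCP column to say which side of the connection sent the packet (a lone S is a client opening a connection, SA is the server's reply, FA is teardown), maps each address to the segment the poster named, spots the 127.0.0.1:3128 source as the firewall's own squid listener, and marks entries that cross the LAN/WIFIGUEST boundary. The /24 masks, the `173.194.x.y` handling and the segment names are assumptions taken from the post; the sample log is a constructed copy of the posted lines.

```python
"""Annotate pfSense GUI-style firewall log lines (Action Interface Src Dst Proto:Flags)."""
import ipaddress
from dataclasses import dataclass

# Segments as stated in the thread; the /24 masks are an assumption
# (the post only says 192.168.5.x is LAN and 192.168.7.x is WIFIGUEST).
SEGMENTS = {
    "LAN": ipaddress.ip_network("192.168.5.0/24"),
    "WIFIGUEST": ipaddress.ip_network("192.168.7.0/24"),
}
SQUID_PORT = 3128  # squid's default listener, the port Klaws recognised

# pf flag letters as they appear in pfSense's "TCP:xx" column
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

# Constructed copy of the four lines from the first post (the external
# address is left redacted exactly as the poster wrote it).
SAMPLE_LOG = """\
Pass WIFIGUEST   127.0.0.1:3128   192.168.7.152:54430 TCP:FA
Pass WIFIGUEST   192.168.5.90:80   192.168.7.152:54751 TCP:SA
Pass WIFIGUEST   192.168.7.152:54740   192.168.7.254:8000 TCP:S
Pass WIFIGUEST   173.194.x.y:443   192.168.7.152:54736 TCP:SA
"""


@dataclass
class Entry:
    action: str
    interface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    flags: str  # empty for protocols without a flags suffix


def split_endpoint(token: str):
    """'192.168.5.90:80' -> ('192.168.5.90', 80); rpartition keeps IPv6 colons intact."""
    host, _, port = token.rpartition(":")
    return host, int(port)


def parse_line(line: str) -> Entry:
    action, iface, src, dst, proto_field = line.split()
    proto, _, flags = proto_field.partition(":")
    sip, sport = split_endpoint(src)
    dip, dport = split_endpoint(dst)
    return Entry(action, iface, sip, sport, dip, dport, proto, flags)


def segment(ip: str) -> str:
    """Name the segment an address belongs to; unparsable (redacted) addresses count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "external"
    if addr.is_loopback:
        return "firewall"  # 127.0.0.1 is pfSense itself, e.g. a local proxy
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def flag_names(flags: str) -> str:
    return "+".join(FLAG_NAMES.get(f, f) for f in flags)


def direction(flags: str) -> str:
    """What the TCP flags say about who sent this packet."""
    if not flags:
        return "no TCP flags (not a TCP packet)"
    if flags == "S":
        return "client opening a connection"
    if flags == "SA":
        return "server answering a connection (reply direction)"
    if "F" in flags or "R" in flags:
        return "connection teardown"
    return "mid-stream packet"


def cross_segment(e: Entry) -> bool:
    """True when source and destination sit in two different named internal segments."""
    s, d = segment(e.src_ip), segment(e.dst_ip)
    return s in SEGMENTS and d in SEGMENTS and s != d


def explain(e: Entry) -> list:
    notes = [f"{e.proto}:{e.flags} = {flag_names(e.flags)}: {direction(e.flags)}"]
    if segment(e.src_ip) == "firewall" and e.src_port == SQUID_PORT:
        notes.append("source is the firewall's own squid listener (tcp/3128)")
    if cross_segment(e):
        notes.append(f"crosses {segment(e.src_ip)} -> {segment(e.dst_ip)}; compare with the block rules")
    return notes


def analyse(text: str) -> list:
    return [(e, explain(e)) for e in (parse_line(l) for l in text.splitlines() if l.strip())]


if __name__ == "__main__":
    for entry, notes in analyse(SAMPLE_LOG):
        print(f"{entry.interface} {entry.src_ip}:{entry.src_port} -> {entry.dst_ip}:{entry.dst_port}")
        for n in notes:
            print("   ", n)
```

Run against the real log export, the `cross_segment` annotation is the one to look at first: an SA packet with a LAN source logged on WIFIGUEST is the server half of a conversation a guest client started, so the rule that let the guest's SYN through is the one to inspect, not the reply.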
          Traffic is blocked by two rules:
          on LAN interface -> BLOCK Source ANY destination WIFIGUEST subnet
          on WIFIGUEST interface -> BLOCK Source ANY destination RFC Address (alias for reserved IP class)

The strange thing is that the interface is WIFIGUEST, but the source is a LAN address.

Yes, I'm running squid. How can I remove (only the related pass entries) from the firewall log?


Klaws

            Unfortunately, I have no experience with squid and how it works with regard to pf. I just noted the typical squid port.

I have no idea about the suspicious LAN->WIFIGUEST log entry. Perhaps a WebGUI access from the WIFIGUEST, which is allowed by some rule with higher precedence than the "block" rules.

If you do not want to log "pass" (or "block") entries, simply uncheck "Log packets that are handled by this rule" for the corresponding rule. Firewall rules which have logging turned on are easily recognized by having an "i" in a blue circle in front of them.


Gabri.91

Rules seem correct (see the attachment).

[attachment: Rules.PNG]

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.