Strange firewall log
-
Hi, I've see that in firewall log I have some entries like this:
Pass WIFIGUEST 127.0.0.1:3128 192.168.7.152:54430 TCP:FA
Pass WIFIGUEST 192.168.5.90:80 192.168.7.152:54751 TCP:SA
Pass WIFIGUEST 192.168.7.152:54740 192.168.7.254:8000 TCP:S
Pass WIFIGUEST 173.194.x.y:443 192.168.7.152:54736 TCP:SA192.168.5.x is LAN
192.168.7.x is WIFIGUEST interfaceWhat do they means? How can I remove them?
Many thanks
-
Looks like you have a squid proxy running on your pfSense.
And it looks like traffic is not blocked between guest and LAN interface. I am not sure if that is intentional - usually it is not.
Do you want to "remove" (disallow) this traffic or do you just want to remove the log entries?
-
Traffic is blocked by two rules:
on LAN interface -> BLOCK Source ANY destination WIFIGUEST subnet
on WIFIGUEST interface -> BLOCK Source ANY destination RFC Address (alias for reserved IP class)The strange thing is that the interface is WIFIGUEST, but source is a LAN address..
Yes, I'm running squid, how can I remove (only realted pass) from firewall log?
-
Unfortunately, I have no experience with squid and how it works with regard to pf. I just noted the typical squid port.
i have no idea about the susupicious LAN->WIFIGUEST log entry. Perhaps a WebGUI access from the WIFIGUEST, which is allowed by some rule with higher precedence than the "block" rules.
If you want not to log "pass" (or "block") entries, simpy uncheck "Log packets that are handled by this rule" for the corresponding rule. Firewall rules which have logging turned on are easily recognized by having an "i" in a blue circle in front of them.
-
Rules seem correct (see the attachement)
