Zabbix firewall log - don't want these.



  • I've set up zabbix2-agent-2.0.4 pkg v0.6_3 on pfSense 2.01 and it seems that there is an auto-created firewall rule to pass the traffic and log the connections: "@19 pass out log quick on em2 proto tcp all flags any keep state (sloppy)" that logs each connection from the zabbix server. Is there any way to filter or stop the logging of these messages (on the LAN interface)? Thanks.



  • The Zabbix agent package doesn't create any firewall rules that I've ever seen. The entry you posted looks like whatever interface em2 is on your box has a pass all tcp rule with logging turned on. Can you post a screenshot of your firewall rules for that interface?


  • Rebel Alliance Developer Netgate

    There isn't anything in the zabbix agent package code capable of adding a firewall rule.

    Given the parameters on that rule it would have to be on the Floating tab



  • Part One of Two Part Reply. Images attached.


  • Part Two of Two Part Reply. Images attached.



  • Rebel Alliance Developer Netgate

    Post the full /tmp/rules.debug file.



  • SNIPped out for Privacy:
        SNIP-External-GW              WAN Gateway IP address
        SNIP-Internal-Wireless-GW    Gateway IP of internal Wireless AP
        SNIP-INT-SEC-ZABBIX-SVR      ZABBIX server on LAN network
        SNIP-ZABBIX-121-NAT          ZABBIX server 1:1 NAT IP
        SNIP-INT-Personal-PC          My PC on LAN network
        SNIP-Personal-PC-121-NAT      My PC 1:1 NAT IP
        SNIP-LAN-NET                  LAN network space
        SNIP-Wireless-NET            Wireless network space
        SNIP-IPSEC-NET                IPSEC network space
        SNIP-OpenVPN-NET              OpenVPN network space
        SNIP-LAN-2-WAN-PAT            PAT IP for internal devices (other than 1:1) (used for Dansguardian also)
        SNIP-pfSense-INTERAL-IP      IP address of pfSense LAN interface
        SNIP-SIP-RTP-GW              VoIP Gateway
        SNIP-CORP-VPN-NET            Corporate VPN network space (external)
        SNIP-EXTERNAL-NET            External (WAN) connected space
        SNIP-EXTERNAL-NET-BCAST      Broadcast address of WAN connected space

    # System aliases

    loopback = "{ lo0 }"
    WAN = "{ em0 }"
    LAN = "{ em2 }"
    IPsec = "{ enc0 }"
    OpenVPN = "{ openvpn }"

    # SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    # Snort tables
    table <snort2c>
    table <virusprot>
    # User Aliases
    table <pfblockerafrica> persist file "/var/db/aliastables/pfBlockerAfrica.txt"
    pfBlockerAfrica = "<pfblockerafrica>"
    table <pfblockerasia> persist file "/var/db/aliastables/pfBlockerAsia.txt"
    pfBlockerAsia = "<pfblockerasia>"
    table <pfblockereurope> persist file "/var/db/aliastables/pfBlockerEurope.txt"
    pfBlockerEurope = "<pfblockereurope>"
    table <pfblockernorthamerica> persist file "/var/db/aliastables/pfBlockerNorthAmerica.txt"
    pfBlockerNorthAmerica = "<pfblockernorthamerica>"
    table <pfblockeroceania> persist file "/var/db/aliastables/pfBlockerOceania.txt"
    pfBlockerOceania = "<pfblockeroceania>"
    table <pfblockersouthamerica> persist file "/var/db/aliastables/pfBlockerSouthAmerica.txt"
    pfBlockerSouthAmerica = "<pfblockersouthamerica>"
    table <pfblockerads> persist file "/var/db/aliastables/pfBlockerads.txt"
    pfBlockerads = "<pfblockerads>"
    table <pfblockerdshield> persist file "/var/db/aliastables/pfBlockerdshield.txt"
    pfBlockerdshield = "<pfblockerdshield>"
    table <pfblockerspyware> persist file "/var/db/aliastables/pfBlockerspyware.txt"
    pfBlockerspyware = "<pfblockerspyware>"
    table <pfblockerhijacked> persist file "/var/db/aliastables/pfBlockerhijacked.txt"
    pfBlockerhijacked = "<pfblockerhijacked>"
    table <pfblockermicrosoft> persist file "/var/db/aliastables/pfBlockerMicrosoft.txt"
    pfBlockerMicrosoft = "<pfblockermicrosoft>"
    table <pfblockermalc0de> persist file "/var/db/aliastables/pfBlockermalc0de.txt"
    pfBlockermalc0de = "<pfblockermalc0de>"
    table <pfblockeropenproxy> persist file "/var/db/aliastables/pfBlockeropenproxy.txt"
    pfBlockeropenproxy = "<pfblockeropenproxy>"
    table <pfblockermaliciousciarmy> persist file "/var/db/aliastables/pfBlockerMaliciousciarmy.txt"
    pfBlockerMaliciousciarmy = "<pfblockermaliciousciarmy>"
    table <snort_wan_whitelist> {  SNIP  SNIP  SNIP }
    snort_WAN_Whitelist = "<snort_wan_whitelist>"

    # Gateways

    GWWANGW = " route-to ( em0 SNIP-External-GW ) "
    GWWRT54GL = " route-to ( em2 SNIP-Internal-Wireless-GW ) "

    set loginterface em2
    set optimization normal
    set limit states 95000
    set limit src-nodes 95000

    set skip on pfsync0

    altq on  em0 hfsc bandwidth 98Mb queue {  qACK,  qDefault,  qVoIP,  qDNS,  qVPN  }
    queue qACK on em0 bandwidth 20% hfsc (  ecn  ,  realtime 20% , linkshare 20%  )
    queue qDefault on em0 bandwidth 30% hfsc (  ecn  , default  )
    queue qVoIP on em0 bandwidth 5% hfsc (  realtime 5% )
    queue qDNS on em0 bandwidth 5% hfsc (  realtime 5% , linkshare 5%  )
    queue qVPN on em0 bandwidth 20% hfsc (  realtime 20% , linkshare 20%  )

    altq on  em2 hfsc queue {  qACK,  qDefault,  qVoIP  }
    queue qACK on em2 bandwidth 20% hfsc (  realtime 20% , linkshare 20%  )
    queue qDefault on em2 bandwidth 75% hfsc (  ecn  , default  ,  realtime 1% , linkshare 75%  )
    queue qVoIP on em2 bandwidth 5% hfsc (  realtime 5% )

    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"

    binat on em0 from SNIP-INT-SEC-ZABBIX-SVR to any -> SNIP-ZABBIX-121-NAT
    binat on em0 from SNIP-INT-Personal-PC to any -> SNIP-Personal-PC-121-NAT

    # Outbound NAT rules

    nat on $WAN  from SNIP-INT-Personal-PC/32 to any -> SNIP-Personal-PC-121-NAT/32 port 1024:65535
    nat on $WAN  from SNIP-INT-SEC-ZABBIX-SVR/32 to any -> SNIP-ZABBIX-121-NAT/32  static-port
    nat on $WAN  from SNIP-LAN-NET/24 to any port 500 -> SNIP-LAN-2-WAN-PAT/32  static-port
    nat on $WAN  from SNIP-LAN-NET/24 to any -> SNIP-LAN-2-WAN-PAT/32 port 1024:65535
    nat on $WAN  from SNIP-Wireless-NET/24 to any -> SNIP-LAN-2-WAN-PAT/32 port 1024:65535
    nat on $WAN  from 127.0.0.0/8 to any -> SNIP-LAN-2-WAN-PAT/32 port 1024:65535
    nat on $WAN  from SNIP-IPSEC-NET/24 to any -> SNIP-LAN-2-WAN-PAT/32 port 1024:65535
    nat on $WAN  from SNIP-OpenVPN-NET/24 to any -> SNIP-LAN-2-WAN-PAT/32 port 1024:65535

    # Load balancing anchor

    rdr-anchor "relayd/*"

    # TFTP proxy

    rdr-anchor "tftp-proxy/*"
    table <vpn_networks> { SNIP-OpenVPN-NET/24 }
    table <negate_networks> { SNIP-EXTERNAL-NET/24 SNIP-LAN-NET/24  SNIP-OpenVPN-NET/24 }

    # NAT Inbound Redirects

    rdr on em2 proto tcp from any to any port 80 -> SNIP-pfSense-INTERAL-IP port 8080
    no nat on em2 proto tcp from (em2) to SNIP-LAN-NET/24
    nat on em2 proto tcp from SNIP-LAN-NET/24 to SNIP-pfSense-INTERAL-IP port 80 -> (em2)

    # havp proxy ifaces redirect

    rdr on lo0 proto tcp from any to (lo0) port 3125 -> lo0 port 3125

    # Setup Sipproxd proxy redirect

    rdr on em2 proto udp from any to !(em2) port 5060 -> 127.0.0.1 port 5060

    # UPnPd rdr anchor

    rdr-anchor "miniupnpd"

    anchor "relayd/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log all label "Default deny rule"
    block out log all label "Default deny rule"

    # We use the mighty pf, we cannot be fooled.

    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    # Block all IPv6

    block in quick inet6 all
    block out quick inet6 all

    # Snort package

    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    block in log quick proto carp from (self) to any
    pass quick proto carp
    pass quick proto pfsync

    # SSH lockout

    block in log quick proto tcp from <sshlockout> to any port SNIP label "sshlockout"

    # webConfigurator lockout

    block in log quick proto tcp from <webconfiguratorlockout> to any port SNIP label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    pass in log quick on { em2 } proto tcp from any to { SNIP-pfSense-INTERAL-IP } port { 8000 8001 } keep state(sloppy)
    pass out log quick on { em2 } proto tcp from any to any flags any keep state(sloppy)
    table <bogons> persist file "/etc/bogons"

    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt

    block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
    antispoof for em0

    # block anything from private networks on interfaces with the option set

    antispoof for $WAN
    block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    antispoof for em2

    # allow access to DHCP server on LAN

    pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in quick on $LAN proto udp from any port = 68 to SNIP-pfSense-INTERAL-IP port = 67 label "allow access to DHCP server"
    pass out quick on $LAN proto udp from SNIP-pfSense-INTERAL-IP port = 67 to any port = 68 label "allow access to DHCP server"

    # loopback

    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"

    # let out anything from the firewall host itself and decrypted IPsec traffic

    pass out all keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( em0 SNIP-External-GW ) from SNIP-LAN-2-WAN-PAT to !SNIP-EXTERNAL-NET/24 keep state allow-opts label "let out anything from firewall host itself"
    pass out on $IPsec all keep state label "IPsec internal host to host"

    # make sure the user cannot lock himself out of the webConfigurator or SSH

    pass in quick on em2 proto tcp from any to (em2) port { SNIP SNIP  SNIP } keep state label "anti-lockout rule"

    # User-defined rules follow

    anchor "userrules/*"
    match  quick  on {  em0  }  proto { tcp udp }  from any to  SNIP-SIP-RTP-GW  queue (qVoIP,qACK)  label "USER_RULE: SIP"
    match  on {  em0  }  proto { tcp udp }  from any to any port 53  queue (qDNS,qACK)  label "USER_RULE: DNS"
    match  quick  on {  em0  }  from any to  SNIP-CORP-VPN-NET/24  queue (qVPN,qACK)  label "USER_RULE: VPN"
    pass  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto udp  from  SNIP-SIP-RTP-GW to SNIP-LAN-2-WAN-PAT keep state  label "USER_RULE: All SIP and RTP from Acme"
    block  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto { tcp udp }  from  SNIP-EXTERNAL-NET/24 to  SNIP-EXTERNAL-NET-BCAST  label "USER_RULE: Don't log to broadcast address from own subnet"
    block  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto { tcp udp }  from  SNIP-EXTERNAL-NET/24 to  255.255.255.255  label "USER_RULE: Don't log to broadcast address from own subnet"
    block  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto udp  from any to  239.255.255.250 port 1900  label "USER_RULE: Don't log SSDP broadcasts"
    pass  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto tcp  from any to SNIP-LAN-2-WAN-PAT port SNIP  flags S/SA keep state  label "USER_RULE: ssh to firewall"
    pass  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto tcp  from any to  SNIP-INT-Personal-PC port 22  flags S/SA keep state  label "USER_RULE: ssh to PC"
    pass  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto tcp  from any to  SNIP-INT-SEC-ZABBIX-SVR port 22  flags S/SA keep state  label "USER_RULE: ssh to SEC"
    pass  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto tcp  from any to  SNIP-INT-SEC-ZABBIX-SVR port 10049 >< 10052  flags S/SA keep state  label "USER_RULE: zabbix to SEC"
    pass  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto udp  from any to SNIP-LAN-2-WAN-PAT port 1194  keep state  label "USER_RULE: OpenVPN CJ Work OpenVPN wizard"
    pass  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto { tcp udp }  from any to SNIP-LAN-2-WAN-PAT port 500  keep state  label "USER_RULE"
    block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerAfrica to any  label "USER_RULE"
    block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerAsia to any  label "USER_RULE"
    block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerEurope to any  label "USER_RULE"
    block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerNorthAmerica to any  label "USER_RULE"
    block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerOceania to any  label "USER_RULE"
    block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerSouthAmerica to any  label "USER_RULE"
    block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerads to any  label "USER_RULE"
    block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerdshield to any  label "USER_RULE"
    block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerhijacked to any  label "USER_RULE"
    block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockermalc0de to any  label "USER_RULE"
    block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockeropenproxy to any  label "USER_RULE"
    block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerMaliciousciarmy to any  label "USER_RULE"
    block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerspyware to any  label "USER_RULE"
    pass  in  quick  on $LAN  from  SNIP-Wireless-NET/24 to  SNIP-pfSense-INTERAL-IP keep state  label "USER_RULE: Wireless to Gateway OK"
    block return  in log  quick  on $LAN  from  SNIP-Wireless-NET/24 to  SNIP-LAN-NET/24  label "USER_RULE: Wireless to Work LAN not OK"
    pass  in  quick  on $LAN  proto tcp  from any to any port 43  flags S/SA keep state  label "USER_RULE: WHOIS Anywhere"
    pass  in  quick  on $LAN  proto tcp  from any to any port 873  flags S/SA keep state  label "USER_RULE: rsync Anywhere"
    pass  in  quick  on $LAN  proto { tcp udp }  from any to  91.198.117.0/24 keep state  label "USER_RULE: Secunia"
    pass  in  quick  on $LAN  proto tcp  from any to  83.145.197.2 port 443  flags S/SA keep state  label "USER_RULE: myWOT"
    pass  in  quick  on $LAN  proto { tcp udp }  from any to  91.190.218.0/24 keep state  label "USER_RULE: Skype"
    pass  in  quick  on $LAN  from any to  80.237.253.182 keep state  label "USER_RULE: Cloudfogger"
    block return  in log  quick  on $LAN  from any to  $pfBlockerAfrica  label "USER_RULE"
    block return  in log  quick  on $LAN  from any to  $pfBlockerAsia  label "USER_RULE"
    block return  in log  quick  on $LAN  from any to  $pfBlockerEurope  label "USER_RULE"
    block return  in log  quick  on $LAN  from any to  $pfBlockerOceania  label "USER_RULE"
    block return  in log  quick  on $LAN  from any to  $pfBlockerSouthAmerica  label "USER_RULE"
    block return  in log  quick  on $LAN  from any to  $pfBlockerads  label "USER_RULE"
    block return  in log  quick  on $LAN  from any to  $pfBlockerdshield  label "USER_RULE"
    block return  in log  quick  on $LAN  from any to  $pfBlockerhijacked  label "USER_RULE"
    block return  in log  quick  on $LAN  from any to  $pfBlockermalc0de  label "USER_RULE"
    block return  in log  quick  on $LAN  from any to  $pfBlockerspyware  label "USER_RULE"
    block return  in log  quick  on $LAN  from any to  $pfBlockerMaliciousciarmy  label "USER_RULE"
    pass  in  quick  on $LAN  proto tcp  from any to  SNIP-pfSense-INTERAL-IP port 8080  label "USER_RULE: NAT Dansguardian"
    pass  in  quick  on $LAN  proto tcp  from any to  SNIP-pfSense-INTERAL-IP port 8080  label "USER_RULE: NAT Dansguardian HTTPS"
    pass  in  quick  on $LAN  from SNIP-LAN-NET/24 to any keep state  queue (qDefault,qACK)  label "USER_RULE: Default allow LAN to any rule"
    pass  in  quick  on $LAN  from  SNIP-Wireless-NET/24 to any keep state  queue (qDefault,qACK)  label "USER_RULE: Default allow Wireless to any rule"
    pass  in  quick  on $IPsec  from any to any keep state  label "USER_RULE"
    pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN CJ Work OpenVPN wizard"

    # VPN Rules

    pass out on $WAN  route-to ( em0 SNIP-External-GW )  proto udp from any to  any  port = 500 keep state label "IPsec: IPSECPHASE1 - outbound isakmp"
    pass in on $WAN  reply-to ( em0 SNIP-External-GW )  proto udp from  any  to any port = 500 keep state label "IPsec: IPSECPHASE1 - inbound isakmp"
    pass out on $WAN  route-to ( em0 SNIP-External-GW )  proto udp from any to  any  port = 4500 keep state label "IPsec: IPSECPHASE1 - outbound nat-t"
    pass in on $WAN  reply-to ( em0 SNIP-External-GW )  proto udp from  any  to any port = 4500 keep state label "IPsec: IPSECPHASE1 - inbound nat-t"
    pass out on $WAN  route-to ( em0 SNIP-External-GW )  proto esp from any to  any  keep state label "IPsec: IPSECPHASE1 - outbound esp proto"
    pass in on $WAN  reply-to ( em0 SNIP-External-GW )  proto esp from  any  to any keep state label "IPsec: IPSECPHASE1 - inbound esp proto"
    anchor "tftp-proxy/*"

    # havp proxy ifaces rules

    # allow SIP signaling and RTP traffic

    pass in on em2 proto udp from any to any port = 5060
    pass in on em2 proto udp from any to any port 10000:19999


  • Rebel Alliance Developer Netgate

    Those firewall lines appear to be related to the captive portal, but I don't see in the source where it's set to log those lines on 2.1.

    On 2.0.x it may have been tied to the default deny rule logging.

    You can always edit /etc/inc/filter.inc, find those lines (search for sloppy; it's the 5th or 6th hit or so) and remove "{$log}" from the lines.
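Before editing filter.inc it helps to know exactly which generated rules carry the `log` keyword on the interface in question, since the log line quotes only the `@N` rule number. The script below is an added example (not part of this thread and not pfSense's own tooling): it reads rules.debug-style text and lists the filter rules that log on the named interfaces. The interface names `em2` and `$LAN` are the thread's; the ruleset it is run against is a constructed sample with documentation-range addresses. It assumes that a rule with no `on` clause applies to every interface, and it stops scanning at `label` so that words such as "Don't log SSDP broadcasts" inside a label do not count as the `log` keyword.

```shell
#!/bin/sh
# Added example: audit which pf filter rules carry the "log" keyword on a
# given interface. Input is rules.debug / "pfctl -sr" style text on stdin.

# logging_rules [iface ...] < ruleset
# Prints every pass/block/match rule that logs and applies to one of the
# named interfaces (real names such as em2 or pfSense macros such as $LAN).
# Rules without an "on" clause apply everywhere and are always listed.
# With no argument every logging rule is printed. The first column is the
# rule's position among the filter rules in the input (file order only,
# not pf's own @N numbering).
logging_rules() {
    awk -v want="$*" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments and blank lines
    $1 == "pass" || $1 == "block" || $1 == "match" {
        rule++
        has_log = 0; n_if = 0
        for (i = 2; i <= NF; i++) {
            t = $i
            if (t == "label") break                 # label text is free-form
            if (t == "log") has_log = 1
            if (t == "on") {
                i++
                if ($i == "{") {                    # list form: on { em2 em0 }
                    for (i++; i <= NF && $i != "}"; i++) ifs[++n_if] = $i
                } else {
                    ifs[++n_if] = $i                # single form: on em2 / on $LAN
                }
            }
        }
        if (!has_log) next
        if (want != "" && n_if > 0) {
            hit = 0
            for (k = 1; k <= n_if; k++) if (ifs[k] in ok) hit = 1
            if (!hit) next
        }
        printf "%d\t%s\n", rule, $0
    }'
}

# Constructed sample in the style of a pfSense 2.0 rules.debug. Addresses are
# documentation-range placeholders, not the poster's real ruleset.
sample_rules() {
    cat <<'EOF'
# default deny rules
block in log all label "Default deny rule"
block out log all label "Default deny rule"
pass in log quick on { em2 } proto tcp from any to 192.0.2.1 port { 8000 8001 } keep state(sloppy)
pass out log quick on { em2 } proto tcp from any to any flags any keep state(sloppy)
block in quick on $WAN proto udp from any to 239.255.255.250 port 1900 label "USER_RULE: Don't log SSDP broadcasts"
pass in log quick on $WAN proto tcp from any to 192.0.2.1 port 22 flags S/SA keep state label "USER_RULE: ssh to firewall"
pass in quick on $LAN from 192.0.2.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
EOF
}

# count_logging_rules [iface ...]: number of logging rules in the sample
# that apply to the given interfaces.
count_logging_rules() {
    sample_rules | logging_rules "$@" | wc -l | tr -d ' '
}

# Stand-alone use: list what logs on the LAN side of the sample.
sample_rules | logging_rules em2 '$LAN'
```

On a live box the same function can be fed with `pfctl -sr` output or the contents of /tmp/rules.debug; `pfctl -vvsr` additionally prints the `@N` numbers that the firewall log quotes, which is the quickest way to tie a log line back to a rule.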



  • That did it!  Thank you so much.

