Netgate Discussion Forum

    Zabbix firewall log - don't want these.

    pfSense Packages

    • cejennings

      I've set up zabbix2-agent-2.0.4 pkg v0.6_3 on pfSense 2.01 and it seems that there is an auto-created firewall rule to pass the traffic and log the connections: "@19 pass out log quick on em2 proto tcp all flags any keep state (sloppy)" that logs each connection from the zabbix server.  Is there any way to filter or stop the logging of these messages (on LAN interface)?  Thanks.

      • DigitalDeviant

        The Zabbix agent package doesn't create any firewall rules that I've ever seen. The entry you posted looks like whatever interface em2 is on your box has a pass all tcp rule with logging turned on. Can you post a screenshot of your firewall rules for that interface?

        • jimp Rebel Alliance Developer Netgate

          There isn't anything in the zabbix agent package code capable of adding a firewall rule.

          Given the parameters on that rule it would have to be on the Floating tab.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • cejennings

            Part One of Two Part Reply.  Images attached.

            fw-log.png
            interfaces.png
            FW-Rules-Floating.png
            FW-Rules-IPSEC.png
            FW-Rules-LAN-1.png
            FW-Rules-LAN-2.png

            • cejennings

              Part Two of Two Part Reply.  Images attached.

              FW-Rules-OpenVPN.png
              FW-Rules-WAN-1.png
              FW-Rules-WAN-2.png
              NAT-PF.png
              NAT-121.png
              NAT-OB.png

              • jimp Rebel Alliance Developer Netgate

                Post the full /tmp/rules.debug file.

                • cejennings

                  SNIPped out for Privacy:
                      SNIP-External-GW              WAN Gateway IP address
                      SNIP-Internal-Wireless-GW    Gateway IP of internal Wireless AP
                      SNIP-INT-SEC-ZABBIX-SVR      ZABBIX server on LAN network
                      SNIP-ZABBIX-121-NAT          ZABBIX server 1:1 NAT IP
                      SNIP-INT-Personal-PC          My PC on LAN network
                      SNIP-Personal-PC-121-NAT      My PC 1:1 NAT IP
                      SNIP-LAN-NET                  LAN network space
                      SNIP-Wireless-NET            Wireless network space
                      SNIP-IPSEC-NET                IPSEC network space
                      SNIP-OpenVPN-NET              OpenVPN network space
                      SNIP-LAN-2-WAN-PAT            PAT IP for internal devices (other than 1:1) (used for Dansguardian also)
                      SNIP-pfSense-INTERAL-IP      IP address of pfSense LAN interface
                      SNIP-SIP-RTP-GW              VoIP Gateway
                      SNIP-CORP-VPN-NET            Corporate VPN network space (external)
                      SNIP-EXTERNAL-NET            External (WAN) connected space
                      SNIP-EXTERNAL-NET-BCAST      Broadcast address of WAN connected space

                  #System aliases

                  loopback = "{ lo0 }"
                  WAN = "{ em0 }"
                  LAN = "{ em2 }"
                  IPsec = "{ enc0 }"
                  OpenVPN = "{ openvpn }"

                  #SSH Lockout Table
                  table <sshlockout> persist
                  table <webconfiguratorlockout> persist
                  #Snort tables
                  table <snort2c>
                  table <virusprot>
                  # User Aliases
                  table <pfblockerafrica> persist file "/var/db/aliastables/pfBlockerAfrica.txt"
                  pfBlockerAfrica = "<pfblockerafrica>"
                  table <pfblockerasia> persist file "/var/db/aliastables/pfBlockerAsia.txt"
                  pfBlockerAsia = "<pfblockerasia>"
                  table <pfblockereurope> persist file "/var/db/aliastables/pfBlockerEurope.txt"
                  pfBlockerEurope = "<pfblockereurope>"
                  table <pfblockernorthamerica> persist file "/var/db/aliastables/pfBlockerNorthAmerica.txt"
                  pfBlockerNorthAmerica = "<pfblockernorthamerica>"
                  table <pfblockeroceania> persist file "/var/db/aliastables/pfBlockerOceania.txt"
                  pfBlockerOceania = "<pfblockeroceania>"
                  table <pfblockersouthamerica> persist file "/var/db/aliastables/pfBlockerSouthAmerica.txt"
                  pfBlockerSouthAmerica = "<pfblockersouthamerica>"
                  table <pfblockerads> persist file "/var/db/aliastables/pfBlockerads.txt"
                  pfBlockerads = "<pfblockerads>"
                  table <pfblockerdshield> persist file "/var/db/aliastables/pfBlockerdshield.txt"
                  pfBlockerdshield = "<pfblockerdshield>"
                  table <pfblockerspyware> persist file "/var/db/aliastables/pfBlockerspyware.txt"
                  pfBlockerspyware = "<pfblockerspyware>"
                  table <pfblockerhijacked> persist file "/var/db/aliastables/pfBlockerhijacked.txt"
                  pfBlockerhijacked = "<pfblockerhijacked>"
                  table <pfblockermicrosoft> persist file "/var/db/aliastables/pfBlockerMicrosoft.txt"
                  pfBlockerMicrosoft = "<pfblockermicrosoft>"
                  table <pfblockermalc0de> persist file "/var/db/aliastables/pfBlockermalc0de.txt"
                  pfBlockermalc0de = "<pfblockermalc0de>"
                  table <pfblockeropenproxy> persist file "/var/db/aliastables/pfBlockeropenproxy.txt"
                  pfBlockeropenproxy = "<pfblockeropenproxy>"
                  table <pfblockermaliciousciarmy> persist file "/var/db/aliastables/pfBlockerMaliciousciarmy.txt"
                  pfBlockerMaliciousciarmy = "<pfblockermaliciousciarmy>"
                  table <snort_wan_whitelist> {  SNIP  SNIP  SNIP }
                  snort_WAN_Whitelist = "<snort_wan_whitelist>"

                  # Gateways

                  GWWANGW = " route-to ( em0 SNIP-External-GW ) "
                  GWWRT54GL = " route-to ( em2 SNIP-Internal-Wireless-GW ) "

                  set loginterface em2
                  set optimization normal
                  set limit states 95000
                  set limit src-nodes 95000

                  set skip on pfsync0

                  altq on  em0 hfsc bandwidth 98Mb queue {  qACK,  qDefault,  qVoIP,  qDNS,  qVPN  }
                  queue qACK on em0 bandwidth 20% hfsc (  ecn  ,  realtime 20% , linkshare 20%  ) 
                  queue qDefault on em0 bandwidth 30% hfsc (  ecn  , default  ) 
                  queue qVoIP on em0 bandwidth 5% hfsc (  realtime 5% ) 
                  queue qDNS on em0 bandwidth 5% hfsc (  realtime 5% , linkshare 5%  ) 
                  queue qVPN on em0 bandwidth 20% hfsc (  realtime 20% , linkshare 20%  )

                  altq on  em2 hfsc queue {  qACK,  qDefault,  qVoIP  }
                  queue qACK on em2 bandwidth 20% hfsc (  realtime 20% , linkshare 20%  ) 
                  queue qDefault on em2 bandwidth 75% hfsc (  ecn  , default  ,  realtime 1% , linkshare 75%  ) 
                  queue qVoIP on em2 bandwidth 5% hfsc (  realtime 5% )

                  no nat proto carp
                  no rdr proto carp
                  nat-anchor "natearly/"
                  nat-anchor "natrules/"

                  binat on em0 from SNIP-INT-SEC-ZABBIX-SVR to any -> SNIP-ZABBIX-121-NAT
                  binat on em0 from SNIP-INT-Personal-PC to any -> SNIP-Personal-PC-121-NAT

                  # Outbound NAT rules

                  nat on $WAN  from SNIP-INT-Personal-PC/32 to any -> SNIP-Personal-PC-121-NAT/32 port 1024:65535 
                  nat on $WAN  from SNIP-INT-SEC-ZABBIX-SVR/32 to any -> SNIP-ZABBIX-121-NAT/32  static-port
                  nat on $WAN  from SNIP-LAN-NET/24 to any port 500 -> SNIP-LAN-2-WAN-PAT/32  static-port
                  nat on $WAN  from SNIP-LAN-NET/24 to any -> SNIP-LAN-2-WAN-PAT/32 port 1024:65535 
                  nat on $WAN  from SNIP-Wireless-NET/24 to any -> SNIP-LAN-2-WAN-PAT/32 port 1024:65535 
                  nat on $WAN  from 127.0.0.0/8 to any -> SNIP-LAN-2-WAN-PAT/32 port 1024:65535 
                  nat on $WAN  from SNIP-IPSEC-NET/24 to any -> SNIP-LAN-2-WAN-PAT/32 port 1024:65535 
                  nat on $WAN  from SNIP-OpenVPN-NET/24 to any -> SNIP-LAN-2-WAN-PAT/32 port 1024:65535

                  # Load balancing anchor

                  rdr-anchor "relayd/*"

                  # TFTP proxy

                  rdr-anchor "tftp-proxy/*"
                  table <vpn_networks> { SNIP-OpenVPN-NET/24 }
                  table <negate_networks> { SNIP-EXTERNAL-NET/24 SNIP-LAN-NET/24  SNIP-OpenVPN-NET/24 }

                  # NAT Inbound Redirects

                  rdr on em2 proto tcp from any to any port 80 -> SNIP-pfSense-INTERAL-IP port 8080
                  no nat on em2 proto tcp from (em2) to SNIP-LAN-NET/24
                  nat on em2 proto tcp from SNIP-LAN-NET/24 to SNIP-pfSense-INTERAL-IP port 80 -> (em2)

                  # havp proxy ifaces redirect

                  rdr on lo0 proto tcp from any to (lo0) port 3125 -> lo0 port 3125

                  # Setup Sipproxd proxy redirect

                  rdr on em2 proto udp from any to !(em2) port 5060 -> 127.0.0.1 port 5060

                  # UPnPd rdr anchor

                  rdr-anchor "miniupnpd"

                  anchor "relayd/*"
                  #---------------------------------------------------------------------------

                  # default deny rules

                  #---------------------------------------------------------------------------
                  block in log all label "Default deny rule"
                  block out log all label "Default deny rule"

                  # We use the mighty pf, we cannot be fooled.

                  block quick proto { tcp, udp } from any port = 0 to any
                  block quick proto { tcp, udp } from any to any port = 0

                  # Block all IPv6

                  block in quick inet6 all
                  block out quick inet6 all

                  # Snort package

                  block quick from <snort2c> to any label "Block snort2c hosts"
                  block quick from any to <snort2c> label "Block snort2c hosts"
                  block in log quick proto carp from (self) to any
                  pass quick proto carp
                  pass quick proto pfsync

                  # SSH lockout

                  block in log quick proto tcp from <sshlockout> to any port SNIP label "sshlockout"

                  # webConfigurator lockout

                  block in log quick proto tcp from <webconfiguratorlockout> to any port SNIP label "webConfiguratorlockout"
                  block in quick from <virusprot> to any label "virusprot overload table"
                  pass in log quick on { em2 } proto tcp from any to { SNIP-pfSense-INTERAL-IP } port { 8000 8001 } keep state(sloppy)
                  pass out log quick on { em2 } proto tcp from any to any flags any keep state(sloppy)
                  table <bogons> persist file "/etc/bogons"

                  # block bogon networks

                  # http://www.cymru.com/Documents/bogon-bn-nonagg.txt

                  block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
                  antispoof for em0

                  # block anything from private networks on interfaces with the option set

                  antispoof for $WAN
                  block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
                  block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
                  block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
                  block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
                  antispoof for em2

                  # allow access to DHCP server on LAN

                  pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
                  pass in quick on $LAN proto udp from any port = 68 to SNIP-pfSense-INTERAL-IP port = 67 label "allow access to DHCP server"
                  pass out quick on $LAN proto udp from SNIP-pfSense-INTERAL-IP port = 67 to any port = 68 label "allow access to DHCP server"

                  # loopback

                  pass in on $loopback all label "pass loopback"
                  pass out on $loopback all label "pass loopback"

                  # let out anything from the firewall host itself and decrypted IPsec traffic

                  pass out all keep state allow-opts label "let out anything from firewall host itself"
                  pass out route-to ( em0 SNIP-External-GW ) from SNIP-LAN-2-WAN-PAT to !SNIP-EXTERNAL-NET/24 keep state allow-opts label "let out anything from firewall host itself"
                  pass out on $IPsec all keep state label "IPsec internal host to host"

                  # make sure the user cannot lock himself out of the webConfigurator or SSH

                  pass in quick on em2 proto tcp from any to (em2) port { SNIP SNIP  SNIP } keep state label "anti-lockout rule"

                  # User-defined rules follow

                  anchor "userrules/*"
                  match  quick  on {  em0  }  proto { tcp udp }  from any to  SNIP-SIP-RTP-GW  queue (qVoIP,qACK)  label "USER_RULE: SIP"
                  match  on {  em0  }  proto { tcp udp }  from any to any port 53  queue (qDNS,qACK)  label "USER_RULE: DNS"
                  match  quick  on {  em0  }  from any to  SNIP-CORP-VPN-NET/24  queue (qVPN,qACK)  label "USER_RULE: VPN"
                  pass  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto udp  from  SNIP-SIP-RTP-GW to SNIP-LAN-2-WAN-PAT keep state  label "USER_RULE: All SIP and RTP from Acme"
                  block  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto { tcp udp }  from  SNIP-EXTERNAL-NET/24 to  SNIP-EXTERNAL-NET-BCAST  label "USER_RULE: Don't log to broadcast address from own subnet"
                  block  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto { tcp udp }  from  SNIP-EXTERNAL-NET/24 to  255.255.255.255  label "USER_RULE: Don't log to broadcast address from own subnet"
                  block  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto udp  from any to  239.255.255.250 port 1900  label "USER_RULE: Don't log SSDP broadcasts"
                  pass  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto tcp  from any to SNIP-LAN-2-WAN-PAT port SNIP  flags S/SA keep state  label "USER_RULE: ssh to firewall"
                  pass  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto tcp  from any to  SNIP-INT-Personal-PC port 22  flags S/SA keep state  label "USER_RULE: ssh to PC"
                  pass  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto tcp  from any to  SNIP-INT-SEC-ZABBIX-SVR port 22  flags S/SA keep state  label "USER_RULE: ssh to SEC"
                  pass  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto tcp  from any to  SNIP-INT-SEC-ZABBIX-SVR port 10049 >< 10052  flags S/SA keep state  label "USER_RULE: zabbix to SEC"
                  pass  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto udp  from any to SNIP-LAN-2-WAN-PAT port 1194  keep state  label "USER_RULE: OpenVPN CJ Work OpenVPN wizard"
                  pass  in  quick  on $WAN reply-to ( em0 SNIP-External-GW )  proto { tcp udp }  from any to SNIP-LAN-2-WAN-PAT port 500  keep state  label "USER_RULE"
                  block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerAfrica to any  label "USER_RULE"
                  block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerAsia to any  label "USER_RULE"
                  block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerEurope to any  label "USER_RULE"
                  block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerNorthAmerica to any  label "USER_RULE"
                  block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerOceania to any  label "USER_RULE"
                  block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerSouthAmerica to any  label "USER_RULE"
                  block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerads to any  label "USER_RULE"
                  block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerdshield to any  label "USER_RULE"
                  block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerhijacked to any  label "USER_RULE"
                  block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockermalc0de to any  label "USER_RULE"
                  block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockeropenproxy to any  label "USER_RULE"
                  block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerMaliciousciarmy to any  label "USER_RULE"
                  block  in log  quick  on $WAN reply-to ( em0 SNIP-External-GW )  from  $pfBlockerspyware to any  label "USER_RULE"
                  pass  in  quick  on $LAN  from  SNIP-Wireless-NET/24 to  SNIP-pfSense-INTERAL-IP keep state  label "USER_RULE: Wireless to Gateway OK"
                  block return  in log  quick  on $LAN  from  SNIP-Wireless-NET/24 to  SNIP-LAN-NET/24  label "USER_RULE: Wireless to Work LAN not OK"
                  pass  in  quick  on $LAN  proto tcp  from any to any port 43  flags S/SA keep state  label "USER_RULE: WHOIS Anywhere"
                  pass  in  quick  on $LAN  proto tcp  from any to any port 873  flags S/SA keep state  label "USER_RULE: rsync Anywhere"
                  pass  in  quick  on $LAN  proto { tcp udp }  from any to  91.198.117.0/24 keep state  label "USER_RULE: Secunia"
                  pass  in  quick  on $LAN  proto tcp  from any to  83.145.197.2 port 443  flags S/SA keep state  label "USER_RULE: myWOT"
                  pass  in  quick  on $LAN  proto { tcp udp }  from any to  91.190.218.0/24 keep state  label "USER_RULE: Skype"
                  pass  in  quick  on $LAN  from any to  80.237.253.182 keep state  label "USER_RULE: Cloudfogger"
                  block return  in log  quick  on $LAN  from any to  $pfBlockerAfrica  label "USER_RULE"
                  block return  in log  quick  on $LAN  from any to  $pfBlockerAsia  label "USER_RULE"
                  block return  in log  quick  on $LAN  from any to  $pfBlockerEurope  label "USER_RULE"
                  block return  in log  quick  on $LAN  from any to  $pfBlockerOceania  label "USER_RULE"
                  block return  in log  quick  on $LAN  from any to  $pfBlockerSouthAmerica  label "USER_RULE"
                  block return  in log  quick  on $LAN  from any to  $pfBlockerads  label "USER_RULE"
                  block return  in log  quick  on $LAN  from any to  $pfBlockerdshield  label "USER_RULE"
                  block return  in log  quick  on $LAN  from any to  $pfBlockerhijacked  label "USER_RULE"
                  block return  in log  quick  on $LAN  from any to  $pfBlockermalc0de  label "USER_RULE"
                  block return  in log  quick  on $LAN  from any to  $pfBlockerspyware  label "USER_RULE"
                  block return  in log  quick  on $LAN  from any to  $pfBlockerMaliciousciarmy  label "USER_RULE"
                  pass  in  quick  on $LAN  proto tcp  from any to  SNIP-pfSense-INTERAL-IP port 8080  label "USER_RULE: NAT Dansguardian"
                  pass  in  quick  on $LAN  proto tcp  from any to  SNIP-pfSense-INTERAL-IP port 8080  label "USER_RULE: NAT Dansguardian HTTPS"
                  pass  in  quick  on $LAN  from SNIP-LAN-NET/24 to any keep state  queue (qDefault,qACK)  label "USER_RULE: Default allow LAN to any rule"
                  pass  in  quick  on $LAN  from  SNIP-Wireless-NET/24 to any keep state  queue (qDefault,qACK)  label "USER_RULE: Default allow Wireless to any rule"
                  pass  in  quick  on $IPsec  from any to any keep state  label "USER_RULE"
                  pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN CJ Work OpenVPN wizard"

                  # VPN Rules

                  pass out on $WAN  route-to ( em0 SNIP-External-GW )  proto udp from any to  any  port = 500 keep state label "IPsec: IPSECPHASE1 - outbound isakmp"
                  pass in on $WAN  reply-to ( em0 SNIP-External-GW )  proto udp from  any  to any port = 500 keep state label "IPsec: IPSECPHASE1 - inbound isakmp"
                  pass out on $WAN  route-to ( em0 SNIP-External-GW )  proto udp from any to  any  port = 4500 keep state label "IPsec: IPSECPHASE1 - outbound nat-t"
                  pass in on $WAN  reply-to ( em0 SNIP-External-GW )  proto udp from  any  to any port = 4500 keep state label "IPsec: IPSECPHASE1 - inbound nat-t"
                  pass out on $WAN  route-to ( em0 SNIP-External-GW )  proto esp from any to  any  keep state label "IPsec: IPSECPHASE1 - outbound esp proto"
                  pass in on $WAN  reply-to ( em0 SNIP-External-GW )  proto esp from  any  to any keep state label "IPsec: IPSECPHASE1 - inbound esp proto"
                  anchor "tftp-proxy/*"

                  # havp proxy ifaces rules

                  # allow SIP signaling and RTP traffic

                  pass in on em2 proto udp from any to any port = 5060
                  pass in on em2 proto udp from any to any port 10000:19999

                  • jimp Rebel Alliance Developer Netgate

                    Those firewall lines appear to be related to the captive portal, but I don't see in the source where it's set to log those lines on 2.1.

                    On 2.0.x it may have been tied to the default deny rule logging.

                    You can always edit /etc/inc/filter.inc, find those lines (search for sloppy, it's the 5th-6th hit or so) and remove "{$log}" from the lines.

                    • cejennings

                      That did it!  Thank you so much.

                      1 Reply Last reply Reply Quote 0
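
The rule in question carries the `log` keyword but no label, unlike the GUI-created `USER_RULE` entries in the posted ruleset, and some labels there contain the word "log" without the rule logging anything. As an added example (not from the thread or from pfSense), this shell script lists the rules in a pf ruleset dump that actually log and separates labelled user rules from system-generated ones; the function names, the sample ruleset and its placeholder addresses are constructed, and treating a `USER_RULE` label as the marker of a GUI rule is an assumption drawn from the posted file.

```shell
#!/bin/sh
# Added example: locate logging rules in a pf ruleset dump such as /tmp/rules.debug.
# Function names and the sample ruleset are constructed for illustration.

# Constructed sample modelled on lines from the posted ruleset (placeholder addresses).
sample_rules() {
cat <<'EOF'
block in log all label "Default deny rule"
pass in log quick on { em2 } proto tcp from any to { 192.0.2.1 } port { 8000 8001 } keep state(sloppy)
pass out log quick on { em2 } proto tcp from any to any flags any keep state(sloppy)
pass  in log  quick  on $WAN  proto tcp  from any to  192.0.2.10 port 22  flags S/SA keep state  label "USER_RULE: ssh to PC"
pass  in  quick  on $LAN  from 192.0.2.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
block  in  quick  on $WAN  proto udp  from any to  239.255.255.250 port 1900  label "USER_RULE: Don't log SSDP broadcasts"
# pass out log all
EOF
}

# Read a ruleset on stdin and print "lineno:origin:action:rule" for every
# pass/block rule that carries the log keyword. origin is "user" when the
# label starts with USER_RULE (assumption based on the posted file),
# otherwise "system".
find_logging_rules() {
  awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    $1 != "pass" && $1 != "block" { next }   # skip macros, tables, nat, anchors
    {
      haslog = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "label") break             # label text may contain the word log
        if ($i == "log") haslog = 1
      }
      if (!haslog) next
      origin = ($0 ~ /label "USER_RULE/) ? "user" : "system"
      printf "%d:%s:%s:%s\n", NR, origin, $1, $0
    }'
}

# Logged pass rules that do not carry a USER_RULE label, i.e. rules that
# will not be found on the per-interface rule tabs.
system_pass_log_rules() {
  find_logging_rules | awk -F: '$2 == "system" && $3 == "pass"'
}

# Demo on the constructed sample; reports lines 2 and 3.
sample_rules | system_pass_log_rules
```

On the firewall, `system_pass_log_rules < /tmp/rules.debug` narrows the dump to the kind of rule discussed in this thread.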
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.