Firewall logs!
-
Hello:
First of all, congratulations to the pfSense developers!! It's a great firewall and I like it so far ;)
I was searching around the forum here, trying to find some info about the "Firewall logs" :)
- Are all the blocked IPs still blocked when I restart the firewall? (I found an old topic where someone else was asking about the same thing, and at that time the firewall did not save the logs to HD. That was in May 2007)
- I was looking in the firewall log and found that it keeps logging the same IP with the same port almost all the time. So why is the log still displaying the same IPs with port if they were blocked earlier?
Isn't it possible to make it show the IP and port only once in the block list, not all the time?
. .
Aug 30 07:15:59 WAN AAA.157.234.248:55555 BBB.BBB.BBB.BBB:55555 UDP
Aug 30 07:15:28 WAN AAA.157.234.248:55555 BBB.BBB.BBB.BBB:55555 UDP
Aug 30 07:14:44 WAN AAA.157.234.248:55555 BBB.BBB.BBB.BBB:55555 UDP
Aug 30 07:12:17 WAN AAA.157.234.248:55555 BBB.BBB.BBB.BBB:55555 UDP
Aug 30 07:12:08 WAN AAA.157.234.248:55555 BBB.BBB.BBB.BBB:55555 UDP
Aug 30 07:04:07 WAN AAA.157.234.248:55555 BBB.BBB.BBB.BBB:55555 UDP
Aug 30 07:03:41 WAN AAA.157.234.248:55555 BBB.BBB.BBB.BBB:55555 UDP
. .
Not sure if this is a log bug or maybe it's OK. But isn't it unnecessary to show the same block time after time?
hehe, and another question too :)
I can see the firewall is blocking IGMP requests from my ISP's DHCP server all the time. Is there any way to allow my ISP's DHCP server to ping me?
Do I need to add the DHCP server IP into the forwarding and make a rule for IGMP? Not sure what port number that is. :/
Thanks again for a great firewall :)
Regards
-
Every log entry is at another time. Soooo I don't think you want it if the logger just stops logging stuff.
Create a rule on your WAN interface that allows IGMP.
-
Every log entry is at another time. Soooo I don't think you want it if the logger just stops logging stuff.
Create a rule on your WAN interface that allows IGMP.
Hi.
Thanks :)
But isn't it better to block the IP on the first hit, and then not show the same IP again after a few seconds, when the IP was already blocked the first time?
Let's take an example:
The first hit was:
Aug 30 07:03:41 WAN AAA.157.234.248:55555 BBB.BBB.BBB.BBB:55555 UDP
The firewall blocked that IP at that time. Why does it show again after 1 minute when I know the whole IP was blocked at this time, Aug 30 07:03:41?
It's not so important for me, but I was thinking maybe it's somewhat unnecessary and annoying to see the same IP all the time in my firewall log, hehe.
Not sure what port IGMP is running on (TCP/UDP). Since pfSense is blocking multicast (IGMP), is there any way to disable the logging of it?
Regards
-
Every new entry is another attempt to connect.
If you want to know how often someone tried to connect, you want to see that in the log.
If someone does a portscan you will see that in the log.
If you just stop logging after the first blocked attempt…
I think you are mistaking "to block a connection attempt" for "ban IP".
To allow IGMP you don't need to know the port. Just select it from the dropdown box in the rule setup.
In the dropdown box of the protocols, IGMP is about in the lower middle.
All "allow" rules are not logged by default. But you can activate logging for it in the setup if you want.
-
If you want to block any more connection attempts, take a look at the 'advanced options' button. Matching offenders will get silently dropped via an internal table (virusprot, I think); they remain blocked until the firewall is restarted. The logging is just telling you it did not allow the connection; it does not block future connection attempts from that IP.
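
The replies explain that every log line is a separate blocked attempt, not a ban, so one way to read such a log without losing the attempts is to collapse repeats into one row per source with a count and first/last time. This is an added example, not part of the original thread or of pfSense; it assumes the seven-field layout of the excerpt in the first post, and the addresses in the sample are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the excerpt above (placeholder addresses).
SAMPLE = """\
. .
Aug 30 07:15:59 WAN 198.51.100.7:55555 203.0.113.10:55555 UDP
Aug 30 07:15:28 WAN 198.51.100.7:55555 203.0.113.10:55555 UDP
Aug 30 07:14:44 WAN 198.51.100.7:55555 203.0.113.10:55555 UDP
Aug 30 07:14:02 WAN 198.51.100.1 224.0.0.1 IGMP
Aug 30 07:12:17 WAN 198.51.100.7:55555 203.0.113.10:55555 UDP
Aug 30 07:03:41 WAN 198.51.100.7:55555 203.0.113.10:55555 UDP
. .
"""

def parse(line):
    """Return (timestamp, key) for one log line, or None if it does not fit."""
    parts = line.split()
    if len(parts) != 7:          # month day time iface src dst proto
        return None
    mon, day, clock, iface, src, dst, proto = parts
    try:
        # The log carries no year; 2000 is an arbitrary leap year (assumption).
        ts = datetime.strptime(f"2000 {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    # Group by source address only: the source port can change per attempt.
    # Portless protocols such as IGMP have no ":port" suffix (IPv4 layout assumed).
    src_ip = src.rpartition(":")[0] or src
    return ts, (iface, src_ip, dst, proto)

def summarize(text):
    """Collapse repeated blocks into one row per (iface, source, destination, proto)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        parsed = parse(line)
        if parsed:
            groups[parsed[1]].append(parsed[0])
    rows = [{"iface": k[0], "src": k[1], "dst": k[2], "proto": k[3],
             "count": len(v), "first": min(v), "last": max(v)}
            for k, v in groups.items()]
    return sorted(rows, key=lambda r: r["count"], reverse=True)

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(f'{r["count"]:>4}x {r["iface"]} {r["src"]} -> {r["dst"]} {r["proto"]} '
              f'first {r["first"]:%b %d %H:%M:%S} last {r["last"]:%b %d %H:%M:%S}')
```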