What log can be enabled for passed traffic?



  • Basically I'm trying to find out if there is a log I can turn on so that I can see all traffic that is passed by the firewall.  I have no trouble seeing what is blocked by the firewall rules in the standard firewall system logs.  I'm mainly interested in seeing what LAN addresses are going where or what ssh traffic from the outside is doing, such as using the proxy I have set up, etc.

    edit:  I do have logging turned on for the default LAN -> any rule that is set when pfsense is first loaded, but so far nothing is showing up in the firewall logs.



  • What version are you using?
    Did you press apply after changing the rule to log everything?
    Depending on your hardware it can take a few seconds until entries on the firewall log page start appearing.



  • -Using 1.2RC2
    -Yes, I did press apply and confirmed that the setting was still there

    I have noticed that it is logging passed traffic, but it isn't quite what I'm expecting.  Let me explain how mine is set up.

    My gateway serves as the interface to the incoming internet, we'll call this device 10.1.1.254 (the LAN port on the gateway itself)
    The firewall's wan interface is connected to the gateway LAN port; 10.1.1.253
    The firewall's lan interface connects into my switch; 10.1.1.252

    The passed traffic I'm seeing indicates that the LAN -> any rule is what is prompting it to log, which is good.  But I'm guessing maybe I just have the firewall set up slightly off.  It continues to log the source traffic as being BRIDGE0, the gateway as the source with destination 239.255.255.250, UDP traffic.  Same ports both ways, 1900.

    I'm specifically interested in logging traffic from the lan to determine what domain or ip address each workstation is trying to go to, if it is capable of doing this.



  • Yeah if you have a bridged setup, the logged interface will be the bridge, bridge0 in this case. You're getting what you're after.

    Netflow (pfflowd in packages) may be a better solution. You'll have to set up a collector on another machine for that, but it'll give you more complete traffic stats.
    http://en.wikipedia.org/wiki/Netflow



  • Many thanks.  I've taken a look at the transparent bridge setup and briefly messed around with the configuration while I had the "filtered bridge" option enabled.  I'm sure I'll have some follow-up questions later about what rules to apply for inbound traffic, but I appreciate the help.
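
As an added example (not code from any poster in this thread or from the pfSense project), here is the core of the NetFlow collector suggested above: it decodes an export datagram and answers the original question of which LAN host is talking to which destination. It assumes the exporter sends NetFlow version 5 and that the LAN is 10.1.1.0/24 as described in the thread; the workstation and remote addresses in the sample are constructed.

```python
import ipaddress
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated: header count exceeds payload")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "bytes": f[6], "dport": f[10], "proto": f[13]})
    return flows

def destinations_by_host(flows, lan="10.1.1.0/24"):
    """Sum bytes per (dst, proto, dport) for every source inside the LAN."""
    net = ipaddress.ip_network(lan)
    table = defaultdict(lambda: defaultdict(int))
    for fl in flows:
        if ipaddress.ip_address(fl["src"]) in net:
            table[fl["src"]][(fl["dst"], fl["proto"], fl["dport"])] += fl["bytes"]
    return table

def _rec(src, dst, sport, dport, proto, octets):
    # Constructed record: only the fields this example reads are non-zero.
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       0, 0, 1, octets, 0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)

# Constructed sample datagram (workstation and remote addresses are made up).
_RECS = [_rec("10.1.1.20", "192.0.2.10", 51000, 443, 6, 4000),
         _rec("10.1.1.20", "192.0.2.10", 51001, 443, 6, 1200),
         _rec("10.1.1.21", "198.51.100.7", 40022, 22, 6, 900),
         _rec("192.0.2.10", "10.1.1.20", 443, 51000, 6, 6000)]  # reply, not LAN-sourced
SAMPLE = HEADER.pack(5, len(_RECS), 0, 0, 0, 0, 0, 0, 0) + b"".join(_RECS)

if __name__ == "__main__":
    # For live use, read datagrams from a UDP socket bound to the collector port instead.
    for host, dsts in sorted(destinations_by_host(parse_v5(SAMPLE)).items()):
        for (dst, proto, dport), octets in sorted(dsts.items()):
            print(f"{host} -> {dst} proto={proto} dport={dport} bytes={octets}")
```

Flow records carry IP addresses only, so mapping a destination back to a domain name needs a separate source such as DNS query logs.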

