Firewall Log Monitoring



  • Hello Community,

    I don't understand why some rules work and some others don't even though apart from a few minor changes.

    If you take a look at the image, the top two rules don't work, whereas the remaining three rules do work - particular the rule with description Windows73. This rule is identical to rule Windows72 apart from the port 3390. I really don't understand

    Therefore, is there a way at looking at logs to see why?

    Cheers






  • Select the 'Status/System Logs' menu, then click on the 'Firewall' tab. You can filter the logs using the 'filter' field at the bottom right of this page. This will show you whether the traffic is reaching your internal servers or not.



  • Billy
    Thanks for responding.

    Looking at my logs can you see any reason why I'm not getting through the firewall?




  • You need to try hitting your NAT'ed address from outside the firewall first. Then filter your log by entering a target or source address - at the moment your logs are just showing a lot of UDP noise, so this won't tell you much.

    PS: An afterthought: Have you checked that the routing on the systems which are responding correctly is the same as the ones which aren't? All of your outward facing servers should be set to use the pfSense as the default gateway, otherwise you're traffic won't route back out to the originating source. This might explain why some, but not all, of your forwarding rules appear to be failing.



  • Billy

    Thanks again for responding.

    You need to try hitting your NAT'ed address from outside the firewall first

    I am trying to hit the NAT'ed addresses from outside the firewall.

    All of your outward facing servers should be set to use the pfSense as the default gateway

    I did get caught out on this in the past, but yes the default gateway is set to pfsense.

    Any other suggestions?

    It just doesn't make any sense.

    Regards



  • Community,

    See image of the my firewall logs. Virtually, all connections are UDP.

    The strangest thing is I don't see the connection that actually works - if you remember I said the RDP connection with description Windows72 actually works. I connected but I don't see that connection in the logs.

    Can someone please help….




  • pfSense Community,

    You're help will be greatly appreciated….

    Please help. Its driving me crazy



  • Again, it doesn't look like you're filtering your logs to show just the servers which are having problems receiving the packets you're trying to port forward. What your log does show is that your firewall is blocking your internal servers from making DNS queries to the outside. As you've only shown us the rules applying to your inbound (WAN) traffic, it's difficult to know whether this is something you have meant to happen or not. You should be able to filter the logs according to protocol, source ip and destination ip as well as port number. When you run a test, for instance, from the outside to port 3390/3389, you should then filter your logs to show just this traffic. Then you'll be able to see past all the UDP scatter you're getting.

    Another test you could run is to try doing an nmap port scan from the outside to your WAN address. This should show what ports are open and which are closed.

    For that matter, have you checked to see whether any of your servers are running personal firewalls which might be rejecting connections that make it past the perimeter?



  • The strangest thing is I don't see the connection that actually works

    Typically, only blocked traffic is logged, and only then if the block rule has logging enabled.


Log in to reply