Have firewall log only what I want
-
Hi,
I'm using pfSense as a firewall for a network of about 1500 students. Recently an event happened where I have needed to rethink my logging strategy. I have recently set up the box to log to a syslog-ng server, and it's working great. The problem I am having now is trying to get the syslog server to see the logs I want.
Specifically, I have a rule set up that will log all outgoing attempts to 6346-6348. This logs fine, and when I go to the logs interface within the system, I click on the arrow next to it and it tells me something like "Block action triggered by rule 424", which is good. The thing is, it's also logging a bunch of connections I don't want to log. They are all allowed connections. When I click on those log entries, a similar box comes up, but it doesn't tell me what rule triggered it. This leads me to believe that maybe the default rule could be logging these?
In syslog, it's telling me that the action was because of "rule 345.69835.30114.0/0(match): pass in on em0:"
How can I tell what this is?
-
Can you provide a full line of such a log item? You can clear parts of the IP addresses if you want. I guess it's one of the services that creates a firewall pass rule behind the scenes when enabled. You should be able to tell this by the port number or the destination IP.
-
Hi Hoba,
The log items that are showing up that I want are like this:
Apr 30 17:34:15 10.xx.1.1 pf: 075202 rule 424/0(match): pass in on em0: (tos 0x0, ttl 124, id 20691, offset 0, flags [DF], proto: TCP (6), length: 48) 10.xx.100.227.1435 > 24.182.xx.xx.6346: S, cksum 0x1d05 (correct), 2349305009:2349305009(0) win 65535 <mss 1460,nop,nop,sackOK>
The rule 424 is the only rule that I have logging enabled on.
There are also lines that look like this:
Apr 30 20:08:16 10.XX.1.1 pf: 561155 rule 345.69835.34544.0/0(match): pass in on em0: (tos 0x0, ttl 125, id 48066, offset 0, flags [DF], proto: TCP (6), length: 52) 10.XX.104.241.51943 > 64.86.XX.xX.63485: S 2044488398:2044488398(0) win 8192 <mss 1460,nop,wscale 2,[|tcp]>
I have no idea why they are being logged, and when I click on the "Act" next to it in the firewall log within the GUI, it comes up with a blank box.
I assumed that unless I enabled verbose logging, that the firewall would only log denied attempts. In this case, it seems like it's showing a bunch of allows that I am not interested in.
Thanks for responding.
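The two log shapes above can be told apart mechanically. As an added example (my own code, not from pfSense or anyone in this thread), this Python parser splits the rule field into the main-ruleset rule number and, when present, the anchor name and sub-rule number, counts which rule ids are actually producing entries, and keeps only the lines from rule 424. The sample lines are constructed from the ones above, with the masked addresses replaced by private and documentation ranges.

```python
import re

# Regex for the pf syslog lines pfSense forwards (tcpdump pflog format).
# Field names follow the sample lines in the thread; the pattern is my own.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pf: \d+ "
    r"rule (?P<rule>[\d.]+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r".*?proto: (?P<proto>\w+) \(\d+\), length: \d+\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_pflog(line):
    """Parse one pf log line into a dict, or return None if it does not match.
    The rule field is "N" for main-ruleset rule N, or "N.<anchor>.M" when the
    match came from rule M inside an anchor (sub-ruleset) attached to rule N."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    parts = d["rule"].split(".")
    d["rule_no"] = int(parts[0])
    d["anchor"] = ".".join(parts[1:-1]) or None   # anchor name, None in main ruleset
    d["sub_rule_no"] = int(parts[-1]) if len(parts) > 1 else None
    for key in ("sub", "sport", "dport"):
        d[key] = int(d[key])
    return d

def rules_seen(lines):
    """Count entries per raw rule id, to see which rules are really logging."""
    counts = {}
    for entry in map(parse_pflog, lines):
        if entry:
            counts[entry["rule"]] = counts.get(entry["rule"], 0) + 1
    return counts

def filter_lines(lines, rule_no=424):
    """Keep only entries from the main-ruleset rule that was deliberately logged."""
    return [ln for ln in lines
            if (e := parse_pflog(ln)) and e["anchor"] is None and e["rule_no"] == rule_no]

# Constructed sample lines (masked octets replaced with private/documentation addresses).
SAMPLE = [
    "Apr 30 17:34:15 10.0.1.1 pf: 075202 rule 424/0(match): pass in on em0: (tos 0x0, ttl 124, id 20691, offset 0, flags [DF], proto: TCP (6), length: 48) 10.0.100.227.1435 > 203.0.113.5.6346: S, cksum 0x1d05 (correct), 2349305009:2349305009(0) win 65535 <mss 1460,nop,nop,sackOK>",
    "Apr 30 20:08:16 10.0.1.1 pf: 561155 rule 345.69835.34544.0/0(match): pass in on em0: (tos 0x0, ttl 125, id 48066, offset 0, flags [DF], proto: TCP (6), length: 52) 10.0.104.241.51943 > 198.51.100.9.63485: S 2044488398:2044488398(0) win 8192 <mss 1460,nop,wscale 2,[|tcp]>",
    "Apr 30 20:09:01 10.0.1.1 pf: 561160 rule 345.69835.30114.0/0(match): pass in on em0: (tos 0x0, ttl 125, id 48070, offset 0, flags [DF], proto: TCP (6), length: 52) 10.0.104.241.51944 > 198.51.100.9.63486: S 2044488399:2044488399(0) win 8192 <mss 1460,nop,wscale 2,[|tcp]>",
]
```

On the box itself, `pfctl -vvsr` prints the loaded ruleset with each rule's `@N` number, which is the N that the log's `rule N` field refers to.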
-
Go to diagnostics>command and download /tmp/rules.debug or view the file at diagnostics>edit file. This is the ruleset that is loaded into the filter. Try to identify the rule that is causing this logging and let me know please.
-
Ok, I looked through the file, and even searched for the word "log". It came up in two places, one being the rule I created, and the other being:
block in log proto tcp from <sshlockout> to any port 22 label "sshlockout"
My rules are as follows:
User-defined rules follow
pass in quick on $wan proto tcp from { 72.248.xx.xx } to 72.248.xx.xx port = 443 keep state queue (qwandef, qwanacks) label "USER_RULE: Allow Web Management"
pass in quick on $wan inet proto icmp from any to 72.248.xx.xx keep state queue (qwandef, qwanacks) label "USER_RULE: Allow Ping"
pass in quick on $lan proto tcp from <servers> to any keep state queue (qlandef, qlanacks) label "USER_RULE: Allow Servers Everywhere"
pass in quick on $lan proto tcp from { 10.xx.104.219 } to any keep state queue (qlandef, qlanacks) label "USER_RULE: Allow Ryan's XBOX Everywhere"
pass in quick on $lan proto tcp from { 10.xx.116.215 } to any keep state queue (qlandef, qlanacks) label "USER_RULE: Allow Mark's Playstation Everywhere"
block in quick on $lan proto tcp from any to any port = 80 queue (qlandef, qlanacks) label "USER_RULE: Block HTTP"
block in quick on $lan proto tcp from any to any port = 25 queue (qlandef, qlanacks) label "USER_RULE: Block SMTP"
pass in quick on $lan from 10.xx.0.0/16 to any keep state queue (qlandef, qlanacks) label "USER_RULE: Default LAN -> any"
pass in log quick on $lan proto tcp from any to any port 6345 >< 6348 keep state queue (qlandef, qlanacks) label "USER_RULE: Log Gnutella"
pass in quick on $lan from <adminnet> to any keep state queue (qlandef, qlanacks) label "USER_RULE: Allow Admin Net "
pass in quick on $lan from <studentnets> to any keep state queue (qlandef, qlanacks) label "USER_RULE: Allow Student Network"
block in quick on $lan proto { tcp udp } from any to any port = 62709 queue (qlandef, qlanacks) label "USER_RULE: Block 62709"
pass in quick on $enc0 from any to any keep state label "USER_RULE: Permit IPSEC traffic."
I don't see where all these other logged "allow" rules are coming from. Where can I look in the system to find the rule "number" for each rule?
-
I see an xbox there. Are you using UPnP with the pfSense and the xbox? I bet those are logs from the dynamically generated rules the xbox requests.
-
There are XBox units on the network, but they are not using UPnP. I disabled UPnP because of the size of the network (~1800 hosts). The XBox rules are just there because we force the use of a proxy server and typically block port 80 for anything but the proxy. The XBox units need port 80 for Xbox Marketplace to work, so I enabled it as a "test" for a few users.