Firewall Logging more than it should
ptaylor last edited by
I have an unusual problem that deals with FTP. First, the user-land proxy is disabled on both WAN and LAN interfaces. My firewall is configured to bridge the WAN to the LAN. I have a number of rules on the WAN interface to allow certain traffic in, including a rule to let outside devices hit port 21 (FTP) of a server on the LAN segment. There is no logging on this FTP rule. The FTP server operates in active mode, so port 20 connects out to a high port on the remote devices. Since this isn't really related to the incoming traffic (as far as the firewall is concerned), the rule allowing this (I assume) is the one on the LAN interface. The LAN interface is configured with a simple Any To Any rule, no logging.
Here's my issue… I'm getting all the outbound port 20 traffic in my firewall log, like so:
Act  Time             If       Source          Destination            Proto
     May 7 11:13:22   BRIDGE0  FTP_SRV_IP:20   REMOTE_CLIENT#1:12764  TCP
     May 7 11:13:22   LAN      FTP_SRV_IP:20   REMOTE_CLIENT#1:12764  TCP
     May 7 11:13:22   BRIDGE0  FTP_SRV_IP:20   REMOTE_CLIENT#2:12763  TCP
     May 7 11:13:22   LAN      FTP_SRV_IP:20   REMOTE_CLIENT#2:12763  TCP
     May 7 11:12:19   BRIDGE0  FTP_SRV_IP:20   REMOTE_CLIENT#3:2595   TCP
     May 7 11:12:19   LAN      FTP_SRV_IP:20   REMOTE_CLIENT#3:2595   TCP
It appears that for each actual outgoing FTP connection, I am getting two log entries, one for the BRIDGE0 interface and one for the LAN interface.
Now, I'm not actually concerned about the double entries, but I am very interested to know how these are being logged in the first place. As I mentioned, the outgoing rule has no logging enabled. The Incoming FTP rule has no logging enabled.
If I click on the "Pass" icon on the log screen for one of these log entries, I get a pop-up stating "The rule that triggered this action is:" followed only by an OK button.
How do I stop these log entries from being added? (I have even tried adding a rule to the LAN interface specifically sourced from the FTP server with a source port of 20 destined anywhere with no logging, but that also results in these log entries.)