Packet Fence evaluations
-
Is it correct for packet fence to increment the "Match" count when an inbound packet doesn't match the Firewall rule inbound port settings?
Do these rules need any further settings?
IE: There are five rules that have logging enabled:
Inbound - block 80 tcp, block 443 tcp, block 80 udp, block 80 tcp
Outbound - Block any any

However, packet fence is prematurely counting packets as a match. These packets are not logged to the Firewall logs. So I assume that the "Match" count is being incremented with any Inbound packet regardless of the defined "Inbound Ports" in the rules.
pfctl -vv -sr | grep 'pfB_Asia'
@96(1770001764) block drop in log quick on em0 reply-to (em0 x.x.x.x) inet proto tcp from <pfb_asia_v4:4052> to any port = http label "USER_RULE: pfB_Asia_v4"
@97(1770001764) block drop in log quick on em0 reply-to (em0 x.x.x.x) inet proto tcp from <pfb_asia_v4:4052> to any port = 443 label "USER_RULE: pfB_Asia_v4"
@98(1770001764) block drop in log quick on em0 reply-to (em0 x.x.x.x) inet proto udp from <pfb_asia_v4:4052> to any port = http label "USER_RULE: pfB_Asia_v4"
@99(1770001764) block drop in log quick on em0 reply-to (em0 x.x.x.x) inet proto udp from <pfb_asia_v4:4052> to any port = 443 label "USER_RULE: pfB_Asia_v4"
@143(1770001893) block return in log quick on em1 inet from any to <pfb_asia_v4:4052> label "USER_RULE: pfB_Asia_v4"
pfctl -vvsTables | grep -A10 'pfB_Asia'
-pa-r--    pfB_Asia_v4
    Addresses:   4052
    Cleared:     Thu Sep 24 16:23:31 2015
    References:  [ Anchors: 0                  Rules: 5                  ]
    Evaluations: [ NoMatch: 1415               Match: 8                  ]
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
    Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
<rule>
    <ipprotocol>inet</ipprotocol>
    <tracker>1770001893</tracker>
    <type>reject</type>
    <source><any></any></source>
    <destination><address>pfB_Asia_v4</address></destination>
    <log></log>
    <created><time>1443126205</time><username>Auto</username></created>
    <interface>lan</interface>
</rule>
<rule>
    <ipprotocol>inet</ipprotocol>
    <tracker>1770001764</tracker>
    <type>block</type>
    <source><address>pfB_Asia_v4</address></source>
    <destination><any></any><port>pfBlockerNGports</port></destination>
    <protocol>tcp/udp</protocol>
    <log></log>
    <created><time>1443126205</time><username>Auto</username></created>
    <interface>wan</interface>
</rule>
grep 'pfB_Asia' /tmp/rules.debug
table <pfb_asia_v4> persist file "/var/db/aliastables/pfB_Asia_v4.txt"
pfB_Asia_v4 = "<pfb_asia_v4>"
block in log quick on $WAN reply-to ( em0 x.x.x.x ) inet proto { tcp udp } from $pfB_Asia_v4 to any port $pfBlockerNGports tracker 1770001764 label "USER_RULE: pfB_Asia_v4"
block return in log quick on $LAN inet from any to $pfB_Asia_v4 tracker 1770001893 label "USER_RULE: pfB_Asia_v4"
-
-pa-r--    pfB_Europe_v4
    Addresses:   2139
    Cleared:     Thu Sep 24 15:24:27 2015
    References:  [ Anchors: 0                  Rules: 2                  ]
    Evaluations: [ NoMatch: 8220843            Match: 6069980            ]
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:     [ Packets: 120                Bytes: 21894              ]
    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 198                Bytes: 66038              ]
    Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
The rule is to allow inbound OpenVPN without logging, the VPN has pretty much no traffic… NFC what these counters are doing here.
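An added example, not from anyone in this thread, that parses the `pfctl -vvsTables` records quoted in both posts above and puts the table's Evaluations counters beside the per-rule packet counters. In pf, Evaluations/Match is bumped whenever a rule's address test finds the packet's source or destination in the table, so a packet from a listed address counts as a Match even if the rule is then rejected on port or protocol; the In/Out Packets counters move only when the whole rule matched, which is why Match runs ahead of them in both tables. The sample text is constructed from the values on this page, pasted one record per line.

```python
import re

# Constructed sample: the two pfctl -vvsTables records quoted in the thread,
# as they look when pasted onto one line per table. The parser is
# whitespace-agnostic, so pfctl's native multi-line layout parses identically.
SAMPLE = (
    "-pa-r-- pfB_Asia_v4 Addresses: 4052 Cleared: Thu Sep 24 16:23:31 2015 "
    "References: [ Anchors: 0 Rules: 5 ] Evaluations: [ NoMatch: 1415 Match: 8 ] "
    "In/Block: [ Packets: 0 Bytes: 0 ] In/Pass: [ Packets: 0 Bytes: 0 ] "
    "In/XPass: [ Packets: 0 Bytes: 0 ] Out/Block: [ Packets: 0 Bytes: 0 ] "
    "Out/Pass: [ Packets: 0 Bytes: 0 ] Out/XPass: [ Packets: 0 Bytes: 0 ]\n"
    "-pa-r-- pfB_Europe_v4 Addresses: 2139 Cleared: Thu Sep 24 15:24:27 2015 "
    "References: [ Anchors: 0 Rules: 2 ] Evaluations: [ NoMatch: 8220843 Match: 6069980 ] "
    "In/Block: [ Packets: 0 Bytes: 0 ] In/Pass: [ Packets: 120 Bytes: 21894 ] "
    "In/XPass: [ Packets: 0 Bytes: 0 ] Out/Block: [ Packets: 0 Bytes: 0 ] "
    "Out/Pass: [ Packets: 198 Bytes: 66038 ] Out/XPass: [ Packets: 0 Bytes: 0 ]\n"
)

# One record: flags, table name, address count, then everything up to the next record.
TABLE_RE = re.compile(
    r"(?P<flags>\S+)\s+(?P<name>\S+)\s+Addresses:\s+(?P<addresses>\d+)"
    r"(?P<body>.*?)(?=\S+\s+\S+\s+Addresses:|\Z)", re.S)
# One bracketed counter pair, e.g. "Evaluations: [ NoMatch: 1415 Match: 8 ]".
COUNTER_RE = re.compile(
    r"(?P<sec>[\w/]+):\s+\[\s*(?P<k1>\w+):\s+(?P<v1>\d+)\s+(?P<k2>\w+):\s+(?P<v2>\d+)\s*\]")

def parse_tables(text):
    """Map table name -> {'flags', 'addresses', 'References', 'Evaluations', 'In/Block', ...}."""
    tables = {}
    for m in TABLE_RE.finditer(text):
        counters = {c["sec"]: {c["k1"]: int(c["v1"]), c["k2"]: int(c["v2"])}
                    for c in COUNTER_RE.finditer(m["body"])}
        tables[m["name"]] = {"flags": m["flags"], "addresses": int(m["addresses"]), **counters}
    return tables

def lookup_hits_vs_rule_matches(tables):
    """Per table: (lookups that found the packet's address in the table, packets a rule
    using the table fully matched). Evaluations/Match is bumped by the address test
    alone; In/Out Packets only move once port, protocol and direction also matched."""
    report = {}
    for name, t in tables.items():
        hits = t["Evaluations"]["Match"]
        handled = sum(v["Packets"] for k, v in t.items() if k.startswith(("In/", "Out/")))
        report[name] = (hits, handled)
    return report

if __name__ == "__main__":
    for name, (hits, handled) in lookup_hits_vs_rule_matches(parse_tables(SAMPLE)).items():
        print(f"{name}: address lookups matched {hits} times, rules fully matched {handled} packets")
```

Feed it `pfctl -vvsTables` output from your own box; a large Match with near-zero handled packets is the address list being consulted for traffic the rule then declines on another criterion, not the rule firing unlogged.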
-
Hoping for one of the Devs to chime in on this if possible? :)
Thanks!
-
Guess posting this in redmine would be the next step?
-
Apparently…