Status>System logs>Firewall



  • Just a couple of ideas:

    • Could the source and destination ports be broken out into separate columns without too much work?

    • Perhaps the Action column labels could be changed to past tense (e.g., "Blocked" vs "Block").



  • dot a) looks easy enough to do. adding 2 extra columns will change the spacing then … not sure if it'll help for readability.      <--- will give it a try and post some screenshots
    dot b) thanks



  • personally i don't like it very much. what do you & others think?


  • Banned

    Shrug.

    • The ports stuff needs to drop the :s
    • Source-port -> Src. Port; Destination-port -> Dst. Port (just wasting space with the column width)
    • The filter should be shrunk back to two rows as it was and grow itself a "hide" feature… Waste of screen estate.
    • Needs some colors for Blocked/Rejected vs. Pass at least. (Is the text really even needed there?)


  • @doktornotor:

    Shrug.

    • The ports stuff needs to drop the :s
    • Source-port -> Src. Port; Destination-port -> Dst. Port (just wasting space with the column width)
    • The filter should be shrunk back to two rows as it was and grow itself a "hide" feature… Waste of screen estate.
    • Needs some colors for Blocked/Rejected vs. Pass at least. (Is the text really even needed there?)

    -i know about the ":" issue. the get_port_with_service() returns with ":" … didn't bother to go look for that function at this stage

    • gotcha
    • perhaps, not my call
    • one could implement the same icons as shown in firewall_rules.php (they still don't have colors)


  • i've stepped away from splitting the ports from the ip's.
    ==> there is a  inside the that is used to for reverse-dns-lookup. its called by ajax stuff i don't understand  ;  anyway, it makes it impossible to get the src/dst-port columns anywhere near to source/destination columns.

    so i only fixed the "blocked" thing. it originally also showed 'blocked' on a PASS log ;)
    if anyone has some good ideas to further improve/adjust, let me know.



  • @heper:

    i've stepped away from splitting the ports from the ip's.
    ==> there is a  inside the that is used to for reverse-dns-lookup. its called by ajax stuff i don't understand  ;  anyway, it makes it impossible to get the src/dst-port columns anywhere near to source/destination columns.

    so i only fixed the "blocked" thing. it originally also showed 'blocked' on a PASS log ;)
    if anyone has some good ideas to further improve/adjust, let me know.

    Looks better now, but my suggestion is that the action should be changed to an icon (if it is possible; if not, it is OK), and Source-port and Destination-port should be put back,
    then "Source-port" changed to "Src. Port" and "Destination-port" changed to "Dest. Port". It looks more attractive and clear. See my picture.

    Donny

    ![Something to Change.png](/public/imported_attachments/1/Something to Change.png)



  • what do you mean by this? they are icons already? icons can be changed of course, but i prefer them to be the same as the ones used in firewall_rules.php

    but my suggest is the action should be change to icon

    about the dest.port/src.port:

    i've stepped away from splitting the ports from the ip's.
    ==> there is a  inside the that is used to for reverse-dns-lookup. its called by ajax stuff i don't understand  ;  anyway, it makes it impossible to get the src/dst-port columns anywhere near to source/destination columns.

    if you have a way to get them close together, then i can try again



  • @heper:

    what do you mean by this? they are icons already? icons can be changed of course, but i prefer them to be the same as the ones used in firewall_rules.php

    but my suggest is the action should be change to icon

    about the dest.port/src.port:

    i've stepped away from splitting the ports from the ip's.
    ==> there is a  inside the that is used to for reverse-dns-lookup. its called by ajax stuff i don't understand  ;  anyway, it makes it impossible to get the src/dst-port columns anywhere near to source/destination columns.

    if you have a way to get them close together, then i can try again

    At Act: "block" and "pass" should be changed to the icons that are used with Firewall. You can also use only the words "Block" and "Pass"
    and change them to the colors "Green for pass" and "Red for Block", without using the button or icon.



  • Thanks for trying, heper.

    I'd still prefer to see the port numbers in a separate column but only if it's not going to cause a lot of work.

    Icon or text work for me.

    Only as a matter of interest, is there a way to distinguish between drop and reject?



  • Only as a matter of interest, is there a way to distinguish between drop and reject?

    Yes, there is. While looking at this stuff on 2.3-ALPHA I noticed that the Firewall Log Display is currently hard-coded to always put "Block" as the text in the button.
    Step 1: That should be fixed so it says "Pass" or "Block" as appropriate.
    Step 2: Make it use icons instead of words. Use the same icons for "pass", "block", "reject" as are used on the firewall rules display.

    Then I went to a 2.2.4 and 2.2.5 system to see how it behaved. It always showed the "blocked" icon. The "reject" icon was never displayed - not in 2.2.* and not in 2.3.

    So I fixed all that in RELENG_2_2 - https://github.com/pfsense/pfsense/pull/2012 - hopefully that can make it into 2.2.5

    For 2.3 then,

    Step 3: Make the corresponding fixes from https://github.com/pfsense/pfsense/pull/2012 RELENG_2_2 in master for 2.3



  • @phil.davis step1 & 2 are done,
    do you want to handle step 3 ?

    https://github.com/pfsense/pfsense/pull/2013



  • @heper:

    @phil.davis step1 & 2 are done,
    do you want to handle step 3 ?

    https://github.com/pfsense/pfsense/pull/2013

    Yep, I will wait until PR 2012 and 2013 have been reviewed and the final changes committed to the respective branches. Then I will sort out what from PR 2012 in RELENG_2_2 needs to be also done in master.

    Note: This is all "bug" stuff that needs to be sorted out regardless. After that there are then the suggestions about the UI layout that are the original topic of this thread.


  • Developer Netgate

    Replacing those glyphicons with font-awesome icons ( https://fortawesome.github.io/Font-Awesome/icons/ ) do you think make sense for:

    • Click to resolve

    • Easyrule: add to block list

    • Easyrule: pass this traffic

    ?

    fa-info
    fa-minus-square-o
    fa-plus-square-o

    perhaps?

    So many choices  :)

    I have pushed a change that incorporates these choices as a reference.



  • @Steve_B:

    • Easyrule: add to block list

    • Easyrule: pass this traffic

    fa-minus-square-o
    fa-plus-square-o

    perhaps?

    personally  "-" & "+"  reminds me of, adding & removing. while in this case, both add a rule (one to block, the other to pass).
    so maybe we can make both of them a "+", but use the css  color scheme?  (green=pass , red=block)

    or

    use different icons altogether perhaps: fa-lock / fa-unlock ?



  • Given that icon set, might I suggest using the "hand" series such as:

    block:    hand-paper-o or hand-rock-o
    reject:  thumbs-o-down
    pass:    thumbs-o-up

    The addition of colour (red for block and reject, green for pass) would go a long way to adding clarity IMO.

    That might give us a consistent and hopefully intuitive way of representing the dual -ve conditions for processing packets.


  • Developer Netgate

    We need to accommodate those who do not see colors clearly. Lock/unlock might work.



  • Hello, I like the firewall log entries layout from the picture below more than the current one. In the current firewall log layout, the "Act" column should be on the left side and not the right side; it looks conflicting.
    The X icons in the Act column do not look attractive. My suggestion is: is it possible to use another icon, or an icon like the firewall's? When I point to an icon information and icon + the arrow pointer disappears.

    Donny




  • We need to accommodate those who do not see colors clearly.

    How about simply use Black on White for +ve and White on Black for -ve (or vice versa as consensus desires)?
    I'm suggesting color or contrast (in this case) clues to be used in addition to icon clues.


  • Moderator

    Instead of defining 'icon-danger' and 'icon-success', why not just 'green' and 'red' so those css settings can be used in other places.



  • OOPS - a can of worms :)

    @Steve_B:

    Replacing those glyphicons with font-awesome icons . . .

    How about:

    Reject          - arrow-left (orange)
    Block/Drop  - arrow-down (red)
    Pass            - arrow-right (green)



  • @BBcan177:

    Instead of defining 'icon-danger' and 'icon-success', why not just 'green' and 'red' so those css settings can be used in other places.

    the bootstrap css already contains  btn-success / btn-success /btn-warning  by default. both of those are used throughout the webgui.
    i thought it would be better to keep following that naming-scheme ? what do you folks think?


  • Developer Netgate

    As well as alert-success, alert-danger etc. We also now have an optional style argument to print_info_box() that I use quite a lot:

    print_info_box(gettext("Changes saved."), 'success');

    So keeping with the Bootstrap style names is a good thing IMHO.



  • Bravo.

    @Steve_B:

    We need to accommodate those who do not see colors clearly.



  • PLEASE go back to the colored "BLOCKED" and "PASS". Those are so much more ergonomic than a check or an "x". From an aesthetic standpoint they look a lot better too!



  • @doktornotor:

    • The filter should be shrunk back to two rows as it was and grow itself a "hide" feature… Waste of screen estate.

    Just for you (for 2.2.5)

    Filter Form Hide Feature
    Form hidden by default, shown when filtering/selected.
    https://github.com/pfsense/pfsense/pull/2037


  • Developer Netgate

    Thanks. I'll be adding similar functionality to 2.3 in the next few days.


  • Banned

    @NOYB:

    Just for you (for 2.2.5)

    Filter Form Hide Feature
    Form hidden by default, shown when filtering/selected.
    https://github.com/pfsense/pfsense/pull/2037



  • @Steve_B:

    Thanks. I'll be adding similar functionality to 2.3 in the next few days.

    Since you are in there working on that.  If you're interested in consolidating some of that redundant code and adding filter form to the other system logs, feel free to grab anything from System Logs Consolidate Code and Add Advanced Filtering #1973  The most significant issue I know of is the regex pattern in /etc/inc/filter_log.inc needs a tweak for single digit day of month.

    I'm currently running that on 2.2.5 with the following regex changes.

    In function conv_log_filter($logfile, $nentries, $tail = 50, $filtertext = "", $fil…

    
    	elseif ($logfile_type == 'system')		{ 
    		$month_pattern = "[a-zA-Z]{3}";
    		$day_pattern = "[0-9]{1,2}";
    		$time_pattern = "[0-9]{2}:[0-9]{2}:[0-9]{2}";
    
    		$date_pattern = "\(" . $month_pattern . "\ +" . $day_pattern . "\ +" . $time_pattern . "\)";
    
    		$process_pattern = "\(.*?\)";
    #		$pid_pattern = "\(.*?\)\(?::\ +\)?\(?:[\([0-9:]*\)]\)?:";
    		$pid_pattern = "\(.*?\)\(?::\ +\)?\(?:\[[0-9:]*]\)?:";
    		$log_message_pattern = "\(.*\)";
    
    		$pattern = "^" . $date_pattern . "\ +" . $process_pattern . "\ +" . $pid_pattern . "\ +" . $log_message_pattern . "$";
    	}
    
    

    In function parse_system_log_line($line)

    
    	$month_pattern = "[a-zA-Z]{3}";
    	$day_pattern = "[0-9]{1,2}";
    	$time_pattern = "[0-9]{2}:[0-9]{2}:[0-9]{2}";
    
    	$date_pattern = "(" . $month_pattern . "\ +" . $day_pattern . "\ +" . $time_pattern . ")";
    
    	$process_pattern = "(.*?)";
    	$pid_pattern = "(.*?)(?::\ +)?(?:[([0-9:]*)])?:";
    	$log_message_pattern = "(.*)";
    
    	$pattern = "/^" . $date_pattern . "\ +" . $process_pattern . "\ +" . $pid_pattern . "\ +" . $log_message_pattern . "$/";
    
    	if (!preg_match($pattern, $line, $log_split))
    		return "";
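
An added example (not part of the original post or of the pfSense code) of why the day-of-month tweak matters: syslog pads single-digit days with a space, so a parser that expects a two-digit day returns nothing for those lines and they drop out of the log view. The line format, `parse_line()`, `count_dropped()`, the strict pattern and the sample lines are assumptions constructed for illustration; only the month, day and time sub-patterns are taken from the post.

```php
<?php
// Assumed "strict" date pattern: one space, two-digit day. Hypothetical,
// written the way a parser tested only on double-digit dates might be.
const STRICT_DATE = '[a-zA-Z]{3} [0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}';
// Tolerant date pattern assembled from the sub-patterns quoted in the post.
const TOLERANT_DATE = '[a-zA-Z]{3}\ +[0-9]{1,2}\ +[0-9]{2}:[0-9]{2}:[0-9]{2}';

// Simplified line format (assumption): "<date> <host> <process>[<pid>]: <message>"
function parse_line(string $line, string $date_pattern): ?array
{
    $pattern = '/^(' . $date_pattern . ')\ +(\S+)\ +([^\[:]+)(?:\[([0-9]+)\])?:\ +(.*)$/';
    if (!preg_match($pattern, $line, $m)) {
        return null; // unparsed line: the caller should count it, not hide it
    }
    return ['time' => $m[1], 'host' => $m[2], 'process' => $m[3],
            'pid' => $m[4], 'message' => $m[5]];
}

// Number of lines the given date pattern fails to parse.
function count_dropped(array $lines, string $date_pattern): int
{
    $dropped = 0;
    foreach ($lines as $line) {
        if (parse_line($line, $date_pattern) === null) {
            $dropped++;
        }
    }
    return $dropped;
}

// Constructed sample lines; note the two spaces before the single-digit day.
$lines = [
    'Oct 25 09:14:02 fw01 sshd[4121]: Accepted publickey for admin',
    'Nov  3 02:47:19 fw01 sshd[5530]: Failed password for root from 203.0.113.7',
    'Nov  3 02:47:21 fw01 kernel: em0: link state changed to UP',
];

foreach (['strict' => STRICT_DATE, 'tolerant' => TOLERANT_DATE] as $name => $date) {
    printf("%-8s %d of %d lines dropped\n", $name, count_dropped($lines, $date), count($lines));
}
```

Comparing the parsed count with the raw line count, as `count_dropped()` does, is a cheap check that a log viewer is not silently hiding entries.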
    
    

  • Developer Netgate

    Thanks.

    I consolidated all of the many logs pages into a single page + GET argument some months ago. I'll certainly check out your regex suggestion.



  • Unless adding the filter form to the system logs, the regex that was there was fine as it only had to handle the firewall log.

    I think it would be nice to have the filter form for the system logs too though.

