Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    TCP Flags and logging with quick

    Scheduled Pinned Locked Moved
    2.3-RC Snapshot Feedback and Issues - ARCHIVED
    2
    2
    815
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I
      iamzam
      last edited by

      I am playing with logging packets that have flags set and I am trying to setup rules on the floating tab and then adjust for what I see in the log.

      I start with a catch-all rule that just quick matches any TCP packet with any flag set (with the "Any flag" checkbox) and log it.

      I now see a ton of TCP log entries with just a SYN set so I add another rule above the first to quick match but not log all TCP packets with SYN set (out of SYN).

      I still see all of the same SYN packets being logged by the all flags rule.

      Does quick not allow for TCP flags?
      Does quick not exclude processing by a subsequent rule?

      I can't figure out if this is a bug or if I have my firewall concepts wrong.

      Here are the relevant rules in the relevant order:

      
match quick inet proto tcp all flags S/S label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any S flags"
match quick inet6 proto tcp all flags S/S label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any S flags"
match log quick on em1 inet proto tcp all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any any flags"
match log quick on em0 inet proto tcp all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any any flags"
match log quick on ue0 inet proto tcp all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any any flags"
match log quick on openvpn inet proto tcp all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any any flags"
match log quick on em1 inet6 proto tcp all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any any flags"
match log quick on em0 inet6 proto tcp all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any any flags"
match log quick on ue0 inet6 proto tcp all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any any flags"
match log quick on openvpn inet6 proto tcp all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any any flags"

      Actually now I see that it seems like checking the "All Flags" button doesn't put any flags in the rules…
      Also, I tried to create another rule with just FIN (out of FIN) flags but left the protocol as "Any" and it allowed the rule to be created but no flags were specified:

      
match log quick on em1 inet all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on em0 inet all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on ue0 inet all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on openvpn inet all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on em1 inet6 all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on em0 inet6 all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on ue0 inet6 all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on openvpn inet6 all label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"

      When I went back in and specified "TCP" protocol it then inserted the F/F flags:

      
match log quick on em1 inet proto tcp all flags F/F label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on em0 inet proto tcp all flags F/F label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on ue0 inet proto tcp all flags F/F label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on openvpn inet proto tcp all flags F/F label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on em1 inet6 proto tcp all flags F/F label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on em0 inet6 proto tcp all flags F/F label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on ue0 inet6 proto tcp all flags F/F label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"
match log quick on openvpn inet6 proto tcp all flags F/F label "USER_RULE: LOG Flags match WAN/LAN/WL1/OVPN any any F flags"

      So there is something definitely wrong with the creation of rules with the "all flags" checkbox, and there is something buggy related to the creation of "any" protocol rules with flags specified as it allows the rules but creates the rules without flags.

      Can anyone tell me how the quick option should work where flags are involved?  Is it possible to exclude processing of subsequent identical rules with other flags?

      I hope this makes sense.

      1 Reply Last reply Reply Quote 0
      • P
        PiBa
        last edited by

        did send a fix for loading the all-flags back in the webgui when editing a rule: https://github.com/pfsense/pfsense/pull/2488

        As for flags on non tcp traffic, and quick on a 'match' rule im not sure if those should be allowed… Pass and Block can be final actions on the traffic, but match i dont think is useful as a last rule.. Might be wrong there.. Also keep in mind that rules are only used if no state exists that is already handling the connection..

        1 Reply Last reply Reply Quote 0
        • First post
          Last post