I'm noticing many log entries denying traffic between my Home Assistant VM (192.168.86.26) and Google Home Mini devices (192.168.84.110 and 192.168.84.100):
<134>1 2024-01-01T21:34:46-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283486"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4470,0,DF,6,tcp,180,192.168.86.26,192.168.84.110,38328,8009,128,PA,2383448238:2383448366,1396268932,501,,nop;nop;TS
<134>1 2024-01-01T21:34:46-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283487"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4471,0,DF,6,tcp,180,192.168.86.26,192.168.84.110,38328,8009,128,PA,2383448238:2383448366,1396268932,501,,nop;nop;TS
<134>1 2024-01-01T21:34:47-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283488"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4472,0,DF,6,tcp,180,192.168.86.26,192.168.84.110,38328,8009,128,PA,2383448238:2383448366,1396268932,501,,nop;nop;TS
<134>1 2024-01-01T21:34:47-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283490"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4473,0,DF,6,tcp,180,192.168.86.26,192.168.84.110,38328,8009,128,PA,2383448238:2383448366,1396268932,501,,nop;nop;TS
<134>1 2024-01-01T21:34:48-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283491"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4474,0,DF,6,tcp,180,192.168.86.26,192.168.84.110,38328,8009,128,PA,2383448238:2383448366,1396268932,501,,nop;nop;TS
<134>1 2024-01-01T21:34:50-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283494"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4475,0,DF,6,tcp,180,192.168.86.26,192.168.84.110,38328,8009,128,PA,2383448238:2383448366,1396268932,501,,nop;nop;TS
<134>1 2024-01-01T21:34:53-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283506"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4476,0,DF,6,tcp,180,192.168.86.26,192.168.84.110,38328,8009,128,PA,2383448238:2383448366,1396268932,501,,nop;nop;TS
<134>1 2024-01-01T21:34:56-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283512"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4477,0,DF,6,tcp,307,192.168.86.26,192.168.84.110,38328,8009,255,FPA,2383448366:2383448621,1396268932,501,,nop;nop;TS
<134>1 2024-01-01T21:34:59-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283529"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4478,0,DF,6,tcp,435,192.168.86.26,192.168.84.110,38328,8009,383,FPA,2383448238:2383448621,1396268932,501,,nop;nop;TS
<134>1 2024-01-01T21:35:12-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283612"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4479,0,DF,6,tcp,435,192.168.86.26,192.168.84.110,38328,8009,383,FPA,2383448238:2383448621,1396268932,501,,nop;nop;TS
<134>1 2024-01-01T21:35:21-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283643"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4480,0,DF,6,tcp,52,192.168.86.26,192.168.84.110,38328,8009,0,A,,1396268932,501,,nop;nop;TS
<134>1 2024-01-01T21:35:39-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283674"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4481,0,DF,6,tcp,435,192.168.86.26,192.168.84.110,38328,8009,383,FPA,2383448238:2383448621,1396268932,501,,nop;nop;TS
<134>1 2024-01-01T21:36:07-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283725"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4482,0,DF,6,tcp,52,192.168.86.26,192.168.84.110,38328,8009,0,A,,1396268932,501,,nop;nop;TS
<134>1 2024-01-01T21:36:11-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283732"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.86.26,192.168.84.100,42176,8009,0,R,1183885780,,0,,
<134>1 2024-01-01T21:36:51-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283859"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.86.26,192.168.84.110,38328,8009,0,R,2383448238,,0,,
<134>1 2024-01-01T21:37:36-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283965"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.86.26,192.168.84.110,38328,8009,0,R,2383448238,,0,,
<134>1 2024-01-01T21:38:13-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="284062"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.86.26,192.168.84.100,42176,8009,0,R,1183885780,,0,,
<134>1 2024-01-01T21:38:22-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="284095"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.86.26,192.168.84.110,38328,8009,0,R,2383448238,,0,,
<134>1 2024-01-01T21:39:06-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="284217"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.86.26,192.168.84.110,38328,8009,0,R,2383448238,,0,,
<134>1 2024-01-01T21:39:52-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="284308"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.86.26,192.168.84.110,38328,8009,0,R,2383448238,,0,,
The number of related log entries is in the thousands in just the last couple of days. I am not sure what's causing this; moreover, it's making it a bit difficult to analyze the logs for blocked traffic.
Do you know what's causing this traffic to be blocked? If this is something that can be ignored, is it possible to prevent the rule from triggering and/or logging?
Out of state traffic. (See the TCP flags). You can disable the logging for the default rules.
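What reading the TCP flags looks like in practice, as an added example that is not part of the thread: a bare SYN opens a connection and creates firewall state, so a blocked packet carrying only PA, FPA, A or R had no state entry to match. The field positions follow the IPv4/TCP layout of the log lines above; the function names and the last sample line (flag S) are constructed for illustration.

```python
from collections import Counter

# Positions in the comma-separated filterlog payload for an IPv4/TCP record.
ACTION, IPVER, PROTO, SRC, DST, DPORT, FLAGS = 6, 8, 16, 18, 19, 21, 23

# First three lines are copied from the post above; the last one (flag "S")
# is constructed here to show a blocked new connection for contrast.
SAMPLE = [
    '<134>1 2024-01-01T21:34:46-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283486"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4470,0,DF,6,tcp,180,192.168.86.26,192.168.84.110,38328,8009,128,PA,2383448238:2383448366,1396268932,501,,nop;nop;TS',
    '<134>1 2024-01-01T21:34:56-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283512"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,4477,0,DF,6,tcp,307,192.168.86.26,192.168.84.110,38328,8009,255,FPA,2383448366:2383448621,1396268932,501,,nop;nop;TS',
    '<134>1 2024-01-01T21:36:11-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="283732"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.86.26,192.168.84.100,42176,8009,0,R,1183885780,,0,,',
    '<134>1 2024-01-01T21:40:00-05:00 OPNsense.lan filterlog 69404 - [meta sequenceId="0"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igc0,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.86.50,192.168.84.110,40000,8009,0,S,1000,,64240,,mss;sackOK;TS;nop;wscale',
]

def parse(line):
    """Return the fields of a blocked IPv4/TCP filterlog line, else None."""
    if " filterlog " not in line or "] " not in line:
        return None
    f = line.split("] ", 1)[1].split(",")
    if len(f) <= FLAGS or f[IPVER] != "4" or f[PROTO] != "tcp" or f[ACTION] != "block":
        return None
    return {"src": f[SRC], "dst": f[DST], "dport": int(f[DPORT]), "flags": f[FLAGS]}

def classify(flags):
    """A bare SYN opens a connection; anything else needs existing state."""
    if "S" in flags and "A" not in flags:
        return "new-connection"
    return "out-of-state"

def summarize(lines):
    """Count blocked TCP packets per (src, dst, dport, kind)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[(rec["src"], rec["dst"], rec["dport"], classify(rec["flags"]))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Run over an exported log, the `new-connection` rows are the blocked connection attempts; the `out-of-state` rows are the kind of entries posted above.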
Is this an automatically generated rule? If so, it does not appear I can edit it.
https://imgur.com/a/2hudnTu
I believe I found the setting (see link below) related to this rule. I wonder if disabling this option will have an adverse effect, preventing useful blocked entries from being recorded?
https://imgur.com/a/1cl64HG
Yes, that is the GUI to disable the default deny logging. As for side effects, depends on what you consider to be useful. ;D
It would be good for me to know what's getting blocked where the source and destination are not internal. For example, LAN to WAN and WAN to LAN blocked packets would be good to log. Is this possible?
Not in a way that would not produce the exact same log noise, just from a different block rule.
Is the logging for every automatically generated rule (a count of 18+ rules) controlled by those two settings?
Log packets matched from the default block rules put in the ruleset
Log packets matched from the default pass rules put in the ruleset
Yes. The idea is to only enable it for diagnostics. Otherwise it's too noisy.
Sounds good. I'll disable them. Thank you doktornotor and cookiemonster for your help.