OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: Steve on October 18, 2024, 04:04:15 PM

Title: 24.7.6/24.10 BE duplicate filterlog entries
Post by: Steve on October 18, 2024, 04:04:15 PM
Just started upgrading our devices to 24.7.6/24.10 BE from 24.1.10/24.4.3 BE, and since the upgrade I've noticed I'm getting duplicate filterlog entries on the 2 devices I've upgraded so far:
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,61522,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,12885,0,S,239732202,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,61522,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,12885,0,S,239732202,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,62024,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,13388,0,S,4074003440,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,62024,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,13388,0,S,4074003440,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,24880,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,53637,0,S,3214463445,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,24880,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,53637,0,S,3214463445,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,64047,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,50387,0,S,4103569185,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,64047,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,50387,0,S,4103569185,,1024,,

This is from the WebUI; I'm also getting duplicate messages sent to the syslog server, where I initially noticed the log volume double. So far it appears to only be duplicating log entries for blocked traffic.

Thanks.    -Steve
Title: Re: 24.7.6/24.10 BE duplicate filterlog entries
Post by: franco on October 18, 2024, 07:27:37 PM
This is an intentional change because the logging is not doing the right thing when states are dropped due to the "max states" limit in the packet filter. The whole logging in pf needs a makeover in FreeBSD, which is what we will probably work on in the near future.


Cheers,
Franco
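
Added example, not part of the thread and not OPNsense code: for a syslog consumer that sees the doubled volume described above, this collapses adjacent byte-identical filterlog entries and counts the surplus copies per pf action, which lets you check whether only blocked traffic is affected. The sample entries, rule IDs and addresses are constructed; the field positions are read off the lines quoted in the first post.

```python
import csv
from collections import Counter
from itertools import groupby

# Constructed sample in the exported layout quoted in the first post:
# "<timestamp> <severity> filterlog <CSV payload>". Rule IDs and the
# documentation-range addresses are made up for this example.
PREFIX = "2024-10-18T09:35:34-04:00 Informational filterlog "
BLOCK_A = PREFIX + ("45,,,00000000000000000000000000000001,igc3,match,block,in,4,0x0,,"
                    "246,61522,0,none,6,tcp,40,192.0.2.10,198.51.100.20,52801,12885,0,S,239732202,,1024,,")
BLOCK_B = PREFIX + ("160,,,00000000000000000000000000000002,igc3,match,block,in,4,0x0,,"
                    "246,62024,0,none,6,tcp,40,192.0.2.10,198.51.100.20,52801,13388,0,S,4074003440,,1024,,")
PASS_C = PREFIX + ("12,,,00000000000000000000000000000003,igc0,match,pass,out,4,0x0,,"
                   "64,1234,0,DF,6,tcp,60,198.51.100.20,192.0.2.10,40000,443,0,S,111111,,65535,,")
SAMPLE = [BLOCK_A, BLOCK_A, BLOCK_B, BLOCK_B, PASS_C]

ACTION = 6  # 7th CSV field in the quoted lines: "block" / "pass"


def parse(line):
    """Split one exported line into (timestamp, raw payload, CSV fields)."""
    ts, _severity, proc, payload = line.split(" ", 3)
    if proc != "filterlog":
        raise ValueError("not a filterlog line: %r" % line)
    return ts, payload, next(csv.reader([payload]))


def collapse(lines):
    """Merge runs of adjacent entries with identical timestamp and payload.

    Only adjacent exact copies are merged, so two distinct packets (which
    differ in IP id, port or sequence number) are never folded together.
    Returns a list of (copies, timestamp, fields).
    """
    parsed = (parse(l) for l in lines if l.strip())
    merged = []
    for (ts, _payload), run in groupby(parsed, key=lambda p: (p[0], p[1])):
        run = list(run)
        merged.append((len(run), ts, run[0][2]))
    return merged


def surplus_by_action(lines):
    """Count extra copies (beyond the first) per pf action."""
    surplus = Counter()
    for copies, _ts, fields in collapse(lines):
        surplus[fields[ACTION]] += copies - 1
    return surplus
```

Run `surplus_by_action` over an export from before and after the upgrade to quantify the change before adjusting SIEM alert thresholds or ingestion budgets that count block events.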
Title: Re: 24.7.6/24.10 BE duplicate filterlog entries
Post by: Steve on October 18, 2024, 10:46:00 PM
Thanks for the confirmation.

If you're going to be in the guts of pf logging, any way we could get source/destination MAC addresses added to the logs?

Thanks.     -Steve
Title: Re: 24.7.6/24.10 BE duplicate filterlog entries
Post by: franco on October 21, 2024, 09:21:03 AM
Someone started adding layer 2 support to pf as separate rules, but it being a layer 3 design from the ground up, I'm not sure that information is actually provided. Certainly not in the accompanying pflog struct :)


Cheers,
Franco