OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: fraenki on October 27, 2015, 11:43:41 am

Title: Firewall log: limits? delays? missing entries?
Post by: fraenki on October 27, 2015, 11:43:41 am
Hi,

I've been debugging a rather simple application issue and was using the GUI Logs Status -> System logs -> Firewall. But there haven't been any blocked packets regarding our application. So I started digging deeper and used tcpdump on both ends...

Once I've started using the CLI on the firewall to debug it even further I've finally noticed some blocked packets:

Code:
# tcpdump -n -e -ttt -i pflog0
00:00:00.000000 rule 3..16777216/0(match): block in on enc0: XXX.46799 > YYY.58459: Flags [S], seq 2685257746, win 29200, options [mss 1460,sackOK,TS val 1598981567 ecr 0,nop,wscale 7], length 0

Note that this traffic is on enc0 and is routed through an IPsec tunnel.

And I've starting wondering... why didn't this show up on the GUI in the first place? Several questions/thoughts on this:


I've wasted a lot of time on this and would like to understand how to prevent this in the future.  :D

- Frank
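An added example (not code from this thread or from OPNsense) that parses the pflog0 tcpdump line shown above, so blocked packets on a given interface such as enc0 can be picked out of a capture and compared against what the GUI shows. It assumes tcpdump was run with -n (numeric endpoints) and uses constructed sample lines with documentation-range addresses in place of the redacted XXX / YYY hosts.

```python
import re

# One pflog record as printed by "tcpdump -n -e -ttt -i pflog0" (-n: no name
# resolution, so endpoints are numeric addresses with an optional ".port").
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>[\d.]+)/(?P<subrule>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

def split_host_port(token):
    """Split 'addr.port' the way tcpdump prints it; ICMP lines carry no port."""
    host, dot, last = token.rpartition(".")
    if ":" in token:  # IPv6 literal: any trailing .N is the port
        return (host, int(last)) if dot and last.isdigit() else (token, None)
    if token.count(".") == 4 and last.isdigit():  # dotted quad plus port
        return host, int(last)
    return token, None

def parse_pflog_line(line):
    """Return the pflog fields as a dict, or None if the line is not a pflog record."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "3..16777216" is the rule number followed by anchor sub-rule fields; the
    # leading integer is the index into the loaded ruleset (see /tmp/rules.debug).
    rec["rule_num"] = int(rec["rule"].split(".")[0])
    rec["src"], rec["sport"] = split_host_port(rec["src"])
    rec["dst"], rec["dport"] = split_host_port(rec["dst"])
    flags = re.search(r"Flags \[([^\]]*)\]", rec["rest"])
    rec["flags"] = flags.group(1) if flags else None
    return rec

def blocked_on(lines, iface):
    """Records that pf blocked on one interface, e.g. enc0 for IPsec traffic."""
    recs = (parse_pflog_line(ln) for ln in lines)
    return [r for r in recs if r and r["action"] == "block" and r["iface"] == iface]

# Constructed sample capture in the shape of the thread's pflog0 line, with
# documentation-range addresses standing in for the redacted XXX / YYY hosts.
SAMPLE = [
    "00:00:00.000000 rule 3..16777216/0(match): block in on enc0: 192.0.2.10.46799 > 198.51.100.20.58459: Flags [S], seq 2685257746, win 29200, options [mss 1460,sackOK,TS val 1598981567 ecr 0,nop,wscale 7], length 0",
    "00:00:00.001200 rule 7/0(match): pass in on em0: 192.0.2.11.51000 > 198.51.100.20.443: Flags [S], seq 1, win 65535, length 0",
    "00:00:00.002500 rule 12/0(match): block in on em0: 192.0.2.12 > 198.51.100.20: ICMP echo request, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    for r in blocked_on(SAMPLE, "enc0"):
        print(r["ts"], "rule", r["rule_num"], r["src"], r["sport"], "->", r["dst"], r["dport"], r["flags"])
```

Feed it the output of the tcpdump command above (one line per record) to list every block on enc0 with its rule index, then check that index against the rule the GUI log attributes the traffic to.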
Title: Re: Firewall log: limits? delays? missing entries?
Post by: franco on October 31, 2015, 01:21:06 pm
I think it only filters in about 5000 entries which are generated by a custom utility called filterlog. Maybe it got lost or isn't seen by the utility. There could also be a bypass in the pf.conf template or it doesn't honour the block log flag. Can you send me a /tmp/rules.debug via PM?

It may also be worth checking out diag_logs_settings.php for details on what gets logged.