OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: datenimperator on February 14, 2017, 11:15:58 am

Title: Blocked traffic from LAN
Post by: datenimperator on February 14, 2017, 11:15:58 am
Hi,

I've started to use Graylog to analyze OPNsense logs and others, and it occurred to me that lots of blocked traffic originates from our local LAN. This puzzles me since our LAN has exactly those 3 rules:


Why is traffic from LAN blocked on our firewall?

Regards

Christian

PS: Where do I find documentation on the log format OPNsense uses? Read: it logs a number of values separated with commas. Where can I find the attribute names?
Title: Re: Blocked traffic from LAN
Post by: bartjsmit on February 14, 2017, 11:19:39 am
Can you correlate the blocked traffic with any internal sources? Perhaps it is spoofed traffic from the WAN interface?

Bart...
Title: Re: Blocked traffic from LAN
Post by: datenimperator on February 14, 2017, 11:37:05 am
According to the IP it's from my main workstation. I've seen blocks related to our internal servers, too. Services seem to be functional, though.

The OPNsense firewall summary view lists 5 internal IPv4/IPv6 hosts as most blocked sources, with more than 75% of all incidents. I see lots of blocked attempts for destination port 443/tcp, e.g. the Dropbox client on my local machine. Firewall logs read the TCP proto as TCP:FA for those. What does that mean?

Edit: Regarding the log entries, I found that this is because of the setting "Log packets matched from the default block rules put in the ruleset". Still I do not understand why those are blocked at all. Or, are they?
Title: Re: Blocked traffic from LAN
Post by: bartjsmit on February 14, 2017, 12:03:59 pm
Can you correlate the blocks with any activity (possibly connecting to Dropbox)? Worth running Wireshark to see what (if anything) is getting rejected.

Bart...
Title: Re: Blocked traffic from LAN
Post by: djGrrr on February 14, 2017, 05:51:10 pm
I would guess that these are "invalid" packets being dropped. For example, FIN/ACK packets being sent for connections that are not established / not in the firewall state table.
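As an added example, not posted by anyone in this thread: a small triage script that reads filterlog-style CSV lines and separates blocked TCP entries that are out-of-state teardowns (FIN/RST with no SYN, the TCP:FA case djGrrr describes) from blocks of fresh SYNs, which are the ones that actually indicate a rule refusing a connection. The column positions are an assumption about the filterlog layout and should be checked against your own log; the sample lines are constructed.

```python
import csv
from collections import Counter

# ASSUMED filterlog layout for IPv4 TCP records (verify against a real line):
# 0 rulenr,1 subrulenr,2 anchor,3 tracker,4 interface,5 reason,6 action,7 dir,
# 8 ipversion,9 tos,10 ecn,11 ttl,12 id,13 offset,14 flags,15 protoid,16 proto,
# 17 length,18 src,19 dst,20 srcport,21 dstport,22 datalen,23 tcpflags,...
IDX = {"action": 6, "ipver": 8, "proto": 16, "src": 18, "dst": 19,
       "dport": 21, "tcpflags": 23}

def classify(line):
    """Return (kind, src, dst, dport) for a blocked IPv4 TCP line, else None."""
    f = next(csv.reader([line]))
    if len(f) <= IDX["tcpflags"] or f[IDX["action"]] != "block":
        return None
    if f[IDX["ipver"]] != "4" or f[IDX["proto"]] != "tcp":
        return None
    flags = f[IDX["tcpflags"]]
    if "S" in flags:
        kind = "policy-block"           # SYN present: a connection setup refused by the rules
    elif "F" in flags or "R" in flags:
        kind = "out-of-state-teardown"  # FIN/RST arriving after the state entry is gone
    else:
        kind = "out-of-state-other"     # e.g. a late ACK/PSH for an expired state
    return kind, f[IDX["src"]], f[IDX["dst"]], f[IDX["dport"]]

def summarize(lines):
    """Count blocked TCP entries per (kind, destination port)."""
    counts = Counter()
    for line in lines:
        r = classify(line)
        if r:
            counts[(r[0], r[3])] += 1
    return counts

# Constructed sample: two stale packets to a 443 peer, one refused SYN to 22, one pass.
SAMPLE = """\
9,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.1.20,203.0.113.10,51044,443,0,FA,123,456,1024,,
9,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.1.20,203.0.113.10,51044,443,0,A,124,456,1024,,
12,,,1000000200,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.30,10.0.0.5,40000,22,0,S,1,,65535,,mss
9,,,1000000103,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,203.0.113.10,51045,443,0,S,1,,65535,,mss
""".splitlines()

if __name__ == "__main__":
    for (kind, dport), n in sorted(summarize(SAMPLE).items()):
        print(f"{kind:24s} dport={dport:5s} count={n}")
```

Entries in the policy-block bucket deserve a look at the rule set; the out-of-state buckets are the expected noise of the default block rule logging late segments, which is why "Log packets matched from the default block rules" fills the log with LAN sources.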