OPNsense Forum

English Forums => General Discussion => Topic started by: jmc on September 20, 2017, 06:00:55 pm

Title: Firewall logs
Post by: jmc on September 20, 2017, 06:00:55 pm
Hi, I'm new to this forum and new to OPNsense.

I have an OPNsense firewall up and running with several subnets attached. On one of the subnets, OPT3, I opened up all outbound ports to get it up and running, and I am now starting the process of locking down the firewall. I started with the rules to allow the ports for my pool controller, but I wanted to see what the logs looked like before implementing the rule.

I can control my pool from my phone and my browser on separate networks, so I know packets are getting in and out. I can see the packets from the controller to the internet in Wireshark. But I can't see the packets in my firewall logs. The only rule I have enabled atm is an OPT3net to any.

Under my firewall logs I see no entries with the pool controller as IP source or destination.

I can see entries from the other devices attached to that subnet.

Any help would be appreciated.  This is driving me crazy.

Thanks in advance.

Title: Re: Firewall logs
Post by: chemlud on September 20, 2017, 06:49:19 pm
By default, rules don't log. But you can enable the log function on the config page of the respective rule. But you don't want to log each packet allowed by your any-any rule. Fills up your HDD (SD card?) with no benefit at all.

You can have a specific allow rule to one port, e.g. (disable the allow any-any rule), and then logging makes sense....

PS: Opening ports from the outside to have access to IoT devices is never a clever solution. Establish a VPN tunnel to your network in question and you are much better off...
Title: Re: Firewall logs
Post by: fabian on September 20, 2017, 06:54:40 pm
In the logging settings you can set whether the default block rules should log etc. You may not have configured it, or misconfigured it. The log looks like a lot of data joined by a comma (",").

To read it, you may use a library - for example, I wrote this one for logstash: https://rubygems.org/gems/logstash-filter-opnsensefilter
You can find the source code for this library here: https://github.com/fabianfrz/logstash-filter-opnsensefilter/blob/master/lib/logstash/filters/opnsensefilter.rb

Here is the OPNsense internal function:
https://github.com/opnsense/core/blob/master/src/etc/inc/filter_log.inc#L148
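As an added example (not part of this thread, and not fabian's gem or the OPNsense filter_log.inc code), here is a small Ruby parser for the comma-joined filterlog lines fabian describes, plus a helper that pulls out every entry where one host is the source or destination, which is the check jmc wanted for the pool controller. The field layout is assumed from the FreeBSD pf filterlog format (common fields, then IPv4 or IPv6 fields, then TCP or UDP fields); the log lines, interface name em3 and rule ids are constructed for the example.

```ruby
# Added example: parse OPNsense/pf "filterlog" payloads (the text after "filterlog: "
# in the syslog line). Field order assumed from the FreeBSD pf filterlog layout.
COMMON_FIELDS = %w[rulenr subrulenr anchorname rid interface reason action dir ipversion].freeze
IPV4_FIELDS   = %w[tos ecn ttl id offset flags protoid protoname length src dst].freeze
IPV6_FIELDS   = %w[class flowlabel hlim protoname protoid length src dst].freeze
TCP_FIELDS    = %w[srcport dstport datalen tcpflags seq ack window urg options].freeze
UDP_FIELDS    = %w[srcport dstport datalen].freeze

# Parse one filterlog payload into a Hash of field name => String.
# Returns nil when the line is too short or has an unknown IP version.
def parse_filterlog(line)
  parts = line.strip.split(",", -1) # -1 keeps trailing empty fields
  return nil if parts.length < COMMON_FIELDS.length

  rec = Hash[COMMON_FIELDS.zip(parts.shift(COMMON_FIELDS.length))]
  ip_fields = case rec["ipversion"]
              when "4" then IPV4_FIELDS
              when "6" then IPV6_FIELDS
              else return nil
              end
  return nil if parts.length < ip_fields.length
  rec.merge!(Hash[ip_fields.zip(parts.shift(ip_fields.length))])

  # Transport-layer fields depend on the protocol name; other protocols get none.
  proto_fields = case rec["protoname"]
                 when "tcp" then TCP_FIELDS
                 when "udp" then UDP_FIELDS
                 else []
                 end
  rec.merge!(Hash[proto_fields.zip(parts.shift(proto_fields.length))])
  rec
end

# All parsed entries where `host` is the source or destination address,
# optionally restricted to one interface (e.g. the OPT3 interface).
def entries_for_host(lines, host, interface: nil)
  lines.map { |l| parse_filterlog(l) }.compact.select do |r|
    (r["src"] == host || r["dst"] == host) && (interface.nil? || r["interface"] == interface)
  end
end

# Constructed sample lines (not real captures): a logged TCP pass, a UDP block,
# and an IPv6 UDP pass, all on a hypothetical OPT3 interface named em3.
SAMPLE_LINES = [
  "65,,,1000000103,em3,match,pass,out,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.3.50,203.0.113.10,51234,443,0,S,123456789,,65535,,mss;nop;wscale",
  "8,,,1000000003,em3,match,block,in,4,0x0,,255,0,0,none,17,udp,103,192.168.3.20,224.0.0.251,5353,5353,83",
  "66,,,1000000104,em3,match,pass,out,6,0x00,00000,64,udp,17,40,fd00::50,2001:db8::1,5353,53,40",
].freeze

if __FILE__ == $0
  entries_for_host(SAMPLE_LINES, "192.168.3.50", interface: "em3").each do |r|
    puts "#{r['action']} #{r['dir']} #{r['interface']} #{r['protoname']} " \
         "#{r['src']}:#{r['srcport']} -> #{r['dst']}:#{r['dstport']} (rule #{r['rid']})"
  end
end
```

Running the script prints the single pass entry for 192.168.3.50; if a host you expect to see returns no entries at all, the rule that matches its traffic is not logging, which is the situation described in the first post.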
Title: Re: Firewall logs
Post by: jmc on September 20, 2017, 07:29:39 pm
@ Chemlud

Thanks Chemlud for your response.

I have the rules set to log.

And I am only opening outbound ports, not inbound. The intention is to take out the any-any after I get the rules needed to open up enough outbound to keep the devices working. Is that a bad approach?

Don't have much on the network yet, so I'm just looking at any-any to see what to expect. Don't expect to leave it logging for long.

Title: Re: Firewall logs
Post by: jmc on September 20, 2017, 07:37:45 pm
Thanks fabian for the quick response.

I didn't turn default logging off, so it shouldn't be misconfigured, but they are not configured.

ATM I have been looking at the logs within the GUI. I will try the library.

Still, I would think that with any-any set to log, they would show up in the GUI under Firewall: Log Files: Normal View, and they don't.