Messages

1

General Discussion / Re: Log traffic only without pass/block/reject

« on: February 28, 2023, 11:11:52 am »

Hi Dennis,

thx for your response and sorry for name mismatch

I've tried your suggestion but it does not work with action "pass" and "quick" disabled.

Here is my example rule:
- Floating Rule for logging but not blocking suspicious traffic only:

Code: [Select]

action: pass, src: any, dst: 8.8.8.8, log: yes, quick:no8.8.8.8 is just an example here but it's fine for testing if DNS to Google is not allowed per default on your clients.

The result now is that this rule allows everything to 8.8.8.8.
You can test with "telnet 8.8.8.8 53".
Unfortunately that is not the desired behaviour.

What I wanted to accomplish is that I want to log only that traffic but don't allow more than allowed for other external IPs on the firewall.

Thank you,
Christoph

2

General Discussion / Re: Log traffic only without pass/block/reject

« on: February 27, 2023, 11:21:09 am »

Hello Dennis,

thx, "deny" and "log" works as you menteiond but "pass" and "log" is not the same as "log only".
The "pass" action allows potentielly more than the total ruleset does.

Christoph

3

General Discussion / Re: Log traffic only without pass/block/reject

« on: February 27, 2023, 10:04:25 am »

sorry, I just tested it again and it does not work as desired with "pass" and "quick".

I've created a floating rule with
- action: pass
- quick: off
- source: any
- destination: specific suspicious ip

The problem is that this rule allows all traffic to "specific ip" wheres a "log only"/match rule would not allow anything additional on the firewall.

So, I don't have a solution for "log only" at the moment.
Anymore ideas?

Thank you,
Christoph

4

General Discussion / Re: Log traffic only without pass/block/reject

« on: February 27, 2023, 09:49:28 am »

ok, I think if I combine "pass" with "quick" disabled, I can accomplish what I want to do.

I was actually unsure if I could potentially allow too much with "pass" so I would have preferred a "log only" action.

My intention is to use a blocklist and only log suspicious activity.
I really wanted to avoid a pass for a blocklist.

Christoph

5

General Discussion / Re: Log traffic only without pass/block/reject

« on: February 27, 2023, 08:51:01 am »

Hi Dennis,

thx for your answer.

What I'm searching for is to log the traffic only without applying a "pass/block/recject" action.

I've found the following "match" action in the pfsense docs.
https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html#match-action

Thank you,
Christoph

6

General Discussion / Log traffic only without pass/block/reject

« on: February 23, 2023, 09:34:22 pm »

Hi,

Is there a way to accomplish the following iptables-Rule with OPNsense?

Code: [Select]

iptables -A FORWARD -d 192.168.10.0/24 -j LOG --log-prefix '** SUSPECT **'
I'm unsure if "Set local tag"/"Match local tag" together with quick could help.
The "match" action as on pfsense does not seem to be available.

Thank you,
Christoph

7

21.1 Legacy Series / check_icmp with source address not working after Upgrade to 21.1

« on: April 09, 2021, 11:06:02 pm »

Hello,

today I tried to upgrade from 20.7 to 21.1.

I noticed a problem with the existing NRPE check "check_icmp" installed by os-nrpe.
With 21.1 setting a source address fails.

# /usr/local/libexec/nagios/check_icmp -H 10.10.10.1 -s 10.10.100.1
check_icmp: Cannot bind to IP address 10.10.100.1: Socket operation on non-socket
# /usr/local/libexec/nagios/check_icmp -H 10.10.10.1 -s em2
check_icmp: Cannot determine IP address of interface em2: Inappropriate ioctl for device

Any idea how that could be fixed?

Thank you,
Christoph