24.7.6/24.10 BE duplicate filterlog entries

Started by Steve, October 18, 2024, 04:04:15 PM

Just started upgrading our devices to 24.7.6/24.10 BE from 24.1.10/24.4.3 BE, and since the upgrade I've noticed I'm getting duplicate filterlog entries on the 2 devices I've upgraded so far:
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,61522,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,12885,0,S,239732202,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,61522,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,12885,0,S,239732202,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,62024,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,13388,0,S,4074003440,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,62024,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,13388,0,S,4074003440,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,24880,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,53637,0,S,3214463445,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,24880,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,53637,0,S,3214463445,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,64047,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,50387,0,S,4103569185,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,64047,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,50387,0,S,4103569185,,1024,,

This is from the WebUI, also getting duplicate messages sent to syslog server where I initially noticed the log volume double. So far it appears to only be duplicating log entries for blocked traffic.

Thanks. -Steve
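One way to quantify the duplication described above on a syslog collector (and to collapse it until the pf-side fix lands) is to key each entry on the packet itself rather than on the rule: the posted pairs share the same IP id and TCP sequence number, which two genuine SYN retransmits from the same 4-tuple normally would not. The script below is an added example, not code from OPNsense or FreeBSD; it assumes the filterlog CSV field order visible in the posted lines and the `<timestamp> <severity> filterlog ` syslog prefix, and the eight sample lines are the ones from the post above, with addresses masked as the poster masked them.

```python
"""Collapse duplicate pf filterlog entries and count the drops per action.

Added example; not code from the OPNsense or FreeBSD projects. Assumes the
filterlog CSV layout visible in the posted lines: rule number, sub-rule,
anchor, rule id, interface, reason, action, direction, IP version, then the
per-IP-version and per-protocol fields.
"""
import re
from collections import Counter

# Constructed sample input: the eight lines quoted in the post above.
SAMPLE_LOG = """\
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,61522,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,12885,0,S,239732202,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,61522,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,12885,0,S,239732202,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,62024,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,13388,0,S,4074003440,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,62024,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,13388,0,S,4074003440,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,24880,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,53637,0,S,3214463445,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,24880,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,53637,0,S,3214463445,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,64047,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,50387,0,S,4103569185,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,64047,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,50387,0,S,4103569185,,1024,,
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sev>\S+)\s+filterlog\s+(?P<csv>.*)$")


def parse_filterlog(line):
    """Parse one syslog-style filterlog line into a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    try:
        rec = {
            "ts": m.group("ts"), "rulenr": f[0], "subrulenr": f[1], "anchor": f[2],
            "rid": f[3], "interface": f[4], "reason": f[5], "action": f[6],
            "dir": f[7], "ipver": f[8],
        }
        if rec["ipver"] == "4":
            # IPv4 fields: tos, ecn, ttl, id, offset, flags, proto number, proto name,
            # length, src, dst (matches the posted lines)
            rec.update(ttl=f[11], ipid=f[12], proto=f[16], length=f[17], src=f[18], dst=f[19])
            rest = f[20:]
        elif rec["ipver"] == "6":
            # IPv6 fields, assumed from the documented filterlog layout (none in the sample):
            # class, flow label, hop limit, proto name, proto number, length, src, dst
            rec.update(ttl=f[11], ipid="", proto=f[12], length=f[14], src=f[15], dst=f[16])
            rest = f[17:]
        else:
            return None
        if rec["proto"] in ("tcp", "udp"):
            # sport, dport, data length; TCP then adds flags, seq, ack, window, urg, options
            rec.update(sport=rest[0], dport=rest[1], datalen=rest[2])
            if rec["proto"] == "tcp":
                rec.update(tcpflags=rest[3], seq=rest[4])
    except IndexError:
        return None
    return rec


def packet_key(rec):
    """Identity of the logged packet, not just of the rule that matched it.

    IP id and TCP seq are included so that a real retransmit from the same
    4-tuple (new IP id, usually same seq) is not mistaken for a double log.
    """
    return (rec["rid"], rec["interface"], rec["action"], rec["dir"], rec["src"], rec["dst"],
            rec.get("sport"), rec.get("dport"), rec.get("ipid"), rec.get("seq"))


def collapse_duplicates(lines, window_stamps=2):
    """Return (kept_lines, dropped_per_action) with re-logged packets removed.

    Keys are remembered only for the last `window_stamps` distinct timestamps,
    so memory stays bounded on a live stream while a pair that straddles a
    second boundary is still caught.
    """
    recent = {}  # timestamp -> set of packet keys seen at that timestamp
    kept, dropped = [], Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None:  # not a filterlog line, or an unknown layout: pass through untouched
            kept.append(line)
            continue
        ts = rec["ts"]
        if ts not in recent:
            recent[ts] = set()
            while len(recent) > window_stamps:  # dicts keep insertion order: prune the oldest
                del recent[next(iter(recent))]
        key = packet_key(rec)
        if any(key in keys for keys in recent.values()):
            dropped[rec["action"]] += 1
            continue
        recent[ts].add(key)
        kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = collapse_duplicates(SAMPLE_LOG.splitlines())
    print(f"kept {len(kept)} entries, dropped per action: {dict(dropped)}")
```

Running it over the sample keeps four of the eight entries and reports all four drops under `block`; fed a whole day of syslog it gives a per-action breakdown, which is the quickest way to confirm the observation that only blocked traffic is being double-logged.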

This is an intentional change because the logging is not doing the right thing when states are dropped due to "max states" limit in the packet filter. The whole logging in pf needs a makeover in FreeBSD which is what we will probably work on in the near future.


Cheers,
Franco

Thanks for the confirmation.

If you're going to be in the guts of pf logging, any way we could get source/destination mac addresses added to the logs?

Thanks. -Steve

Someone started adding layer 2 support to pf as separate rules but it being a layer 3 design from the ground up I'm not sure that information is actually provided. Certainly not in the accompanying pflog struct :)


Cheers,
Franco