Default Firewall Rules Log by Default?

Started by PhYrE, Today at 02:15:05 AM

The default firewall rules have a `let out anything from firewall host itself` and `let out anything from firewall host itself (force gw)`.  These have logging on by default (Firewall | Settings | Advanced | Logging -> Log packets matched from the default pass rules).

Is there any reason this is on by default?  Is there any reason this should stay on (or be on by default)?
Is the best choice to turn off this log once we know things are working?
Is the best choice just to add a manually-placed explicit rule that does the same thing but without logging?

If I understand correctly, this will effectively log every connection out from OPNsense, at a period where the docs say that there is limited log space available. 

Is there any way to just make these still log but log to memory?  I'm fine with the logging, but don't want to wear out the SSD with writes.

Any guidance is appreciated.  Just surprised such a log heavy option was on by default.

Logging is up to you. I prefer to log everything... almost. pf's in-and-out traversal logging is a bit odd, so I've tried limiting that a bit.

As to your SSD, here's mine after about 10 months of use:

=== START OF SMART DATA SECTION ===
[...]
Data Units Read:                    71,275 [36.4 GB]
Data Units Written:                1,866,966 [955 GB]
[...]

This is on a link with static IPs (and associated public servers), so it runs 200-5000 active sessions. Note that I do not run an IPS. Some folks have seen much higher write loads. I keep 200 log files, and they're practically unsearchable (very slow). I need to look at the ZFS compression settings, because the file system appears to be unbelievably well compressed.

Quote from: pfry on Today at 02:47:00 AM
Logging is up to you. I prefer to log everything

In my opinion, it doesn't make sense to log that my OPNsense connected to my DNS recursor on UDP port 53. That only clutters up things and makes the logs harder to filter.

That being said, it doesn't look like my OPNsense allows me to turn off the Log feature on the automatically created "let out anything from firewall host itself" rule (no hover text when I hover over the "i"), and since it's an automatically created rule that is early in my WAN rule set, I also cannot put in an earlier rule allowing outgoing DNS without logging.

How do I get rid of that log entry avalanche?

Greetings
Marc
Marc 'Zugschlus' Haber - St. Ilgen, Germany
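Before deciding whether to switch off "Log packets matched from the default pass rules", it helps to measure how much of the log the default pass-out rule actually produces. The script below is an added example, not code from the thread or from OPNsense; it assumes the pf filterlog CSV layout (rulenr,subrulenr,anchor,label,iface,reason,action,dir,ipver,...) and the sample lines in it are constructed, not real logs.

```python
"""Summarise pf filterlog lines by rule number, protocol and destination port.

Assumption: the CSV layout after "filterlog[pid]: " is the one used by
FreeBSD/OPNsense filterlog (IPv4: ...,proto-id,proto-name,length,src,dst,
sport,dport,...; IPv6: ...,proto-name,proto-id,length,src,dst,sport,dport,...).
"""
from collections import Counter
import re

# Constructed sample: three pass/out entries from rule 65 (the firewall host
# itself talking out, two of them DNS on UDP/53) and one blocked inbound SSH probe.
SAMPLE_LOG = """\
Jan 10 02:15:01 fw filterlog[811]: 65,,,0,igb0,match,pass,out,4,0x0,,64,0,0,DF,17,udp,60,203.0.113.10,198.51.100.53,51000,53,40
Jan 10 02:15:01 fw filterlog[811]: 65,,,0,igb0,match,pass,out,4,0x0,,64,0,0,DF,17,udp,61,203.0.113.10,198.51.100.53,51001,53,41
Jan 10 02:15:02 fw filterlog[811]: 65,,,0,igb0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,198.51.100.7,44000,443,0,S,1,,65535,,mss
Jan 10 02:15:03 fw filterlog[811]: 5,,,1000000103,igb0,match,block,in,4,0x0,,50,0,0,none,6,tcp,60,192.0.2.9,203.0.113.10,55555,22,0,S,1,,65535,,mss
"""

def parse_filterlog_line(line):
    """Return a dict for one filterlog line, or None if the line is not one."""
    m = re.search(r"filterlog\[\d+\]: (.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    rec = {"rulenr": f[0], "label": f[3], "iface": f[4],
           "action": f[6], "dir": f[7], "ipver": f[8]}
    if rec["ipver"] == "4":
        proto, base = f[16], 20          # ports follow the IPv4 dst address
        rec["src"], rec["dst"] = f[18], f[19]
    else:
        proto, base = f[12], 17          # IPv6 header has fewer fields
        rec["src"], rec["dst"] = f[15], f[16]
    rec["proto"] = proto
    has_ports = proto in ("tcp", "udp") and len(f) > base + 1
    rec["dport"] = f[base + 1] if has_ports else None
    return rec

def summarise(text):
    """Count entries per (action, direction, rulenr, proto, dport)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_filterlog_line(line)
        if rec:
            counts[(rec["action"], rec["dir"], rec["rulenr"],
                    rec["proto"], rec["dport"])] += 1
    return counts

def noise_share(counts, action="pass", direction="out"):
    """Fraction of all entries produced by one action/direction pair."""
    total = sum(counts.values())
    hit = sum(n for (a, d, *_), n in counts.items() if a == action and d == direction)
    return hit / total if total else 0.0

if __name__ == "__main__":
    c = summarise(SAMPLE_LOG)
    for key, n in c.most_common():
        print(n, key)
    print(f"pass/out share of the log: {noise_share(c):.0%}")
```

Run it over a real `/var/log/filter/*.log` extract instead of the constructed sample; if the pass/out rows dominate, that is the traffic the default pass-rule logging option is adding.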

As @pfry said: "logging is up to you", yet the default is that everything is logged. While it is true that this eats through SSDs, it also assures that you can see what is going on. Often enough, newbies wonder why they do not see the results of their rules, either because they do not enable logging in their own rules or because the default block rule does not log it.

In order to track down the results of your rules, you must make sure that you can trace the packets involved. Once you have reached a stable state, YMMV.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: Zugschlus on Today at 09:09:30 AM
[...]
How do I get rid of that log entry avalanche?

Heh. Re-read the initial post.