Firewall log: limits? delays? missing entries?

Started by fraenki, October 27, 2015, 11:43:41 AM

October 27, 2015, 11:43:41 AM Last Edit: October 27, 2015, 11:45:19 AM by fraenki
Hi,

I've been debugging a rather simple application issue and was using the GUI Logs Status -> System logs -> Firewall. But there haven't been any blocked packets regarding our application. So I started digging deeper and used tcpdump on both ends...

Once I started using the CLI on the firewall to debug it even further, I finally noticed some blocked packets:

# tcpdump -n -e -ttt -i pflog0
00:00:00.000000 rule 3..16777216/0(match): block in on enc0: XXX.46799 > YYY.58459: Flags [S], seq 2685257746, win 29200, options [mss 1460,sackOK,TS val 1598981567 ecr 0,nop,wscale 7], length 0


Note that this traffic is on enc0 and is routed through an IPsec tunnel.

And I've started wondering... why didn't this show up in the GUI in the first place? Several questions/thoughts on this:


  • Is there some sort of limit to how many log entries are processed from within the GUI?
  • Could any rule or configuration prevent those blocked packets from showing up in the (pf/GUI) logs at all?

I've wasted a lot of time on this and would like to understand how to prevent this in the future.  :D

- Frank

I think it only filters in about 5000 entries which are generated by a custom utility called filterlog. Maybe it got lost or isn't seen by the utility. There could also be a bypass in the pf.conf template or it doesn't honour the block log flag. Can you send me a /tmp/rules.debug via PM?

It may also be worth checking out diag_logs_settings.php for details on what gets logged.
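Since the raw pflog0 capture is the ground truth while the GUI view (per the reply above) only keeps a bounded number of filterlog entries, a practical workaround is to save the `tcpdump -n -e -ttt -i pflog0` output and search it directly. The following parser is an added example written for this thread, not code from the original posts or from OPNsense/filterlog; the sample lines are constructed from the line format shown in the first post (timestamp, rule spec, match reason, action, direction, interface, source > destination, TCP decode), with placeholder addresses, and it assumes IPv4 endpoints as tcpdump prints them (address.port, bare address for portless protocols such as ICMP).

```python
"""Summarise blocked packets from `tcpdump -n -e -ttt -i pflog0` output.

Added example for this thread (not OPNsense or filterlog code).  It parses the
pflog line format shown in the first post so that a block on an unexpected
interface such as enc0 can be found even if the GUI log view has rolled past it.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# One pflog record as tcpdump prints it, e.g.
# "00:00:00.000000 rule 3..16777216/0(match): block in on enc0: A.B.C.D.46799 > E.F.G.H.58459: Flags [S], ..."
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\S+?)\((?P<reason>\w+)\):\s+"
    r"(?P<action>\w+)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\S+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)

# Constructed sample capture (placeholder RFC 1918 / documentation addresses).
SAMPLE_LINES = [
    "00:00:00.000000 rule 3..16777216/0(match): block in on enc0: 10.20.0.10.46799 > 192.168.1.50.58459: Flags [S], seq 2685257746, win 29200, options [mss 1460,sackOK,TS val 1598981567 ecr 0,nop,wscale 7], length 0",
    "00:00:00.512331 rule 42/0(match): pass in on em0: 192.168.1.20.51234 > 192.168.1.50.443: Flags [S], seq 1, win 65535, length 0",
    "00:00:01.001002 rule 5/0(match): block in on em1: 203.0.113.7.40000 > 198.51.100.2.22: Flags [S], seq 2, win 1024, length 0",
    "00:00:00.000900 rule 3..16777216/0(match): block in on enc0: 10.20.0.10.46800 > 192.168.1.50.58459: Flags [S], seq 3, win 29200, length 0",
    "00:00:00.300000 rule 5/0(match): block in on em1: 203.0.113.9 > 198.51.100.2: ICMP echo request, id 1, seq 1, length 64",
]


def _split_host_port(endpoint: str) -> Tuple[str, Optional[int]]:
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; portless protocols print
    the bare address.  IPv6 is out of scope for this example (assumption)."""
    if endpoint.count(".") == 4:
        host, _, port = endpoint.rpartition(".")
        return host, int(port)
    return endpoint, None


def parse_pflog_line(line: str) -> Optional[Dict]:
    """Return one parsed pflog record, or None if the line is not a pflog record."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = _split_host_port(m.group("src"))
    dst_host, dst_port = _split_host_port(m.group("dst"))
    return {
        "rule": m.group("rule"),          # pf rule number (anchor rules as "3..16777216/0")
        "reason": m.group("reason"),      # "match", "bad-offset", ... as printed by tcpdump
        "action": m.group("action"),      # "block" or "pass"
        "direction": m.group("dir"),
        "interface": m.group("ifname"),
        "src": src_host, "src_port": src_port,
        "dst": dst_host, "dst_port": dst_port,
        "syn": "Flags [S]" in m.group("rest"),  # new-connection attempt
    }


def blocks_by_interface(lines: List[str]) -> Counter:
    """Count blocked records per interface; a non-zero enc0 count is the case from the post."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block":
            counts[rec["interface"]] += 1
    return counts


def find_blocks_for(lines: List[str], host: str, port: Optional[int] = None) -> List[Dict]:
    """Blocked records involving `host` (as source or destination), optionally narrowed to `port`."""
    hits = []
    for line in lines:
        rec = parse_pflog_line(line)
        if not rec or rec["action"] != "block":
            continue
        if host not in (rec["src"], rec["dst"]):
            continue
        if port is not None and port not in (rec["src_port"], rec["dst_port"]):
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    import sys
    # Feed a saved capture on stdin, otherwise run against the constructed sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES
    for ifname, n in blocks_by_interface(lines).most_common():
        print(f"{ifname}: {n} blocked")
    for rec in find_blocks_for(lines, "192.168.1.50", 58459):
        print(f"{rec['interface']} rule {rec['rule']}: {rec['src']}:{rec['src_port']} -> {rec['dst']}:{rec['dst_port']}")
```

Typical use is `tcpdump -l -n -e -ttt -i pflog0 | python3 pflog_summary.py` (the `-l` keeps tcpdump line-buffered through the pipe), or saving the capture to a file first and replaying it. Comparing the per-interface counts with what the GUI shows is a quick way to tell whether entries are being dropped by the log viewer or never reach pflog at all; in the latter case the rule in /tmp/rules.debug is the place to look, as the reply suggests.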