I don't understand Firewall's Live Log

Started by c-mu, February 18, 2022, 01:11:56 PM

February 18, 2022, 01:11:56 PM Last Edit: February 18, 2022, 01:15:04 PM by c-mu
Hello,
I do not understand the live log. I see all sorts of information there, but when I specifically want to investigate a case for which there is a firewall rule, I don't see it.

Inside the rule there is a check mark "Log packets that are handled by this rule". For example, if I ping the server that is noted in the rule, it doesn't show up in the live log. Why not?

I can put in a simple rule "icmp allow to server IP 1.2.3.4", I set the checkbox and look in the live log if it is being tracked. I start my ping (works) and watch the log but no entry to be found.

I keep running into this problem so the live log has never given me any benefit to date. I have then always used tcpdump on the console.

Am I missing something fundamental? It also doesn't matter which filter I use, i.e. whether I search for source, destination or "address", I don't see what I need.

Thank you for your time :)

Edit: is there an option to log everything? I mean my log destination is a RAM disk with 30 gigs of free space. Time range? I usually never needed the past hours, only the time "now".

February 18, 2022, 01:19:09 PM #1 Last Edit: February 18, 2022, 01:21:19 PM by tiermutter
I never had such issues. Are you sure the rule is hit? You can inspect this with the "inspect" button (FW rules).
i am not an expert... just trying to help...

I am absolutely sure. For testing purposes I have installed an ICMP rule at the top and armed it only for my client IP. If I forbid ICMP, no ping comes through; if I allow it, it works again.

I can confirm this for IPv6, tested with 22.1.1_3.
ICMPv6 is not shown in the live log; ICMPv4 is shown in the live log as expected.

Sorry, too fast.... ICMPv6 is also shown in the live log.
WG0   2022-02-18T13:32:11   fd00:13:18::3   2a00:xxxx:xxxx:xx::xxx     ipv6-icmp

I just noticed something: I can't find any live log entries that run over OpenVPN. I also can't select an interface in the live log filter that has to do with OpenVPN. VLANs yes, IPsec yes, but no OpenVPN.

Same here, no possibility to select interface=ovpn, as I don't have an OVPN interface added.
But every OVPN pass rule is logged, including ICMP.

It helped me quite a lot to add tags to rules, so that I could filter on them.

It also happens that a previous (not logged) rule captures the occurrence.

Turning the filter around might help as well: define all kinds of things you do not want to see, and turn off the auto refresh; then show a couple of hundred records.

I do agree, without being involved in the log daily, it is not quite straightforward what to look for. I have no suggestions for improvement though!
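The point raised above about an earlier, unlogged rule capturing the traffic is the most common reason a logged rule never produces a live log line. The following is an added example (not code from the forum or from OPNsense) that simulates first-match rule evaluation on a constructed ruleset and reports which logging rules are shadowed by an earlier match; the rule fields and packet format are simplified assumptions, not the real pf rule syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str        # "pass" or "block"
    proto: str         # "icmp", "tcp", "udp" or "any"
    src: str           # CIDR the packet source must fall in
    dst: str           # CIDR the packet destination must fall in
    log: bool = False  # the "Log packets that are handled by this rule" checkbox


def matches(rule, pkt):
    """True if this rule applies to the packet (dict with proto/src/dst)."""
    return ((rule.proto == "any" or rule.proto == pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(rule.src)
            and ip_address(pkt["dst"]) in ip_network(rule.dst))


def evaluate(rules, pkt):
    """First matching rule wins; the implicit default is block, unlogged."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name, rule.log
    return "block", "default-deny", False


def shadowed_logging_rules(rules, pkts):
    """For each sample packet, report logging rules that match it but are
    never reached because an earlier rule already handled the packet."""
    report = {}
    for pkt in pkts:
        _, winner, _ = evaluate(rules, pkt)
        for rule in rules:
            if rule.log and rule.name != winner and matches(rule, pkt):
                report.setdefault(rule.name, set()).add(winner)
    return report


# Constructed sample ruleset: an unlogged catch-all sits above the logged ICMP rule.
RULES = [
    Rule("lan-allow-all", "pass", "any", "192.168.1.0/24", "0.0.0.0/0"),
    Rule("icmp-to-server", "pass", "icmp", "192.168.1.0/24", "1.2.3.4/32", log=True),
]
PING = {"proto": "icmp", "src": "192.168.1.10", "dst": "1.2.3.4"}  # constructed packet

if __name__ == "__main__":
    print(evaluate(RULES, PING))                    # ('pass', 'lan-allow-all', False)
    print(shadowed_logging_rules(RULES, [PING]))    # {'icmp-to-server': {'lan-allow-all'}}
    print(evaluate(list(reversed(RULES)), PING))    # ('pass', 'icmp-to-server', True)
```

Moving the logging rule above the catch-all (the reversed order in the last call) is what makes the ping show up; the same check is what the "inspect" counters on the rule list let you confirm on a real box.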