NAT Rules logging not working

[matzej]

Hi,

i have a problem with NAT rules and logging.
That does not work as expected. I have configured a remote syslog server and send all logs that way. I receive all logs about block / pass rules but no information about NAT rules.

Background is, we have a VPN Gateway with some 1000 users which are natted to 4 IP adresses. If we have users with infected devices we get the information from our CERT, but they send us the external nadded ip, port and timestamp.
To get the real user i need the nat states, which internal IP triggered the CERT Rule for BOT/Virus/Worm traffic. Normally we geht the information with a 24-48h delay.

Nat RULE certainly has the Log option enabled. I also see the NAT State Rules unter Firewall/Diagnostics/pfInfo. But no logging.

Any ideas, is it a Bug?

regards Martin

[matzej]

Hi,

anybody observing same issue?
Is there another way to solve the nat / internal issue? can i resolve external ip adresses/port/timestamp to internal ip bevor nat happens?

regards Martin

[Fright]

you can describe the problem in more detail?
why "pass" rules in log not showing "real" ip?
if need "rdr" rules in log, try to disable logging on associated "pass" rule. then you will see "rdr" in log

[matzej]

Hi,

will try to describe more detailed.

Internal IP 192.168.1.10
Makes outbound connection to from source port 33333 to 1.1.1.1:80
External IP is 2.2.2.2

What i see in the log is a pass rule on wan interface:
pass 2.2.2.2:RANDOMPORT => 1.1.1.1:80

but what i need is 192.168.1.1:33333 NATTED to 2.2.2.2:RANDOMPORT => 1.1.1.1:80

Example:
75,,,0,bxe0,match,pass,out,4,0x0,,127,12270,0,DF,6,tcp,52,193.16.xxx.yyy,87.106.18.a,61996,443,0,S,2766616536,,65535,,mss;nop;wscale;nop;nop;sackOK

87.106.18.a Target running C&C Server on port 443
193.16.xxx.yyy my external IP.
bxe0 wan interface

Example Cert Information:
IP-Adresse:   193.16.xxx.yyy
Zuletzt gesehen            IP-Protokoll   Quellport          Ziel-IP    Zielport  Malware
------------------------------------------------------------------------------
2020-11-19T12:33:49+01:00                     17195    87.106.18.a        443  Gootkit
   occurences: 1, target_url: lbegardingstorque.com/rbody320

With that information i can not track which internal user did that connection.
What i need is the NAT information:
192.168.2.10:33333 was natted to 193.16.xxx.yyy Port 17195.

looks like NAT rule is executed bevor pass rule, and NAT rule does not log anything.

regards Martin

[Fright]

Hi
Do I understand correctly that this is an outgoing connection?
In this case, you need to enable logging in the rule on the LAN interface (or any ingress for this requests), not WAN

[matzej]

Hi,

yes - it is outgoing.

I have added a Loging Rule on LAN, now.
Now i have 2 log entries.
LAN:
192.168.1.10:33333 => Target:443
WAN
ExternalIP:RANDOMPORT => Target:443

I have to combine the 2 log entries, and it does only work if RANDOMPORT is not reused in the same period, or after some seconds. Will help as workaround.

More satisfying would be the NAT rule logs the traffic, NAT stuff because it knows all about internal ports and external ports.
And why is there a LOG option in NAT rule when it is good for nothing?

M.

[Fright]

AFAIK:
you cannot get all the information уou need (source ip and port, translated ip and port) from single line of log (nat rule string in log will contain same info as "pass" string: source ip:port and dest ip:port. without translated address). so you need to combine to lines.

if you not use "modulate state" in "pass out" rule, pf use same initial sequence number as client.
so you can use sequence number in log strings to combine entries

And why is there a LOG option in NAT rule when it is good for nothing?

as i said. you can see nat rules in log if you disable logging for corresponding "pass out" rule (i think its by pf design. not to log packet twice)

[matzej]

Hi,

got it.
"modulate state" works only for tcp - when i use that i have to multiply my rules, one for tcp, one for udp, icmp ...

Will try to catch users within time period of access.
Also have installed IDS, but that seems to run not on openvpn interface, only on outside, so same problem - source allready natted.

thanks for clarification.

M.

[Fright]

"modulate state" works only for tcp - when i use that i have to multiply my rules, one for tcp, one for udp, icmp ..

I tried to say the opposite: since the "modulate state" directive is not used by default, pf uses the same sequence number as received from the client and you can use that when concatenating strings.
but you are right that this can only be used for TCP

i have some idea about tagging. but not tested yet

[Fright]

looked more closely. the idea with tags was stupid. pf does not add such field to the packet to pflog.
it remains to be hoped that the information from CERT (about the target address, port and exact time) is sufficient to identify the client from the ingress interface logs

[matzej]

Hi,

thanks for investigating.

But that could become an issue for more users, perhaps this should considered a feature request.
Everyone using this in comercial / university environment would get such problems.

regards M.

[Fright]

hi!
yes. but its not OPN issue. PF

https://github.com/italovalcy/pfnattrack

[svenny]

Hi all, I'm also interested in this feature. Is it possible to install pfnattrack without breaking something in OPNsense?

Many thanks.

Cheers,
Svenny