[solved] firewall logging seems to be buggy

Started by Sheldon, March 25, 2021, 03:34:49 PM

March 25, 2021, 03:34:49 PM Last Edit: March 26, 2021, 11:04:23 AM by Sheldon
I have been using OPNsense for a few weeks now and everything works as intended. There are just a few things that, well, it works, but it looks buggy. One of these things is the firewall logging.

I created a screenshot of the firewall log. This screenshot contains 3 sets of examples.

1
I can not find a rule "pass loopback". Also when I read this log entry, I would think it is based on an outgoing HTTPS connection, but not a loopback connection. This doesn't make sense to me, it just seems to be wrong.

2
I understand there is an automatically created rule "anti-lockout rule" to ensure access to the admin-GUI of OPNsense. When I changed the system settings from HTTP to HTTPS, OPNsense automatically adjusted this rule from port 80 to 443. When I changed the system settings again, changing the port from 443 to 444, this rule again got adjusted automatically. So the "anti-lockout rule" itself is not buggy.

At that time, when I changed the system settings, the logging was fine. But now, in this example, it looks like some DNS requests (UDP:53) got logged as access to the admin-GUI (TCP:444). This is wrong, but I don't know why.

3
There are a few rules to "allow access to DHCP server", they are created automatically. But these examples here look like NTP requests. I don't know why they are logged as DHCP.

When looking at these examples, one might think that only automatically created rules are affected. But I had other cases where my own rules were involved. This started a few days ago, but I can't tell which changes could have caused this. Some log entries are still correct. Reboot didn't help. I could assume a buggy configuration, do a factory reset and configure everything from scratch, but I don't know if this bug will occur again a few days later.

Does anyone have an idea how to fix this without a factory reset?

Quote: I can not find a rule "pass loopback".
hardcoded rule. you can see it if you go to /firewall_rules.php?if=loopback

Quote: but I can't tell which changes could have caused this. Some log entries are still correct
this can happen immediately after making some changes to the rules and only for entries in the log BEFORE making changes. if this continues for new records then something is wrong. can you try to change any rule, apply the changes and check Live View? are there any errors in the General Log after this?

Quote:
    Quote: I can not find a rule "pass loopback".
    hardcoded rule. you can see it if you go to /firewall_rules.php?if=loopback
Interesting! The menu Firewall -> Rules -> Loopback leads to /firewall_rules.php?if=lo0, which does not show any rules. When I use your link, then I can see two automatically generated rules, pass loopback for IPv4 and IPv6.

Quote: this can happen immediately after making some changes to the rules and only for entries in the log BEFORE making changes. if this continues for new records then something is wrong. can you try to change any rule, apply the changes and check Live View? are there any errors in the General Log after this?
Confirmed, just the older entries are affected, entries after the rule changes are displayed correctly.

That is helpful information. Thank you, Fright!

TIL: Modifying the firewall's rules breaks the reference integrity of its older log entries.
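The mechanism Fright describes (older entries being re-resolved against the changed ruleset, so a DNS packet shows up under "anti-lockout rule" and an NTP packet under "allow access to DHCP server") as an added, constructed Python illustration. This is not OPNsense's code; the rulesets, timestamps and log entries are made up, and it also shows the two checks a defender wants: resolving each entry against the ruleset version that was active when it was written, and flagging entries older than the last ruleset change as untrustworthy.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rulesets (not OPNsense's real ordering). A log entry carries the
# position of the rule that matched, as pf-style loggers do; the log viewer turns
# that position back into a description by indexing the ruleset it has *now*.
RULESET_V1 = ["pass loopback", "allow DNS out", "allow NTP out",
              "anti-lockout rule", "allow access to DHCP server"]
# v2: the operator moved the two built-in rules above the outbound rules.
RULESET_V2 = ["pass loopback", "anti-lockout rule", "allow access to DHCP server",
              "allow DNS out", "allow NTP out"]
# (activation timestamp, ruleset) pairs, oldest first; constructed values.
HISTORY: List[Tuple[int, List[str]]] = [(0, RULESET_V1), (1000, RULESET_V2)]

@dataclass(frozen=True)
class LogEntry:
    ts: int        # time the packet was logged (constructed epoch seconds)
    rule_num: int  # position of the matching rule in the ruleset active at ts
    summary: str   # what the log view shows for the packet

# Constructed entries, both logged while v1 was active.
LOG = [LogEntry(500, 1, "UDP 10.0.0.5:5353 -> 9.9.9.9:53"),
       LogEntry(600, 2, "UDP 10.0.0.5:123 -> 192.0.2.10:123")]

def resolve_naive(entry: LogEntry, current: List[str]) -> str:
    """Viewer behaviour that produces the thread's symptom: index the current ruleset."""
    return current[entry.rule_num] if entry.rule_num < len(current) else "unknown"

def resolve_versioned(entry: LogEntry, history: List[Tuple[int, List[str]]]) -> str:
    """Resolve against the ruleset that was active when the entry was written."""
    active: Optional[List[str]] = None
    for activated_at, ruleset in history:
        if activated_at <= entry.ts:
            active = ruleset
    if active is None or entry.rule_num >= len(active):
        return "unknown"
    return active[entry.rule_num]

def stale_entries(log: List[LogEntry], history: List[Tuple[int, List[str]]]) -> List[LogEntry]:
    """Entries older than the latest ruleset change; their naive labels cannot be trusted."""
    last_change = history[-1][0]
    return [e for e in log if e.ts < last_change]
```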