filter.log flooded with pass messages for ntp

Started by junicast, April 10, 2021, 02:34:46 PM

Hi,

I'm running a virtualized (proxmox) OPNsense 21.1.4-amd64 and my filter.log is being flooded with forwarding packets coming from some Internet host to my public NTP server in the DMZ zone (vtnet3). As you might have guessed, there are PLENTY of log entries, because every connection results in one log record.
Example:
Apr 10 14:17:25 fwrx1 filterlog[76179]: 96,,,0,vtnet3,match,pass,out,4,0x0,,53,0,0,DF,17,udp,76,100.8.111.177,5.111.222.89,36028,123,56
The filter rule allowing packets from WAN to my NTP host does not have logging enabled. Since I have public IPs for IPv4 as well as IPv6 I don't have to make use of NAT.

I walked over every single filter rule allowing traffic, making sure logging is disabled.
When I look into the WebGUI's Live View, every one of those records has the label "let out anything from firewall host itself".
When I click on the little "i" sign, a more detailed view opens up where I can try to resolve the rule (rid).
When I hit the link it doesn't work and just gets me back to the details page I'm currently on.

On the console I try via pfctl -v -s rules
I search for the label ID and what I get is this line:
pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
  [ Evaluations: 2080083   Packets: 4026693   Bytes: 311644102   States: 32599 ]
  [ Inserted: uid 0 pid 85607 State Creations: 986670]


It looks like this is a rule for every communication that originates from the firewall but clearly this communication does NOT originate from the firewall but from a host on the internet to my ntp host.

Am I overlooking something? I can't find the clue to this problem.

Please move the topic if I accidentally put it in the wrong section.
Anybody got an idea what's going wrong here?

It seems like this is matching with the default pass rule? If so, there's an option to disable logging "pass" traffic from the default rules (under Settings/logging). Try to disable that and see if it resolves this? By default, pass rule logging is enabled on OPNsense for the pre-defined rulesets.
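As an added example (not code from either poster or from the OPNsense project), the script below parses filterlog lines in the CSV layout quoted above, counts entries per rule number, rid, interface, action and direction, and lists "out" entries whose source is not a local address, i.e. forwarded traffic that a pass-out rule logged on egress rather than traffic the firewall itself sent. The sample log and the local networks are constructed assumptions; only the first line mirrors the one in the post.

```python
import ipaddress
from collections import Counter

# Constructed sample in the filterlog CSV layout. The first line mirrors the one quoted
# in the post; the others are assumptions for illustration (documentation addresses).
SAMPLE_LOG = """\
Apr 10 14:17:25 fwrx1 filterlog[76179]: 96,,,0,vtnet3,match,pass,out,4,0x0,,53,0,0,DF,17,udp,76,100.8.111.177,5.111.222.89,36028,123,56
Apr 10 14:17:25 fwrx1 filterlog[76179]: 96,,,0,vtnet3,match,pass,out,4,0x0,,52,0,0,DF,17,udp,76,198.51.100.7,5.111.222.89,41000,123,56
Apr 10 14:17:26 fwrx1 filterlog[76179]: 12,,,0,vtnet0,match,block,in,4,0x0,,240,0,0,none,6,tcp,60,203.0.113.9,5.111.222.89,50211,22,0,S,1,,65535,,mss
Apr 10 14:17:27 fwrx1 filterlog[76179]: 96,,,0,vtnet3,match,pass,out,6,0x00,0x00000,64,udp,17,56,2001:db8::1,2001:db8:1::123,40000,123,48
"""

# Field names follow the FreeBSD/OPNsense filterlog layout: a common header, then an
# IPv4 or IPv6 block, then port fields for tcp/udp only.
HEAD = ("rulenr", "subrulenr", "anchor", "rid", "interface", "reason", "action", "dir", "ipver")
IPV4 = ("tos", "ecn", "ttl", "id", "offset", "flags", "protoid", "proto", "length", "src", "dst")
IPV6 = ("class", "flowlabel", "hlim", "proto", "protoid", "length", "src", "dst")
PORTS = ("srcport", "dstport", "datalen")

def parse_line(line):
    """Return a dict of named fields for one filterlog line, or None if it is not one."""
    if "filterlog[" not in line:
        return None
    f = line.split("]: ", 1)[1].strip().split(",")
    rec = dict(zip(HEAD, f))
    body = IPV4 if rec["ipver"] == "4" else IPV6
    rec.update(zip(body, f[len(HEAD):]))
    if rec.get("proto") in ("tcp", "udp"):  # only these carry port fields
        rec.update(zip(PORTS, f[len(HEAD) + len(body):]))
    return rec

def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]

def count_by_rule(entries):
    """Which (rule number, rid, interface, action, direction) produces the most entries."""
    return Counter((e["rulenr"], e["rid"], e["interface"], e["action"], e["dir"]) for e in entries)

def forwarded_egress(entries, local_nets):
    """'out' entries whose source is not local: forwarded traffic matched on egress."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    return [e for e in entries
            if e["dir"] == "out" and not any(ipaddress.ip_address(e["src"]) in n for n in nets)]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for key, n in count_by_rule(entries).most_common():
        print(n, key)
    for e in forwarded_egress(entries, ["5.111.222.0/24", "2001:db8:1::/64"]):  # assumed local nets
        print("forwarded, logged on egress:", e["interface"], e["src"], "->", e["dst"], e["dstport"])
```

Feeding the real filter.log through `count_by_rule` shows at a glance whether one rule number and direction dominates the volume, which is the case the thread describes.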