Topic: I don't understand Firewall's Live Log (Read 5702 times)
c-mu
Full Member
Posts: 210
Karma: 5
I don't understand Firewall's Live Log
« on: February 18, 2022, 01:11:56 pm »
Hello,
I do not understand the live log. I see all sorts of information there, but when I specifically want to investigate a case for which there is a firewall rule, I don't see it.
Inside the rule there is a check mark "Log packets that are handled by this rule". For example, if I ping this server that is noted in the rule, it doesn't show up in the livelog. Why not?
I can put in a simple rule "icmp allow to server IP 1.2.3.4", I set the checkbox and look in the live log if it is being tracked. I start my ping (works) and watch the log but no entry to be found.
I keep running into this problem so the live log has never given me any benefit to date. I have then always used tcpdump on the console.
Am I missing something fundamental? It also doesn't matter which filter I use, i.e. whether I search for source, destination or "address", I don't see what I need.
Thank you for your time.
Edit: is there an option to log everything? I mean my log destination is a RAM disk with 30 Gigs of free space. Time range? Usually I never needed the past hours, only the time "now".
« Last Edit: February 18, 2022, 01:15:04 pm by c-mu »
tiermutter
Hero Member
Posts: 1099
Karma: 61
Re: I don't understand Firewall's Live Log
« Reply #1 on: February 18, 2022, 01:19:09 pm »
I never had such issues. Are you sure the rule is hit? You can inspect this with the "inspect" button (FW rules).
« Last Edit: February 18, 2022, 01:21:19 pm by tiermutter »
i am not an expert... just trying to help...
c-mu
Full Member
Posts: 210
Karma: 5
Re: I don't understand Firewall's Live Log
« Reply #2 on: February 18, 2022, 01:24:33 pm »
I am absolutely sure. For testing purposes I have installed an ICMP rule at the top and armed it only for my client IP. If I forbid ICMP, no ping comes through; if I allow it, it works again.
tiermutter
Hero Member
Posts: 1099
Karma: 61
Re: I don't understand Firewall's Live Log
« Reply #3 on: February 18, 2022, 01:31:26 pm »
I can confirm this for IPv6, tested with 22.1.1_3.
ICMPv6 is not shown in the live log; ICMPv4 is shown in the live log as expected.
i am not an expert... just trying to help...
tiermutter
Hero Member
Posts: 1099
Karma: 61
Re: I don't understand Firewall's Live Log
« Reply #4 on: February 18, 2022, 01:33:28 pm »
Sorry, too fast... ICMPv6 is also shown in the live log:
WG0 2022-02-18T13:32:11 fd00:13:18::3 2a00:xxxx:xxxx:xx::xxx ipv6-icmp
i am not an expert... just trying to help...
c-mu
Full Member
Posts: 210
Karma: 5
Re: I don't understand Firewall's Live Log
« Reply #5 on: February 18, 2022, 01:54:36 pm »
I just noticed something: I can't find any live log entries that run over OpenVPN. I also can't select an interface in the live log filter that has to do with OpenVPN. VLANs yes, IPsec yes, but no OpenVPN.
tiermutter
Hero Member
Posts: 1099
Karma: 61
Re: I don't understand Firewall's Live Log
« Reply #6 on: February 18, 2022, 02:06:33 pm »
Same here, no possibility to select interface=ovpn, as I don't have an OVPN interface added.
But every OVPN pass rule is logged, including ICMP.
i am not an expert... just trying to help...
wbk
Newbie
Posts: 41
Karma: 1
Re: I don't understand Firewall's Live Log
« Reply #7 on: February 28, 2022, 12:03:32 am »
It helped me quite a lot to add tags to rules, so that I could filter on them.
It also happens that a previous (not logged) rule captures the occurrence.
Turning the filter around might help as well: define all kinds of things you do not want to see, and turn off the auto refresh; then show a couple of hundred records.
I do agree, without being involved in the log daily, it is not quite straightforward what to look for. I have no suggestions for improvement though!
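An added illustration (not from any poster in this thread, and not OPNsense code) of the shadowing effect wbk describes: with first-match rule evaluation, a broader un-logged rule placed above a logged one takes the traffic, so the logged rule is never hit and the live log stays empty for it. Rule set, descriptions and addresses are constructed.

```python
"""Constructed model of first-match ('quick') rule evaluation as pf applies it.

Not OPNsense code. It shows why a later rule with "Log packets that are
handled by this rule" produces no live-log entry when an earlier, un-logged
rule already matches the same traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    descr: str       # rule description, as shown in the live log
    action: str      # "pass" or "block"
    proto: str       # "icmp", "tcp", "udp" or "any"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    log: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str


def _net_match(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """With 'quick' semantics the first matching rule decides; later rules are never consulted."""
    return next((r for r in rules if matches(r, pkt)), None)


def explain_missing_log(rules: List[Rule], pkt: Packet, expected_descr: str) -> str:
    """Diagnose why the rule named expected_descr did not log this packet."""
    hit = first_match(rules, pkt)
    if hit is None:
        return "no rule matched (default policy applies)"
    if hit.descr == expected_descr:
        return "logged" if hit.log else "rule hit but logging is disabled on it"
    return f"shadowed by earlier rule '{hit.descr}' (log={hit.log})"


# Constructed rule set: a broad un-logged LAN pass rule sits above the logged ICMP rule.
RULES = [
    Rule("allow LAN out", "pass", "any", "192.168.1.0/24", "any"),
    Rule("icmp to server", "pass", "icmp", "any", "1.2.3.4/32", log=True),
]
PING = Packet("icmp", "192.168.1.10", "1.2.3.4")  # constructed ping from a LAN client
```

Moving the ICMP rule to the top of the list (as c-mu did for testing) changes the diagnosis to "logged".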