Log traffic only without pass/block/reject

Started by christophm, February 23, 2023, 09:34:22 PM

Hi,

Is there a way to accomplish the following iptables-Rule with OPNsense?
iptables -A FORWARD -d 192.168.10.0/24 -j LOG --log-prefix '** SUSPECT **'

I'm unsure if "Set local tag"/"Match local tag" together with quick could help.
The "match" action as on pfsense does not seem to be available.

Thank you,
Christoph

Hi,

I'm not sure if I understand you correctly. If your question is whether specific rules can get a marker or flag in the log file to filter for, the answer is no.

But, every rule has its own rule id (watch the row "rid", here it is like "02f4bab03..."). This id will be also transmitted to a syslog server.

But yes, it would be great, if the description/label would be sent along with syslog/plain view.

encore:
You can label your rules (it is called "Description" in the rule's definition page). Put in "**SUSPECT** some other description" and filter in the live view with "label contains **SUSPECT**"

Hope that helps
OPNsense consulting, installation, configuration and care by DU Consult

Hi Dennis,

thx for your answer.

What I'm searching for is to log the traffic only, without applying a "pass/block/reject" action.

I've found the following "match" action in the pfsense docs.
https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html#match-action

Thank you,
Christoph

Doing nothing means "pass", doesn't it? So you can combine a pass rule with the desired logging action.

A packet arrives at your firewall - there are three possible things that might happen: it's passed, it's blocked, or it's rejected. What else do you have in mind?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

ok, I think if I combine "pass" with "quick" disabled, I can accomplish what I want to do.

I was actually unsure if I could potentially allow too much with "pass" so I would have preferred a "log only" action.

My intention is to use a blocklist and only log suspicious activity.
I really wanted to avoid a pass for a blocklist.

Christoph

sorry, I just tested it again and it does not work as desired with "pass" and "quick".

I've created a floating rule with
- action: pass
- quick: off
- source: any
- destination: specific suspicious ip

The problem is that this rule allows all traffic to "specific ip", whereas a "log only"/match rule would not allow anything additional on the firewall.

So, I don't have a solution for "log only" at the moment.
Any more ideas?

Thank you,
Christoph

February 27, 2023, 11:17:14 AM #6 Last Edit: February 27, 2023, 02:02:54 PM by pmhausen
For any packet there are really only two courses of action - allow or deny. If there was such a thing as log only and there was no specific other rule in place, the "default deny everything" rule would be the one that matches in the end. So the packet gets denied.

If that is what you want, then create a deny and log rule - it really is that simple.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hello Dennis,

thx, "deny" and "log" works as you mentioned, but "pass" and "log" is not the same as "log only".
The "pass" action potentially allows more than the total ruleset does.

Christoph

Actually, it was @pmhausen :-)

But, after you clarified your request, I would also recommend adding a rule with the desired SRC/DEST/PORT combination, logging it, but unticking "Apply the action immediately on match."

The rule is used and logged, but it is not taken as the last resort of action, and the packet is also processed by the following rules.
OPNsense consulting, installation, configuration and care by DU Consult

February 28, 2023, 11:11:52 AM #9 Last Edit: February 28, 2023, 11:25:50 AM by christophm
Hi Dennis,

thx for your response and sorry for the name mismatch ;)

I've tried your suggestion but it does not work with action "pass" and "quick" disabled.

Here is my example rule:
- Floating Rule for logging but not blocking suspicious traffic only:
action: pass, src: any, dst: 8.8.8.8, log: yes, quick: no
8.8.8.8 is just an example here but it's fine for testing if DNS to Google is not allowed per default on your clients.

The result now is that this rule allows everything to 8.8.8.8.
You can test with "telnet 8.8.8.8 53".
Unfortunately that is not the desired behaviour.

What I want to accomplish is to log only that traffic, without allowing more than is allowed for other external IPs on the firewall.

Thank you,
Christoph
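The disagreement in this thread comes down to pf's evaluation order: the last matching pass/block rule decides unless one of them is "quick", so a non-quick "pass + log" rule that is not overridden later still widens what the firewall allows, while pf's "match" action (the one behind the pfSense "match" rule linked above) logs without touching the verdict. The following toy simulator is an added example written for this thread, not code from OPNsense or from any poster; the rulesets are constructed, the "default deny" row stands in for the firewall's built-in block rule, the 8.8.0.0/16 "allowed dns" rule is hypothetical, and logging is simplified to "the decisive rule logs, match rules log on every hit".

```python
"""Toy model of pf-style rule evaluation: last match wins unless 'quick'."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str          # "pass", "block" or "match" (pf's log-only action)
    dst: str             # destination in CIDR form, or "any"
    log: bool = False
    quick: bool = False  # stop evaluating once this rule matches
    label: str = ""

    def matches(self, dst_ip: str) -> bool:
        return self.dst == "any" or ip_address(dst_ip) in ip_network(self.dst)


def evaluate(rules: List[Rule], dst_ip: str) -> Tuple[str, List[str]]:
    """Return (verdict, labels logged) for one packet to dst_ip.

    pf semantics: the *last* matching pass/block rule is decisive unless a
    matching rule is 'quick', which ends evaluation on the spot. 'match'
    rules never change the verdict; in this model they log whenever they hit.
    """
    decisive: Optional[Rule] = None
    logged: List[str] = []
    for r in rules:
        if not r.matches(dst_ip):
            continue
        if r.action == "match":
            if r.log:
                logged.append(r.label)
            continue
        decisive = r
        if r.quick:
            break
    if decisive is None:
        return "pass", logged          # pf's implicit default: nothing matched
    if decisive.log:
        logged.append(decisive.label)  # only the decisive rule produces a log line
    return decisive.action, logged


# Constructed rulesets. DEFAULT_DENY mimics the firewall's built-in block rule
# placed ahead of the user rules; ALLOWED_DNS is a hypothetical quick pass rule.
DEFAULT_DENY = Rule("block", "any", log=True, label="default deny")
ALLOWED_DNS = Rule("pass", "8.8.0.0/16", quick=True, label="allowed dns")
SUSPECT = "8.8.8.8/32"


def pass_log_non_quick(dst_ip: str) -> Tuple[str, List[str]]:
    """The thread's failed attempt: pass + log with quick off."""
    return evaluate([DEFAULT_DENY, Rule("pass", SUSPECT, log=True, label="SUSPECT")], dst_ip)


def block_log(dst_ip: str) -> Tuple[str, List[str]]:
    """pmhausen's suggestion: deny + log."""
    return evaluate([DEFAULT_DENY, Rule("block", SUSPECT, log=True, label="SUSPECT")], dst_ip)


def match_log(dst_ip: str, with_allow_rule: bool) -> Tuple[str, List[str]]:
    """What a genuine 'log only' rule looks like: pf's match action."""
    rules = [DEFAULT_DENY, Rule("match", SUSPECT, log=True, label="SUSPECT")]
    if with_allow_rule:
        rules.append(ALLOWED_DNS)
    return evaluate(rules, dst_ip)


if __name__ == "__main__":
    print("pass/log/no-quick -> 8.8.8.8:", pass_log_non_quick("8.8.8.8"))   # widened to pass
    print("pass/log/no-quick -> 1.1.1.1:", pass_log_non_quick("1.1.1.1"))   # still blocked
    print("block/log         -> 8.8.8.8:", block_log("8.8.8.8"))
    print("match/log, no allow rule  ->", match_log("8.8.8.8", False))      # logged, still blocked
    print("match/log, with allow rule->", match_log("8.8.8.8", True))       # logged, pass unchanged
```

Run it as a script to see the four cases side by side: the non-quick pass rule turns a packet to 8.8.8.8 from "block" into "pass" (the extra access Christoph observed with `telnet 8.8.8.8 53`), the block rule logs and denies, and the match rule logs in both rulesets while the verdict stays whatever the surrounding rules already produced. The model only looks at destination addresses; protocol, port, direction and state tracking are deliberately left out.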