Problem with Firewall Live View

Started by mooh, June 25, 2026, 06:45:55 PM

Turning off the logging of a firewall rule, the Live View still shows events caused by it but leaves the Label field empty. Additionally, when clicking on the i button of that event, followed by clicking the rid, the rule isn't found. The browser will open an empty new frame/window and close it immediately instead of showing the relevant rule editing dialog. It looks like the association between log file entry and firewall rule only exists while logging is turned on. I hope this is only a cosmetic error.

Is it possible that you have set up another rule without a label to log records?
Every morning, I wake up and check the Forbes list first. If I'm not on it, I go to work.

Quote from: wincent on June 26, 2026, 03:59:25 AM
Is it possible that you have set up another rule without a label to log records?

This happens when you disable logging of a rule. If I remember correctly, I observed this on 25.7 too.

And is there an apply happening in this flow as well? Are you waiting to reopen the live log until this particular apply for the rules is complete?


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Today at 06:05:23 AM #4 Last Edit: Today at 06:16:56 AM by lmoore
Quote from: franco on June 26, 2026, 06:48:11 AM
And is there an apply happening in this flow as well? Are you waiting to reopen the live log until this particular apply for the rules is complete?

@franco In my case I don't see this as a real problem as I run multiple tabs in the browser. Changes are made in one and Live View is running in another. After a rule has had logging disabled I would refresh the Live View tab.

On a separate note regarding unexpected entries in Live View, I updated to OPNsense 26.1.10 on or around the 18th of June. On the 20th of June, I added a new VLAN and enabled legacy ISC DHCP on this interface. The interface was then added to an existing Firewall Group. In addition, a rule in this group was updated to include the new interface address. Another change was made later. This was to include network aliases for Cortex Xpanse PAN probes (https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity) and to create firewall rules (IPv4 & IPv6) so they could be explicitly logged. Later on, I observed in Live View that when a pass rule was logged, another entry would be listed immediately after; however, it had a different firewall description field.

Refreshing the browser did not overcome the display issue, so OPNsense was rebooted and the issue went away. I didn't keep the screenshots of this anomaly; however, I can still view the logs in question using TUI (https://forum.opnsense.org/index.php?topic=49879.msg268998#msg268998). Viewing the details of a duplicated entry reveals a different Label value.

First entry:

Details
Time:             Sun, 21 Jun 2026 07:02:49 +0800
Label:            608f5cdb-014b-4ed2-a3db-543251331847
Action:           pass
Reason:           match
Direction:        in
Interface:        re0
IPVersion:        4
ProtocolName:     udp
Source:           aaa.aaa.aaa.aaa
SourcePort:       37882
Destination:      ddd.ddd.ddd.ddd
DestinationPort:  9002
Length:           176
DSCP:             0x0
Flags:            none
ID:               5096
Offset:           0
TTL:              116
DataLength:       156

Duplicated entry with erroneous Label field:

Details
Time:             Sun, 21 Jun 2026 07:02:49 +0800
Label:            e6beac25-38ef-44ce-92ac-cc068b3a066c
Action:           pass
Reason:           match
Direction:        in
Interface:        re0
IPVersion:        4
ProtocolName:     udp
Source:           aaa.aaa.aaa.aaa
SourcePort:       37882
Destination:      ddd.ddd.ddd.ddd
DestinationPort:  9002
Length:           176
DSCP:             0x0
Flags:            none
ID:               5096
Offset:           0
TTL:              116
DataLength:       156


Firewall rule from /tmp/rules.debug with label "e6beac25-38ef-44ce-92ac-cc068b3a066c". Note: this is an outbound rule:

block return out log quick on EGRESS inet from {any} to $bitwire_it_outbound_blocklist label "e6beac25-38ef-44ce-92ac-cc068b3a066c" # Outbound Bitwire-IT Block List

I can't come up with an explanation for the duplicated, but erroneously labelled log entries.

I'm not saying this is related to 26.1.10, however, the previous time I added a new interface and rules to OPNsense would have been around February/March this year.

Cheers,

Larry.
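
An added example, not part of the thread and not OPNsense code: a cross-check for the anomaly described in the post above. It pairs log entries that are identical except for Label, then compares each label's rule line from /tmp/rules.debug with the logged action and direction. The field layout and rule syntax are taken from the excerpts in the post; the function names and the trimmed sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two records and the one rules.debug line quoted in the
# post, with the records trimmed to a few of the fields being compared.
RECORD = """Details
Time:       Sun, 21 Jun 2026 07:02:49 +0800
Label:      {label}
Action:     pass
Direction:  in
SourcePort: 37882
ID:         5096
"""
DUP = "e6beac25-38ef-44ce-92ac-cc068b3a066c"
SAMPLE_LOG = RECORD.format(label="608f5cdb-014b-4ed2-a3db-543251331847") + RECORD.format(label=DUP)
SAMPLE_RULES = ('block return out log quick on EGRESS inet from {any} to '
                '$bitwire_it_outbound_blocklist label "%s" # Outbound Bitwire-IT Block List' % DUP)

# Assumption: the action is the first word and an explicit in/out keyword is present.
RULE_RE = re.compile(r'^(pass|block|match)\b.*?\b(in|out)\b.*\blabel "([^"]+)"')

def parse_records(text):
    """Split 'Details' output into one dict per record."""
    records = []
    for line in text.splitlines():
        if line.strip() == "Details":
            records.append({})
        elif ":" in line and records:
            key, value = line.split(":", 1)  # split once: Time values contain colons
            records[-1][key.strip()] = value.strip()
    return records

def parse_rules(text):
    """Map label -> (action, direction) for each labelled rule line."""
    found = (RULE_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(3): (m.group(1), m.group(2)) for m in found if m}

def inconsistent_labels(log_text, rules_text):
    """Flag duplicated entries whose label names a rule that cannot have matched."""
    rules, groups, findings = parse_rules(rules_text), defaultdict(list), []
    for rec in parse_records(log_text):
        groups[tuple(sorted((k, v) for k, v in rec.items() if k != "Label"))].append(rec)
    for recs in groups.values():
        if len({r.get("Label") for r in recs}) < 2:
            continue  # same packet logged once, or under one label only
        for r in recs:
            rule, seen = rules.get(r.get("Label")), (r.get("Action"), r.get("Direction"))
            if rule and rule != seen:  # labels with no known rule line are skipped
                findings.append((r["Label"], "rule is %s %s, entry is %s %s" % (rule + seen)))
    return findings
```

Calling `inconsistent_labels(SAMPLE_LOG, SAMPLE_RULES)` flags only the second label, because its rule is a `block ... out` rule while the entry records a `pass` in the `in` direction.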