Topic: remote syslog (Read 2255 times)

Hugovsky
remote syslog
« on: February 02, 2015, 03:14:03 pm »
I'm seeing this in my remote syslog server since upgrade to 2.2:

FILTERLOG : 148,16777216,,100000101,em0_vlan3,ip-option,pass,in,4,0x0,,1,43293,0,none,2,igmp,32,192.168.50.31,224.0.0.252,datalength=8

Any ideas? It seems to be the default rule logging, but I've disabled that in settings. However, it's only IGMP.

cmb (Chris Buechler)
Re: remote syslog
« Reply #1 on: February 02, 2015, 08:03:12 pm »
That's the ID of the default LAN rule, you have logging enabled on the default LAN rule it appears?

Hugovsky
Re: remote syslog
« Reply #2 on: February 03, 2015, 04:11:05 am »
I don't. I've tried enabling and disabling the check mark for the default rule. Didn't work. I have pfBlockerNG and Snort installed. Maybe one package changed something?

cmb (Chris Buechler)
Re: remote syslog
« Reply #3 on: February 03, 2015, 01:39:40 pm »
what does:

Code:
grep 100000101 /tmp/rules.debug
show?

Hugovsky
Re: remote syslog
« Reply #4 on: February 03, 2015, 02:53:03 pm »
Code:
root: grep 100000101 /tmp/rules.debug
pass  in  quick  on $LAN inet proto tcp  from 192.168.50.0/24  to <negate_networks>  port $outgoing_ports tracker 0100000101 flags S/SA keep state  dnqueue( 1,2)  label "NEGATE_ROUTE: Negate policy routing for destination"
pass  in  quick  on $LAN  $GWGW_failover inet proto tcp  from 192.168.50.0/24 to any port $outgoing_ports tracker 0100000101 flags S/SA keep state  dnqueue( 1,2)  label "USER_RULE: Default allow LAN -> internet to any rule"

Hugovsky
Re: remote syslog
« Reply #5 on: February 03, 2015, 03:20:00 pm »
Well, it seems like when you're sick and go to a doctor, all your diseases go away… I have had this problem since 24 Jan, give or take. Decided to post it and it goes away.. nice. I've changed a few rules and aliases and I have never seen this in the logs since. I have 200+ pages of this error in Observium. It has stopped now. Is there anything I can do to help diagnose? I have backups of previous configs. I can try to revert to check. Do you think it's worth it?
« Last Edit: February 03, 2015, 04:18:21 pm by Hugovsky »

cmb (Chris Buechler)
Re: remote syslog
« Reply #6 on: February 05, 2015, 03:11:51 pm »
Do you see any other logs with that same tracker ID?

It might have been logging things with IP options set for some reason, though can't say I've ever seen or heard of that.

Hugovsky
Re: remote syslog
« Reply #7 on: February 05, 2015, 03:48:31 pm »
I think I've found the problem. I only get those if I enable logging in pfBlockerNG, either per individual list or globally in the General tab.

Hugovsky
Re: remote syslog
« Reply #8 on: February 05, 2015, 03:49:37 pm »
Maybe it's something about the way the package logs? Should I post in the pfBlockerNG thread?

phil.davis (International Nepal Fellowship)
Re: remote syslog
« Reply #9 on: February 06, 2015, 03:19:48 am »
I was looking into Firewall Log GUI issues a few weeks ago and it was an issue with IGMP packets not being parsed and displayed on the GUI:
Firewall Log does not display logged IGMP packets
https://github.com/pfsense/pfsense/pull/1456
https://forum.pfsense.org/index.php?topic=87723.0

At that time I noticed that IGMP packets seemed to always come in the logs, even if a matching rule had logging off. The rule could be pass or block. I never got back to really test and see exactly what combination was the cause.

I will have a look again now and see if I can reproduce it...
As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

phil.davis (International Nepal Fellowship)
Re: remote syslog
« Reply #10 on: February 06, 2015, 04:04:47 am »
Here is an example of an IGMP packet being logged against a pass rule with no logging on.
In my LAN rules I have a pass rule from LANnet to everywhere that is not "INF_subnets" (not the company intranet) and sending it to gateway group Balanced_Traffic. (see screenshot)
Then pass anything else from LANnet straight to the routing table (should be company intranet traffic)
Then block and log everything else (should not be anything else to see).

In /tmp/rules.debug this has:
Code:
pass  in  quick  on $LAN  $GWBalanced_Traffic inet from 10.49.80.0/22 to ! $INF_subnets tracker 1418272799 keep state  label "USER_RULE: Send other LAN traffic to WiMax first"
pass  in  quick  on $LAN inet from 10.49.80.0/22 to any tracker 1418272800 keep state  label "USER_RULE: Default allow LAN to any rule"
block  in log  quick  on $LAN inet from any to any tracker 1418272801  label "USER_RULE: Block and log anything else not from LAN net"

But IGMP packets passed by rule 1418272799 appear in the firewall log. I can see them in text form with:
Code:
clog /var/log/filter.log | grep igmp
and after applying this commit to fix display of IGMP in the firewall log GUI, https://github.com/pfsense/pfsense/commit/091195f09e627f575bb195006d255ad4e85dfef7 I can see them in the GUI, like the screenshot.

Seems like a bonus feature?  :P

Cino
Re: remote syslog
« Reply #11 on: February 10, 2015, 11:27:49 am »
I see them too :-( How can we make them stop? lol

Code:
Feb 10 11:24:57 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 11:24:57 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 11:25:02 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 11:50:43 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0x0,,1,16041,0,none,2,igmp,40,192.168.0.100,224.0.0.22,datalength=16
Feb 10 11:50:43 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0x0,,1,16042,0,none,2,igmp,40,192.168.0.100,224.0.0.22,datalength=16
Feb 10 11:50:43 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0x0,,1,16043,0,none,2,igmp,40,192.168.0.100,224.0.0.22,datalength=16
Feb 10 11:50:43 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0x0,,1,16044,0,none,2,igmp,40,192.168.0.100,224.0.0.22,datalength=16
Feb 10 11:50:43 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0x0,,1,16047,0,none,2,igmp,40,192.168.0.100,224.0.0.22,datalength=16
Feb 10 11:51:48 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 11:51:48 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 11:51:51 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 11:51:51 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 11:51:54 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 12:12:45 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 12:12:48 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 12:12:49 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 12:12:49 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 12:12:51 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 12:13:27 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 12:13:27 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 12:13:29 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 12:13:29 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
Feb 10 12:13:34 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16
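
The filterlog lines posted in this thread all share the same shape, and cmb's suggested check (grep the tracker ID in /tmp/rules.debug) is something worth doing for every logged line rather than by hand. The following is an added example, not code from this thread or from the pfSense project. It parses the IPv4 filterlog CSV layout visible in the posted lines (rule number, sub-rule number, anchor, tracker, interface, reason, action, direction, IP version, TOS, ECN, TTL, ID, offset, flags, protocol number, protocol name, length, source, destination, then protocol-specific `key=value` fields such as `datalength=8`), indexes rules.debug by the `tracker N` value with the `label "..."` text, and reports entries whose rule has no `log` keyword, which is exactly the IGMP/ip-option case phil.davis describes. The field names, the `FilterEntry`/`Rule` classes and the helper functions are my own; the sample input reuses two log lines and two rules.debug lines quoted in this thread.

```python
"""Parse pfSense 2.2 filterlog lines and cross-check them against /tmp/rules.debug.

Added example, not pfSense project code. Field order is assumed from the IPv4
lines quoted in the thread; IPv6 lines have a different middle section and are
skipped.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syslog prefix up to and including "filterlog:"; the thread shows both the
# "filterlog:" and "FILTERLOG :" spellings, so match case-insensitively.
_PREFIX_RE = re.compile(r"^.*?filterlog\s*:\s*", re.IGNORECASE)
_TRACKER_RE = re.compile(r"\btracker\s+(\d+)\b")
_LABEL_RE = re.compile(r'label\s+"([^"]*)"')

# Assumed IPv4 field order (see module docstring).
_IPV4_FIELDS = [
    "rulenr", "subrulenr", "anchor", "tracker", "interface", "reason",
    "action", "direction", "ipver", "tos", "ecn", "ttl", "id", "offset",
    "flags", "proto_id", "proto", "length", "src", "dst",
]


@dataclass
class FilterEntry:
    tracker: int
    interface: str
    reason: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    extra: Dict[str, str]   # protocol-specific trailer, e.g. {"datalength": "8"}


@dataclass
class Rule:
    tracker: int
    action: str
    logged: bool            # True when the pf rule carries the "log" keyword
    label: str


def parse_filterlog_line(line: str) -> Optional[FilterEntry]:
    """Return a FilterEntry for an IPv4 filterlog line, or None if it does not fit."""
    body = _PREFIX_RE.sub("", line.strip(), count=1)
    fields = body.split(",")
    if len(fields) < len(_IPV4_FIELDS) or fields[8] != "4":
        return None
    head = dict(zip(_IPV4_FIELDS, fields))
    extra: Dict[str, str] = {}
    for item in fields[len(_IPV4_FIELDS):]:
        if "=" in item:
            key, value = item.split("=", 1)
            extra[key] = value
    return FilterEntry(
        tracker=int(head["tracker"]), interface=head["interface"],
        reason=head["reason"], action=head["action"], direction=head["direction"],
        proto=head["proto"], src=head["src"], dst=head["dst"], extra=extra,
    )


def parse_rules_debug(text: str) -> Dict[int, Rule]:
    """Index pf rules from rules.debug text by tracker id.

    Trackers are compared as integers because rules.debug may zero-pad them
    (0100000101) while filterlog prints them unpadded (100000101).
    """
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        match = _TRACKER_RE.search(line)
        tokens = line.split()
        if not match or "tracker" not in tokens:
            continue
        head = tokens[: tokens.index("tracker")]   # "log" only counts before the tracker
        label = _LABEL_RE.search(line)
        tracker = int(match.group(1))
        # Keep the first rule seen for a tracker: the generated NEGATE_ROUTE rule
        # in the thread shares its tracker with the user rule it was derived from.
        rules.setdefault(tracker, Rule(
            tracker=tracker, action=tokens[0], logged="log" in head,
            label=label.group(1) if label else "",
        ))
    return rules


def unexpected_log_entries(entries: List[FilterEntry], rules: Dict[int, Rule]) -> List[FilterEntry]:
    """Entries whose rule exists in rules.debug but has logging turned off."""
    return [e for e in entries if e.tracker in rules and not rules[e.tracker].logged]


def summarize(entries: List[FilterEntry]) -> Counter:
    """Count entries by (reason, action, proto) to spot one reason dominating."""
    return Counter((e.reason, e.action, e.proto) for e in entries)


# Sample input: two filterlog lines and two rules.debug lines quoted in this thread.
SAMPLE_LOG = [
    "FILTERLOG : 148,16777216,,100000101,em0_vlan3,ip-option,pass,in,4,0x0,,1,43293,0,none,2,igmp,32,192.168.50.31,224.0.0.252,datalength=8",
    "Feb 10 11:24:57 pfsense filterlog: 195,16777216,,1422118959,em2,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.0.153,224.0.0.22,datalength=16",
]
SAMPLE_RULES = """\
pass  in  quick  on $LAN inet proto tcp  from 192.168.50.0/24  to <negate_networks>  port $outgoing_ports tracker 0100000101 flags S/SA keep state  dnqueue( 1,2)  label "NEGATE_ROUTE: Negate policy routing for destination"
block  in log  quick  on $LAN inet from any to any tracker 1418272801  label "USER_RULE: Block and log anything else not from LAN net"
"""

if __name__ == "__main__":
    entries = [e for e in map(parse_filterlog_line, SAMPLE_LOG) if e]
    rules = parse_rules_debug(SAMPLE_RULES)
    print(summarize(entries))
    for e in unexpected_log_entries(entries, rules):
        print(f"logged without 'log' on rule {e.tracker} ({rules[e.tracker].label}): "
              f"{e.reason} {e.action} {e.proto} {e.src} -> {e.dst} {e.extra}")
```

On a live box, feed it `clog /var/log/filter.log` output and the contents of /tmp/rules.debug instead of the embedded samples; a tracker that appears in the log but not in rules.debug means the ruleset has been regenerated since the line was written, which is worth keeping apart from the "rule found, logging off" case this function flags.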

phil.davis (International Nepal Fellowship)
Re: remote syslog
« Reply #12 on: February 10, 2015, 12:04:04 pm »
Quote: "I see them too :-( How can we make them stop? lol"
I raised a bug report: https://redmine.pfsense.org/issues/4383
I could not see where I could fix this in pfSense PHP code. I concluded that it is somewhere in "pf" in real compiled code from pfSense-tools, so I will let the devs get onto it in due course.
I'll resist using the compiler as long as I can find interpreted code bugs to fix  ;)