Feature #11975 (closed)

Simplify NAT logging to conform more easily with local/regional laws

Added by Guillaume LUCAS over 3 years ago. Updated over 3 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Logging
Target version: -
Start date: 05/29/2021
Due date: -
% Done: 0%
Estimated time: -
Plus Target Version: -
Release Notes: Default

Description

French law requires ISPs to log "who used this IP address at this timestamp?" information for a year.

For our public-addressed subnets, it's easy: our IPAM memorizes the association between an IP address and a person.
For our RFC1918-addressed subnets, pfSense must log timestamp + private IP + private port + destination IP + destination port.

Constraints (from https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html):
  • NAT rules don't have a "log" checkbox
  • NAT processing is done before filtering, so adding a logging rule on the WAN interface fails (RFC1918 IP addresses were already translated)
  • Only floating filtering rules can match without performing a pass/drop action

I can think of two ways of doing it:
1) Add a floating rule with the following parameters:
  • Action: match
  • Interface: all internal private-addressed subnets
  • Direction: in
  • Protocol: any
  • Source: any
  • Destination: invert match + alias with all of our networks (because there is no need to record inter-VLAN flows)
  • "Log" checkbox: checked
OR
2) Check the "log" checkbox on each pass rule on each private-addressed interface (as above, add an alias in destination to disable recording of inter-VLAN traffic).
  • Variant: floating rule on each private-addressed interface + tagged match.

So I have a technical solution, so it's OK for me.

My feature request is: can we imagine a mechanism to automatically permit logging of private-addressed subnets, like the automatic filter rule creation when adding a NAT rule? I see two ways to do that:
  • NAT rules with a "log" checkbox? I think that it's impossible because of PF's limits, but maybe I'm wrong.
OR
  • A checkbox in general settings which creates additional (floating?) rules. Bonus if it doesn't log inter-VLAN traffic (auto-detection of internal subnets? pre-filled list of internal networks?).

Feature request justification: have an easier technical solution to conform with local/regional laws around the globe and simplify the choice of decision-makers in favor of pfSense.
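As an added illustration (not part of the original issue and not pfSense's own generated ruleset), the two options above written as plain pf.conf rules. The interface names igb1 and igb2, the table name internal_nets and the RFC1918 ranges in it are assumptions standing in for the reporter's private-addressed interfaces and network alias:

```pf
# Added example: hand-written pf.conf equivalent of the two logging options
# described in the issue. Interface names (igb1, igb2) and the table name are
# assumptions, not names pfSense would generate.

# Alias with every locally routed network, so inter-VLAN flows are not logged.
table <internal_nets> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Option 1: one floating "match" rule. "match" neither passes nor blocks, it only
# logs. It is evaluated inbound on the private-side interfaces, i.e. before
# outbound NAT on WAN rewrites the source, so the pflog record keeps the RFC1918
# source address and port together with the destination address and port.
match in log on { igb1, igb2 } inet from any to ! <internal_nets>

# Option 2: put "log" on the existing pass rule of each private-side interface
# (pfSense: the rule's "Log" checkbox). A preceding pass rule without "log"
# handles internal destinations so that only traffic that will be NATed is logged.
pass in quick on igb1 inet from igb1:network to <internal_nets> keep state
pass in log quick on igb1 inet from igb1:network to ! <internal_nets> keep state
```

Either variant records only the first packet that creates the state (pflog is per rule match, not per state), which is the data pf offers today; the pflog/filterlog output is rotated locally, so a one-year retention requirement still needs the log lines shipped to a remote syslog collector.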


Related issues

Is duplicate of Feature #7800: Add option for state logging (New, 08/22/2017)

#1

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Duplicate

Duplicate of #7800

We're limited at the moment by what pf offers as data for logging, and last I saw, it doesn't support this. It's been a request for a while now.

#2

Updated by Jim Pingle over 3 years ago

  • Is duplicate of Feature #7800: Add option for state logging added