Bug #1282

Default drop policy should log?

Added by rancor rancor over 8 years ago. Updated over 8 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
02/14/2011
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.0
Affected Architecture:

Description

I have spent hours debugging different network configurations and VPN configurations (IPsec and OpenVPN) just to find out that I was making a very simple mistake, but since I had gone "blind" to my own mistake I didn't realize what I had done wrong.

I was misled by my own conception that all factory DROP statements came with the LOG option, but when I ran pfctl -srules I saw what the problem was.

It's maybe not a bug, but it's at least a humble feature request to change all default drop statements to include the LOG option, to make it simpler to debug what's going on. At the very least, the advanced tab of the firewall settings should offer an option to add LOG to all drop statements.

Best regards rancor

History

#1 Updated by Jim Pingle over 8 years ago

  • Status changed from New to Rejected

It already does log:

block in log all label "Default deny rule" 
block out log all label "Default deny rule" 

You may have disabled it under Status > System Logs, on the Settings tab.

#2 Updated by rancor rancor over 8 years ago

I do not agree, and I do have logging on by default for blocks.

I have 3 interfaces: WAN, LAN and DMZ.

I added one new interface called DMZ, then an OpenVPN tunnel to LAN, and made 3 NAT rules from a "stock" install.

Traffic from the tunnel to LAN is blocked without any notice at all, but when I allowed any from any to any on the OpenVPN interface it started to work. If there were a "block log" rule it should have notified me about what was blocked, but the log did not give me any hints.

These are my rules:

$ pfctl -srules
scrub in on sis0 all fragment reassemble
scrub in on sis1 all fragment reassemble
scrub in on sis2 all fragment reassemble
anchor "relayd/*" all
block drop in log all label "Default deny rule" 
block drop out log all label "Default deny rule" 
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts" 
block drop quick from any to <snort2c> label "Block snort2c hosts" 
block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout" 
block drop in log quick proto tcp from <webConfiguratorlockout> to any port = http label "webConfiguratorlockout" 
block drop in quick from <virusprot> to any label "virusprot overload table" 
block drop in on ! sis0 inet from 85.230.x.0/21 to any
block drop in inet from 85.230.x.x to any
block drop in on sis0 inet6 from fe80::200:24ff:x:x to any
pass in on sis0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN" 
pass out on sis0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN" 
block drop in on ! sis1 inet from 192.168.10.0/24 to any
block drop in inet from 192.168.10.1 to any
block drop in on sis1 inet6 from fe80::200:24ff:x:x to any
pass in on sis1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" 
pass in on sis1 inet proto udp from any port = bootpc to 192.168.10.1 port = bootps keep state label "allow access to DHCP server" 
pass out on sis1 inet proto udp from 192.168.10.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server" 
block drop in on ! sis2 inet from 10.1.100.0/24 to any
block drop in inet from 10.1.100.1 to any
block drop in on sis2 inet6 from fe80::200:24ff:x:x to any
pass in on sis2 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" 
pass in on sis2 inet proto udp from any port = bootpc to 10.1.100.1 port = bootps keep state label "allow access to DHCP server" 
pass out on sis2 inet proto udp from 10.1.100.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server" 
pass in on lo0 all flags S/SA keep state label "pass loopback" 
pass out on lo0 all flags S/SA keep state label "pass loopback" 
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself" 
pass out route-to (sis0 85.230.168.1) inet from 85.230.x.x to ! 85.230.x.0/21 flags S/SA keep state allow-opts label "let out anything from firewall host itself" 
pass in quick on sis1 proto tcp from any to (sis1) port = http flags S/SA keep state label "anti-lockout rule" 
pass in quick on sis0 reply-to (sis0 85.230.x.1) inet proto udp from any to 85.230.x.x port = 1194 keep state label "USER_RULE" 
pass in quick on sis0 reply-to (sis0 85.230.x.1) inet proto tcp from any to 192.168.10.220 flags S/SA keep state label "USER_RULE: NAT " 
pass in quick on sis0 reply-to (sis0 85.230.x.1) inet proto tcp from any to 192.168.10.200 flags S/SA keep state label "USER_RULE: NAT " 
pass in quick on sis0 reply-to (sis0 85.230.x.1) inet proto udp from any to 192.168.10.200 keep state label "USER_RULE: NAT " 
pass in quick on sis1 inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" 
anchor "tftp-proxy/*" all
anchor "miniupnpd" all
