
Bug #13209

open

Parsing Filter log by pfBlockerNG creates IP Block log with Source/Destination mixed up or wrong Direction

Added by Azamat Khakimyanov about 1 month ago. Updated about 1 month ago.

Status: New
Priority: Low
Assignee: Viktor Gurov
Category: pfBlockerNG
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

According to our customer, he got a weird pfBlockerNG log entry in the 'ip_block.log' file.
For example:
May 20 16:23:12,1653043863, ixl3 ,WAN,block,4,6,TCP-S, 179.x.x.x , 77.y.y.y ,37221,81, out ,BE,pfB_PRI1_v4,77.y.y.0/21,BE_v4,Unknown,Unknown,Unknown,+
where
  1. 179.x.x.x is an external IP
  2. 77.y.y.y is his local IP
  3. ixl3 is his main WAN port
    so for traffic from 179.x.x.x to 77.y.y.y on WAN the direction must be IN, not OUT

I think the parsing function pfb_daemon_filterlog from https://gist.githubusercontent.com/BBcan177/7cb8635199446866d511b97166d65296/raw/ mixes up the Source and Destination IPs or inverts the Direction.
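The report above can be checked mechanically: parse each ip_block.log line into its columns and ask whether the endpoint pfBlockerNG enriched (the source for "in", the destination for "out", which is also the endpoint the matched alias network should cover) is actually one of the firewall's own prefixes. The following is an added example written for this report, not pfBlockerNG's or pfSense's own code. The column layout is read off the sample line in the description; the meaning of the columns after the feed name (the "Unknown,Unknown,Unknown,+" tail) is assumed and kept opaque. The log lines and the local prefix list are constructed for the example, using RFC 5737 documentation addresses in place of the customer's real addresses.

```python
"""Parse pfBlockerNG ip_block.log lines and flag entries whose direction
looks inverted relative to a known set of local (firewall-side) prefixes.

Added example for bug #13209; not pfBlockerNG's own code. Column positions
are read from the sample line in the report; the trailing columns after the
feed name are of unknown meaning here and kept as an opaque list."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed sample lines (not from the report). Line 1 mirrors the reported
# anomaly: inbound from the Internet to a DMZ host, logged as "out" with the
# alias network covering the *local* destination. Line 2 is a correctly
# logged inbound block to the firewall itself.
SAMPLE_LOG = """\
May 20 16:23:12,1653043863, ixl3 ,WAN,block,4,6,TCP-S, 203.0.113.45 , 198.51.100.7 ,37221,81, out ,BE,pfB_PRI1_v4,198.51.100.0/24,BE_v4,Unknown,Unknown,Unknown,+
May 20 16:24:01,1653043912, ixl3 ,WAN,block,4,6,TCP-S, 203.0.113.99 , 198.51.100.1 ,51000,22, in ,BE,pfB_PRI1_v4,203.0.113.0/24,BE_v4,Unknown,Unknown,Unknown,+
"""

# Constructed: prefixes this firewall owns or routes for (WAN side and DMZ).
LOCAL_PREFIXES = ["198.51.100.0/24"]


@dataclass
class IpBlockEntry:
    timestamp: str
    epoch: int
    interface: str        # physical interface, e.g. ixl3
    iface_descr: str      # pfSense interface description, e.g. WAN
    action: str
    ip_version: int
    proto_num: int
    proto: str            # e.g. TCP-S
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    sport: str
    dport: str
    direction: str        # "in" or "out"
    geoip: str            # country code of the enriched endpoint
    alias: str            # matching pfBlockerNG alias, e.g. pfB_PRI1_v4
    matched_net: ipaddress.IPv4Network | ipaddress.IPv6Network
    feed: str
    extra: list[str] = field(default_factory=list)  # trailing columns, meaning assumed unknown


def parse_line(line: str) -> IpBlockEntry:
    """Split one comma-separated ip_block.log line; pfBlockerNG pads some
    fields with spaces, so every column is stripped."""
    cols = [c.strip() for c in line.rstrip("\n").split(",")]
    if len(cols) < 17:
        raise ValueError(f"expected at least 17 columns, got {len(cols)}: {line!r}")
    direction = cols[12].lower()
    if direction not in ("in", "out"):
        raise ValueError(f"unexpected direction {cols[12]!r}")
    return IpBlockEntry(
        timestamp=cols[0], epoch=int(cols[1]), interface=cols[2], iface_descr=cols[3],
        action=cols[4], ip_version=int(cols[5]), proto_num=int(cols[6]), proto=cols[7],
        src=ipaddress.ip_address(cols[8]), dst=ipaddress.ip_address(cols[9]),
        sport=cols[10], dport=cols[11], direction=direction, geoip=cols[13],
        alias=cols[14], matched_net=ipaddress.ip_network(cols[15], strict=False),
        feed=cols[16], extra=cols[17:],
    )


def enriched_endpoint(e: IpBlockEntry):
    """The endpoint pfBlockerNG describes with GeoIP/alias/feed columns:
    the far end of the flow as implied by the logged direction."""
    return e.src if e.direction == "in" else e.dst


def audit(lines, local_prefixes=LOCAL_PREFIXES) -> list[dict]:
    """Return one finding per entry whose enriched endpoint is a local address
    (direction/src/dst likely inverted) or is not covered by the matched network."""
    local = [ipaddress.ip_network(p, strict=False) for p in local_prefixes]
    findings = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        far = enriched_endpoint(e)
        reasons = []
        if far not in e.matched_net:
            reasons.append("matched network does not cover the enriched endpoint")
        if any(far in n for n in local):
            reasons.append("enriched endpoint is a local address; direction looks inverted")
        if reasons:
            findings.append({
                "epoch": e.epoch, "interface": e.interface, "direction": e.direction,
                "src": str(e.src), "dst": str(e.dst), "matched_net": str(e.matched_net),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f)
```

Run against a real ip_block.log with the operator's own prefixes in LOCAL_PREFIXES; every flagged line is one where the ASN/GeoIP/feed columns describe the wrong side of the connection, which is exactly the symptom the comments below describe for routed DMZ traffic.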

#2

Updated by Djerk Geurts about 1 month ago

Happy to provide more detail if needed.

Regarding the interfaces, we actually have 4 WAN interfaces and all internal connections are dual-attached using FRR BGP-routed connections.

We see log entries for firewall-destined traffic reported correctly. But traffic received on a WAN interface routed to the DMZ is reported as outbound traffic. Thus pfBlockerNG provides (ASN, object etc.) details on the (DMZ) destination rather than the source of the logged traffic.

#3

Updated by Djerk Geurts about 1 month ago

Azamat Khakimyanov wrote:

I think the parsing function pfb_daemon_filterlog from https://gist.githubusercontent.com/BBcan177/7cb8635199446866d511b97166d65296/raw/ mixes up the Source and Destination IPs or inverts the Direction.

Could this be related to our 4 WAN interface config? We're using a gateway group, and due to BGP routing DMZ hosts aren't seen as directly connected to the firewall, aka there's a gateway required to reach them.
