Bug #15741

open

Firewall Logs reporting high volume of rule (@0) entries on OpenVPN interface

Added by Jeff Kuehl 3 months ago. Updated 3 months ago.

Status:
Incomplete
Priority:
Low
Assignee:
-
Category:
Logging
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Release Notes:
Default
Affected Plus Version:
24.03
Affected Architecture:
amd64

Description

I found I am receiving many of these "(@0)" listings on any OpenVPN tunnel, which seems to be every piece of traffic going over that interface?

There are no rules set up on that OpenVPN interface. Firewall logging is set up through the 'Manage Firewall Log' settings, with '...default block rules...' checked and '...default pass rules...' unchecked.


Files

chrome_rI5Cfa4Mtl.jpg (165 KB) Jeff Kuehl, 09/20/2024 10:29 PM

#1

Updated by Marcos M 3 months ago

  • Status changed from New to Incomplete

The exact rule can be found using the rule identifier and/or rule number on the state, or checking the generated rules file in /tmp/rules.debug. I'm not aware of any system-generated rule that has that description.

#2

Updated by Jeff Kuehl 3 months ago

I'll check the rules.debug file for (@), but that's the only ID/number each line gives me. I don't think I explicitly referred to it, but I did attach the image of the 'Firewall Logs' page.

#3

Updated by Marcos M 3 months ago

It may not be the description, but the rule number. You can cross-reference the rule and state with pfctl -vvss and pfctl -vvsr.

#4

Updated by Jeff Kuehl 3 months ago

Today I did make changes to an OVPN client, and there are a great many entries with @4 now.

I did find the listings with pfctl -vvsr and have added them below; there are a total of 17 'scrub' entries and 570 of the pass/block entries.

The rules.debug had no "@" rules/entries in it.

@0 scrub from any to <vpn_networks:*> max-mss 1400 fragment no reassemble
@1 scrub from <vpn_networks:*> to any max-mss 1400 fragment no reassemble
@2 scrub on igb0 inet all random-id max-mss 1460 fragment reassemble
@3 scrub on igb0 inet6 all random-id max-mss 1440 fragment reassemble
@4 scrub on igb1 inet all random-id fragment reassemble

------------------------------------------------------------
@0 anchor "openvpn/*" all
[ Evaluations: 2058494 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 0 State Creations: 0 ]
[ Last Active Time: N/A ]
@1 anchor "ipsec/*" all
[ Evaluations: 2058494 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 0 State Creations: 0 ]
[ Last Active Time: N/A ]
@2 pass in quick on lo0 inet6 all flags S/SA keep state (if-bound) label "pass IPv6 loopback" ridentifier 1000000001
[ Evaluations: 2058494 Packets: 3401 Bytes: 387959 States: 12 ]
[ Inserted: uid 0 pid 0 State Creations: 56 ]
[ Last Active Time: N/A ]
@3 pass out quick on lo0 inet6 all flags S/SA keep state (if-bound) label "pass IPv6 loopback" ridentifier 1000000002
[ Evaluations: 37011 Packets: 3401 Bytes: 387959 States: 12 ]
[ Inserted: uid 0 pid 0 State Creations: 56 ]
[ Last Active Time: N/A ]
@4 block drop in log quick inet6 all label "Block all IPv6" ridentifier 1000000003
[ Evaluations: 1983461 Packets: 9253 Bytes: 3000164 States: 0 ]
[ Inserted: uid 0 pid 0 State Creations: 0 ]
[ Last Active Time: N/A ]

#5

Updated by Marcos M 3 months ago

If rules are being added via an external service, it may be from there as well. Check the anchor rules by running pfSsh.php playback pfanchordrill.
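Added example, not code from the ticket or from pfSense: a small shell helper that performs the cross-reference suggested in #3 and #5, run here over a constructed sample built from the pfctl -vvsr excerpt in #4. It relies on two facts about pf/pfSense: rule numbers are assigned per ruleset, so the main ruleset and every anchor (openvpn/*, ipsec/*, ...) each start at @0, and filterlog entries begin with the fields rule number, sub-rule number, anchor, tracker, real interface. The function names and the sample log lines are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): map a firewall log "(@N)" rule
# number back to a rule in `pfctl -vvsr` output.  pf numbers rules per
# ruleset, so "@0" alone is ambiguous: the main ruleset and each anchor
# all start at @0.  The anchor field of the log entry says which one.
# Usage on a pfSense box:
#   pfctl -vvsr | pf_rule_by_num 4
#   pfctl -a 'openvpn/*' -vvsr | pf_rule_by_num 0   # rules inside an anchor

# Print the rule numbered "@$1" and the "[ ... ]" stats lines under it.
pf_rule_by_num() {
    awk -v want="@$1" '
        /^@[0-9]+ / { show = ($1 == want) }   # a rule line starts with "@N "
        show { print }                        # rule line plus its stats lines
    '
}

# Print only the pfSense tracker ID ("ridentifier NNN") of that rule, if any.
pf_tracker_by_num() {
    pf_rule_by_num "$1" | awk '
        /^@/ { for (i = 1; i <= NF; i++) if ($i == "ridentifier") print $(i + 1) }
    '
}

# filterlog payloads are comma-separated; fields 1 and 3 are the rule
# number and the anchor (empty for the main ruleset).  Prints
# "<ruleset> @<rule>" so you know which ruleset to list with pfctl.
pf_log_ruleset() {
    awk -F, '{ ruleset = ($3 == "" ? "main" : $3); print ruleset " @" $1 }'
}

# Constructed sample mirroring the pfctl -vvsr excerpt posted in #4.
SAMPLE_RULES='@2 pass in quick on lo0 inet6 all flags S/SA keep state (if-bound) label "pass IPv6 loopback" ridentifier 1000000001
[ Evaluations: 2058494 Packets: 3401 Bytes: 387959 States: 12 ]
@4 block drop in log quick inet6 all label "Block all IPv6" ridentifier 1000000003
[ Evaluations: 1983461 Packets: 9253 Bytes: 3000164 States: 0 ]'

# Constructed filterlog payloads (only the leading fields matter here):
# a hit on main-ruleset rule @4, then a hit on rule @0 of the openvpn anchor.
SAMPLE_LOG='4,,,1000000003,igb0,match,block,in,6
0,,openvpn,0,ovpns1,match,block,in,4'

printf '%s\n' "$SAMPLE_RULES" | pf_rule_by_num 4
printf '%s\n' "$SAMPLE_RULES" | pf_tracker_by_num 4   # 1000000003
printf '%s\n' "$SAMPLE_LOG"   | pf_log_ruleset        # main @4, then openvpn @0
```

The second log line is the case this ticket is about: an "@0" whose anchor field is not empty belongs to that anchor's ruleset, which `pfctl -vvsr` on the main ruleset does not show; list it with `pfctl -a '<anchor>' -vvsr` or walk all anchors with pfanchordrill as suggested in #5.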
