Bug #15741
open
Firewall Logs reporting high volume of rule (@0) entries on OpenVPN interface
Added by Jeff Kuehl 2 months ago.
Updated about 2 months ago.
Affected Plus Version:
24.03
Affected Architecture:
amd64
Description
I found I am receiving many of these "(@0)" listings on any OpenVPN tunnel, which seems to be every piece of traffic going over that interface?
There are no rules set up on that OpenVPN interface. Firewall logging is set up with the 'Manage Firewall Log' settings: '...default block rules...' checked and '...default pass rules...' unchecked.
Files
- Status changed from New to Incomplete
The exact rule can be found using the rule identifier and/or rule number on the state, or checking the generated rules file in /tmp/rules.debug. I'm not aware of any system-generated rule that has that description.
I’ll check the rules.debug file for (@) but that’s the only ID / number each line gives me. I don’t think I explicitly referred to it, but I did attach the image of the ‘Firewall Logs’ page.
It may not be the description, but the rule number. You can cross-reference the rule and state with pfctl -vvss and pfctl -vvsr.
Today, I did make changes to an OVPN client and there are a great amount of entries with @4 now.
I did find the listings with pfctl -vvsr and have added them below; there are a total of 17 'scrub' entries and 570 of the pass/block entries.
The rules.debug had no "@" rules/entries in it.
@0 scrub from any to <vpn_networks:*> max-mss 1400 fragment no reassemble
@1 scrub from <vpn_networks:*> to any max-mss 1400 fragment no reassemble
@2 scrub on igb0 inet all random-id max-mss 1460 fragment reassemble
@3 scrub on igb0 inet6 all random-id max-mss 1440 fragment reassemble
@4 scrub on igb1 inet all random-id fragment reassemble
------------------------------------------------------------
@0 anchor "openvpn/*" all
[ Evaluations: 2058494 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 0 State Creations: 0 ]
[ Last Active Time: N/A ]
@1 anchor "ipsec/*" all
[ Evaluations: 2058494 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 0 State Creations: 0 ]
[ Last Active Time: N/A ]
@2 pass in quick on lo0 inet6 all flags S/SA keep state (if-bound) label "pass IPv6 loopback" ridentifier 1000000001
[ Evaluations: 2058494 Packets: 3401 Bytes: 387959 States: 12 ]
[ Inserted: uid 0 pid 0 State Creations: 56 ]
[ Last Active Time: N/A ]
@3 pass out quick on lo0 inet6 all flags S/SA keep state (if-bound) label "pass IPv6 loopback" ridentifier 1000000002
[ Evaluations: 37011 Packets: 3401 Bytes: 387959 States: 12 ]
[ Inserted: uid 0 pid 0 State Creations: 56 ]
[ Last Active Time: N/A ]
@4 block drop in log quick inet6 all label "Block all IPv6" ridentifier 1000000003
[ Evaluations: 1983461 Packets: 9253 Bytes: 3000164 States: 0 ]
[ Inserted: uid 0 pid 0 State Creations: 0 ]
[ Last Active Time: N/A ]
If rules are being added via an external service, it may be from there as well. Check the anchor rules by running pfSsh.php playback pfanchordrill.
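As an added example (not code from this ticket, from the reporter, or from pfSense), the cross-referencing the two developer comments describe, done against the pfctl -vvsr format quoted above: parse the verbose rule table, then look up the (@N) number the firewall log shows, or the ridentifier that /tmp/rules.debug also carries. The sample pfctl output is constructed (rule @3 is deliberately omitted to show how an unknown number is reported), and the resolver assumes pf's logging convention that a hit on a rule inside an anchor is logged under the anchor rule's main-ruleset number, which is why a number that lands on an anchor line is reported as "look inside that anchor" rather than as a main-ruleset rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample modelled on the `pfctl -vvsr` output quoted in this ticket.
# Not a capture from the reporter's firewall; @3 is left out on purpose.
SAMPLE_PFCTL_VVSR = """\
@0 anchor "openvpn/*" all
  [ Evaluations: 2058494 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 0 State Creations: 0 ]
  [ Last Active Time: N/A ]
@1 anchor "ipsec/*" all
  [ Evaluations: 2058494 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 0 State Creations: 0 ]
  [ Last Active Time: N/A ]
@2 pass in quick on lo0 inet6 all flags S/SA keep state (if-bound) label "pass IPv6 loopback" ridentifier 1000000001
  [ Evaluations: 2058494 Packets: 3401 Bytes: 387959 States: 12 ]
  [ Inserted: uid 0 pid 0 State Creations: 56 ]
  [ Last Active Time: N/A ]
@4 block drop in log quick inet6 all label "Block all IPv6" ridentifier 1000000003
  [ Evaluations: 1983461 Packets: 9253 Bytes: 3000164 States: 0 ]
  [ Inserted: uid 0 pid 0 State Creations: 0 ]
  [ Last Active Time: N/A ]
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
STATS_RE = re.compile(r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]")
LABEL_RE = re.compile(r'\blabel\s+"([^"]*)"')
RID_RE = re.compile(r"\bridentifier\s+(\d+)")
ANCHOR_RE = re.compile(r'^anchor\s+"([^"]+)"')


@dataclass
class PfRule:
    number: int                        # the @N shown by pfctl and by the firewall log
    text: str                          # rule text without the @N prefix
    label: Optional[str] = None        # pfSense's human-readable label, if any
    ridentifier: Optional[int] = None  # pfSense tracker id, also present in /tmp/rules.debug
    anchor: Optional[str] = None       # set when this entry is an anchor rule
    evaluations: int = 0
    packets: int = 0
    states: int = 0


def parse_pfctl_rules(output: str) -> Dict[int, PfRule]:
    """Turn verbose `pfctl -vvsr` text into a map of rule number -> PfRule."""
    rules: Dict[int, PfRule] = {}
    current: Optional[PfRule] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            number, text = int(m.group(1)), m.group(2)
            label, rid, anchor = LABEL_RE.search(text), RID_RE.search(text), ANCHOR_RE.match(text)
            current = PfRule(
                number=number,
                text=text,
                label=label.group(1) if label else None,
                ridentifier=int(rid.group(1)) if rid else None,
                anchor=anchor.group(1) if anchor else None,
            )
            rules[number] = current
            continue
        s = STATS_RE.search(line)
        if s and current is not None:  # counters belong to the rule line just above
            current.evaluations = int(s.group(1))
            current.packets = int(s.group(2))
            current.states = int(s.group(4))
    return rules


def resolve_log_rule(rules: Dict[int, PfRule], number: int) -> dict:
    """Explain what a '(@N)' rule number in the firewall log points at.

    Assumption (pf behaviour, not stated in the ticket): a match on a rule inside
    an anchor is logged under the anchor rule's number from the main ruleset, so
    a number that lands on an 'anchor "..."' line means the real rule lives
    inside that anchor and must be listed separately.
    """
    rule = rules.get(number)
    if rule is None:
        return {"number": number, "kind": "missing",
                "hint": "not in the main ruleset; check anchors with pfSsh.php playback pfanchordrill"}
    if rule.anchor is not None:
        return {"number": number, "kind": "anchor", "anchor": rule.anchor,
                "hint": f"logged rule is inside anchor {rule.anchor!r}; list it with pfSsh.php playback pfanchordrill"}
    return {"number": number, "kind": "rule", "label": rule.label,
            "ridentifier": rule.ridentifier, "packets": rule.packets,
            "logging": " log " in f" {rule.text} "}  # does the rule carry the 'log' keyword?


def find_by_ridentifier(rules: Dict[int, PfRule], rid: int) -> Optional[PfRule]:
    """Look a rule up by pfSense tracker id, the stable value to grep for in /tmp/rules.debug."""
    return next((r for r in rules.values() if r.ridentifier == rid), None)


if __name__ == "__main__":
    table = parse_pfctl_rules(SAMPLE_PFCTL_VVSR)
    for n in (0, 3, 4):
        print(resolve_log_rule(table, n))
```

On a live box the input would come from `pfctl -vvsr` itself; the ridentifier lookup is the more reliable path because rule numbers shift whenever the ruleset is reloaded, whereas the tracker id stays with the GUI rule.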