firewall: NAT rule logging improvements #5005
|
Hi, If you need any further info please let me know :) Kind regards |
|
Additional information from KeyHand here: https://forum.opnsense.org/index.php?topic=23192.msg112811#msg112811 |
|
Hi Peter, This is a fun one. ;) When using port forwards and using Filter rule association "pass" with logging enabled will pop up the traffic in the firewall log: The problem here is as described a limitation of the filterlog output. However, a state is being created for this redirect rule: And you can see the NAT origin... There are two TODOs here:
Cheers, |
|
Hello Franco, Thank you for your reply. I tried to follow your screenshots but I do not have a "Firewall:Diagnostics:States" page. I only have States dump, States reset, or States summary. This page you have accessed I cannot find. In addition, if you would like me to check anything please let me know and I will do so :) Kind regards, |
|
Hi Pete, The page I showed is from the upcoming 21.7 release. It sort of replaces the states dump page, although the NAT information is on that older page as well. With an associated pass rule, using inspect on the development version allows one to directly fetch the associated states. Though the logging is incorrect IMO as rdr is no longer logged (not the final action I suppose): Cheers, |
|
Hi Pete, With opnsense/src@bdb244c37d and a separate firewall pass rule it looks like this now: I suppose seeing NAT log pre-NAT and firewall rule post-NAT is the desired result? :) Cheers, |
|
Hi Franco, This is very interesting. How did you manage to achieve this result? I do not use the dev version... is there any way I can test this to check what happens my side? It looks like it is showing both the original destination and the destination after the rewrite occurs in your screenshot which is excellent. Kind regards |
|
The snapshot kernel to try is: Cheers, |
|
Hi Franco, Thank you for your reply. Apologies for bothering you further but I was not able to complete this. This is the output: Enter an option: 8 root@OPNsense:~ # opnsense-update -zkr 21.7.r1_1 Kind regards |
|
Hi Pete, Which mirror are you using? The default mirror should be good. The file was only published today. Cheers, |
|
Apologies again. It must be something my side. I cannot get it to work. My settings are: Could it be because I am using libressl (not a default setting)? Sorry I feel bad wasting your time. This is most likely due to my specific config it's not working so apologies again in advance. Kind regards |
|
Sorry, my fault... it's actually: |
No problem, actually it was opnsense-update -zkr 21.7.r_1 but I managed to guess that myself so it has installed. I will test and come back to you in a little while :) (without the z it fails) |
|
Hi Peter, It was a mix of reading a bit of source code and remembering that logging already worked somehow. Glad we could put the pieces together. This will likely end up in OPNsense 21.7, but not the RC1 to be released next week. To keep the code in place lock "kernel" package from the firmware packages tab. Close then? :) Cheers, |
|
Yes please. Thank you for your time. It is appreciated. Kind regards |
See also opnsense/core#5005 Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D31504
Hello,
I tried asking my question on the forum, but nobody knows the answer.
https://forum.opnsense.org/index.php?topic=23192.0
I'm happy to either continue on the forum or here depending on your preference, but I don't know how to get this information from the logs.
Please let me know your preferred method to proceed and I will do my best to accommodate as you require :)
I believe this information should be exposed because it has security implications, being able to monitor what external addresses internal IPs are accessing.
Looking forward to your insight :) Hope you are having a good day so far :)
Kind regards
Peter