Logging firewall rules not showing?


I use VyOS 1.3rc6 as a home firewall/router.
I have set up some simple firewall rules using policies.

For some strange reason I am not able to see all the traffic shown in the logs.
For example I have a bunch of VMs that require internet access. I created the following rule

set firewall name INSIDE-OUTSIDE default-action ‘drop’
set firewall name INSIDE-OUTSIDE enable-default-log

set firewall name INSIDE-OUTSIDE rule 1101 action ‘accept’
set firewall name INSIDE-OUTSIDE rule 1101 description ‘Allow INSIDE VM Web OUTSIDE’
set firewall name INSIDE-OUTSIDE rule 1101 destination port ‘80,443’
set firewall name INSIDE-OUTSIDE rule 1101 log ‘enable’
set firewall name INSIDE-OUTSIDE rule 1101 protocol ‘tcp’
set firewall name INSIDE-OUTSIDE rule 1101 source group address-group ‘AG_VM_DEVICES’
set firewall name INSIDE-OUTSIDE rule 1101 state new ‘enable’

When I tail -f /var/log/messages | grep INSIDE-OUTSIDE-1101 I get nothing. If I use monitor firewall name INSIDE-OUTSIDE rule 1101 I also get nothing. Yet the VMs are able to access the web.

Is anyone able to tell me what am I missing? I’d like to see all traffic going in and out of the firewall.

Kind Regarded

Can you share full config? You can strip private data: “show config commands | strip-private”
Please, also provide VyOS version: “show version”

Hi n.fort,

Is there anyway to attach the file? This site only supports a certain number of characters


All good… Config attached
config.txt (38.3 KB)


This happens only with rule 1101? Other rules are matching correctly?

Does firewall statistics log show hits on rule 1101 ?

Hi 16again,

Yes, statistics show that I am hitting that rule.

Hi n.fort,

This happens with all rules I’ve tested.

After some testing it looks like it will only log the initial connection? For example if I open a browser I will get a few hits logged. If I then open another browser and search other pages these don’t get any logs. This also happens with pings. If I ping a web host I will get some logs. if I ping to another place or open a new ping these don’t get logged?

Is this expected behavour?


Of course, rule 1101 will only log the intial packet ! The rule has state=new enabled (which isn’t necessary, rules 50 and 51 only leave new packets). All subsequent packets belonging to a flow hit rule 50

Hi 16again,

Amm… ah, thanks, you can see I’m new to VyOS.
I followed this document http://soucy.org/vyos/UsingVyOSasaFirewall.pdf.

So I only need that statement for rule 50 and remove them out of all subsequent rules?

Kind Regards

Hi 16again,

I also noticed they use state new enabled under all the rules created in the following get started guide


So do I need to add it under rule 50?

Kind Regards

All traffic not matched by 50 or 51 can only be state=new
So you can omit state=new on all subsequent rules, but it’s not wrong to leave it in.

So having this statement in is this effecting my logging?
I’ll test and get back. Thanks!

In general, your firewall rules looks OK.
You may need to test if behavior is as you expected. As @16again said, you can see few hits at first in specific firewall entries, such as 1101, because then traffic matches the policy state defined in previous entries.

Hi Nicolas,

I removed the state new enabled out of all of my rules and it seems to be logging correctly and the rules are still being applied. The question is why would you use state new enabled? I tried finding info about the states and how they affect the rules without luck.

Kind Regards

Firewall rules are processed in order. So, if you see firewall examples, you may find that in most cases, policies states are defined at the very first… Why?

As you said, in your example you have removed state policies. So for every connection, firewall are going to be processed until it matches one entry. So, this will be analyze in multiple firewall entries, until, for example, matches your rule 1101.

But, with state policies defined at first, only the first connection will pass through all the firewall rules until it matches rule 1101. Then, all established and related connections will only hit the very first firewall rules.

Comparing both scenarios, CPU load in first case would be higher, since more firewall rules are evaluated every time, while in second scenario, this just happens once.

Thanks Nicolas and 16again … appreciate the help.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.