Missing firewal logs

Bugs
,
#1

Running version: VyOS 1.4-rolling-202206130217

I’ve got a fairly basic setup running for testing purposes and trying to display firewall log lines for dropped traffic. The LOCAL-WAN ruleset has default action drop and enable-default-log settings configured. I can see traffic being dropped by: show firewall name LOCAL-WAN

Ruleset Information

---------------------------------
IPv4 Firewall "LOCAL-WAN"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -----------------------------------------------
10       accept    all               371    75720  ct state { established, related }
11       drop      all                 0        0  ct state { invalid }  prefix "[LOCAL-WAN-11-D]"
20       accept    icmp                0        0  meta l4proto icmp  prefix "[LOCAL-WAN-20-A]"
default  drop      all             35684  2004232

But cannot see the associated logging in show log firewall name LOCAL-WAN or monitor firewall name LOCAL-WAN. Also tailing the /var/log/messages do not show any firewall related messages…

I’ve got a show configure commands | strip-private file ready for upload, however I could not upload it right now because my account is just created. :wink:

Any pointers?

Still missing / loosing firewall log capability
#2

Can you just share firewall your firewall “LOCAL-WAN” configuration?

#3

vyos_commands.txt (8.7 KB)

Apparently I now can upload the file; hereby the full config

#4

Plese share output of: sudo nft list chain ip filter NAME_LOCAL-WAN

#5 
table ip filter {
        chain NAME_LOCAL-WAN {
                ct state { established, related } counter packets 1585 bytes 201535 return comment "LOCAL-WAN-10"
                ct state { invalid } log prefix "[LOCAL-WAN-11-D]" counter packets 0 bytes 0 drop comment "LOCAL-WAN-11"
                meta l4proto icmp log prefix "[LOCAL-WAN-20-A]" counter packets 0 bytes 0 return comment "LOCAL-WAN-20"
                meta l4proto { tcp, udp } th dport { 53 } ip daddr { 10.101.0.61-10.101.0.62 } counter packets 14 bytes 939 return comment "LOCAL-WAN-30"
                udp dport { 123 } counter packets 11 bytes 836 return comment "LOCAL-WAN-40"
                ip daddr 10.101.11.1 tcp dport { 80 } counter packets 0 bytes 0 return comment "LOCAL-WAN-50"
                counter packets 0 bytes 0 log prefix "[LOCAL-WAN-default-D]" drop comment "LOCAL-WAN default-action drop"
        }
}

Bear in mind that I’ve still been working on the previously shared config, so you might see differences between this output in relation to the config. The problem however still exists.

#6

According to your oputput, there are no hits on default action. You can see counter at 0, so you won’t find any log related to that rule

counter packets 0 bytes 0 log prefix "[LOCAL-WAN-default-D]" drop comment "LOCAL-WAN default-action drop"
#7

My bad; LOCAL-WAN had indeed no dropped packets on the default drop when I ran that command, attached the outputs again

IPv4 Firewall "LOCAL-WAN"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ------------------------------------------------------------------------------
10       accept    all              1998   282509  ct state { established, related }
11       drop      all                 0        0  ct state { invalid }  prefix "[LOCAL-WAN-11-D]"
20       accept    icmp                0        0  meta l4proto icmp  prefix "[LOCAL-WAN-20-A]"
30       accept    tcp_udp            37     2537  meta l4proto { tcp, udp } th dport { 53 } ip daddr { 10.101.0.61-10.101.0.62 }
40       accept    udp                54     4104  udp dport { 123 }
50       accept    tcp                 1       60  ip daddr 10.101.11.1 tcp dport { 80 }
default  drop      all                 3      180

And the output of sudo nft list chain ip filter NAME_LOCAL-WAN

table ip filter {
        chain NAME_LOCAL-WAN {
                ct state { established, related } counter packets 2029 bytes 286761 return comment "LOCAL-WAN-10"
                ct state { invalid } log prefix "[LOCAL-WAN-11-D]" counter packets 0 bytes 0 drop comment "LOCAL-WAN-11"
                meta l4proto icmp log prefix "[LOCAL-WAN-20-A]" counter packets 0 bytes 0 return comment "LOCAL-WAN-20"
                meta l4proto { tcp, udp } th dport { 53 } ip daddr { 10.101.0.61-10.101.0.62 } counter packets 37 bytes 2537 return comment "LOCAL-WAN-30"
                udp dport { 123 } counter packets 54 bytes 4104 return comment "LOCAL-WAN-40"
                ip daddr 10.101.11.1 tcp dport { 80 } counter packets 1 bytes 60 return comment "LOCAL-WAN-50"
                counter packets 3 bytes 180 log prefix "[LOCAL-WAN-default-D]" drop comment "LOCAL-WAN default-action drop"
        }
}
#8

And still not able to see logs?
Here’s an example:

vyos@vyos:~$ sudo nft list chain ip filter NAME_LOCAL-WAN
table ip filter {
        chain NAME_LOCAL-WAN {
                counter packets 5 bytes 420 log prefix "[LOCAL-WAN-default-D]" drop comment "LOCAL-WAN default-action drop"
        }
}
vyos@vyos:~$ show log firewall name LOCAL-WAN 
Jun 21 17:55:16 vyos kernel: [  107.478245] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1540 PROTO=ICMP TYPE=8 CODE=0 ID=1030 SEQ=1 
Jun 21 17:55:18 vyos kernel: [  109.478781] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1541 PROTO=ICMP TYPE=8 CODE=0 ID=1542 SEQ=2 
Jun 21 17:55:20 vyos kernel: [  111.479513] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1542 PROTO=ICMP TYPE=8 CODE=0 ID=2054 SEQ=3 
Jun 21 17:55:22 vyos kernel: [  113.480506] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1543 PROTO=ICMP TYPE=8 CODE=0 ID=2566 SEQ=4 
Jun 21 17:55:24 vyos kernel: [  115.481185] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1544 PROTO=ICMP TYPE=8 CODE=0 ID=3078 SEQ=5 
vyos@vyos:~$ cat /var/log/messages | grep "LOCAL-WAN-default"
Jun 21 17:55:16 vyos kernel: [  107.478245] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1540 PROTO=ICMP TYPE=8 CODE=0 ID=1030 SEQ=1 
Jun 21 17:55:18 vyos kernel: [  109.478781] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1541 PROTO=ICMP TYPE=8 CODE=0 ID=1542 SEQ=2 
Jun 21 17:55:20 vyos kernel: [  111.479513] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1542 PROTO=ICMP TYPE=8 CODE=0 ID=2054 SEQ=3 
Jun 21 17:55:22 vyos kernel: [  113.480506] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1543 PROTO=ICMP TYPE=8 CODE=0 ID=2566 SEQ=4 
Jun 21 17:55:24 vyos kernel: [  115.481185] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1544 PROTO=ICMP TYPE=8 CODE=0 ID=3078 SEQ=5

If not there, maybe something wrong with that rolling release version

#9

No still no visible logs; I will try and update to another version, see if that will fix the issue.

#10

upgrading to VyOS 1.4-rolling-202206200217 seems to fix the issue

#11

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.