Missing firewall logs

Running version: VyOS 1.4-rolling-202206130217

I’ve got a fairly basic setup running for testing purposes and am trying to display firewall log lines for dropped traffic. The LOCAL-WAN ruleset has default action drop and enable-default-log configured. I can see traffic being dropped by: show firewall name LOCAL-WAN

Ruleset Information

---------------------------------
IPv4 Firewall "LOCAL-WAN"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -----------------------------------------------
10       accept    all               371    75720  ct state { established, related }
11       drop      all                 0        0  ct state { invalid }  prefix "[LOCAL-WAN-11-D]"
20       accept    icmp                0        0  meta l4proto icmp  prefix "[LOCAL-WAN-20-A]"
default  drop      all             35684  2004232

But I cannot see the associated logging in show log firewall name LOCAL-WAN or monitor firewall name LOCAL-WAN. Also, tailing /var/log/messages does not show any firewall related messages…

I’ve got a show configure commands | strip-private file ready for upload, however I could not upload it right now because my account is just created. :wink:

Any pointers?

Can you just share your firewall “LOCAL-WAN” configuration?

vyos_commands.txt (8.7 KB)

Apparently I can now upload the file; here is the full config

Please share the output of: sudo nft list chain ip filter NAME_LOCAL-WAN

table ip filter {
        chain NAME_LOCAL-WAN {
                ct state { established, related } counter packets 1585 bytes 201535 return comment "LOCAL-WAN-10"
                ct state { invalid } log prefix "[LOCAL-WAN-11-D]" counter packets 0 bytes 0 drop comment "LOCAL-WAN-11"
                meta l4proto icmp log prefix "[LOCAL-WAN-20-A]" counter packets 0 bytes 0 return comment "LOCAL-WAN-20"
                meta l4proto { tcp, udp } th dport { 53 } ip daddr { 10.101.0.61-10.101.0.62 } counter packets 14 bytes 939 return comment "LOCAL-WAN-30"
                udp dport { 123 } counter packets 11 bytes 836 return comment "LOCAL-WAN-40"
                ip daddr 10.101.11.1 tcp dport { 80 } counter packets 0 bytes 0 return comment "LOCAL-WAN-50"
                counter packets 0 bytes 0 log prefix "[LOCAL-WAN-default-D]" drop comment "LOCAL-WAN default-action drop"
        }
}

Bear in mind that I’ve still been working on the previously shared config, so you might see differences between this output in relation to the config. The problem however still exists.

According to your output, there are no hits on the default action. You can see the counter at 0, so you won’t find any log related to that rule

counter packets 0 bytes 0 log prefix "[LOCAL-WAN-default-D]" drop comment "LOCAL-WAN default-action drop"

My bad; LOCAL-WAN indeed had no dropped packets on the default drop when I ran that command. I’ve attached the outputs again

IPv4 Firewall "LOCAL-WAN"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ------------------------------------------------------------------------------
10       accept    all              1998   282509  ct state { established, related }
11       drop      all                 0        0  ct state { invalid }  prefix "[LOCAL-WAN-11-D]"
20       accept    icmp                0        0  meta l4proto icmp  prefix "[LOCAL-WAN-20-A]"
30       accept    tcp_udp            37     2537  meta l4proto { tcp, udp } th dport { 53 } ip daddr { 10.101.0.61-10.101.0.62 }
40       accept    udp                54     4104  udp dport { 123 }
50       accept    tcp                 1       60  ip daddr 10.101.11.1 tcp dport { 80 }
default  drop      all                 3      180

And the output of sudo nft list chain ip filter NAME_LOCAL-WAN

table ip filter {
        chain NAME_LOCAL-WAN {
                ct state { established, related } counter packets 2029 bytes 286761 return comment "LOCAL-WAN-10"
                ct state { invalid } log prefix "[LOCAL-WAN-11-D]" counter packets 0 bytes 0 drop comment "LOCAL-WAN-11"
                meta l4proto icmp log prefix "[LOCAL-WAN-20-A]" counter packets 0 bytes 0 return comment "LOCAL-WAN-20"
                meta l4proto { tcp, udp } th dport { 53 } ip daddr { 10.101.0.61-10.101.0.62 } counter packets 37 bytes 2537 return comment "LOCAL-WAN-30"
                udp dport { 123 } counter packets 54 bytes 4104 return comment "LOCAL-WAN-40"
                ip daddr 10.101.11.1 tcp dport { 80 } counter packets 1 bytes 60 return comment "LOCAL-WAN-50"
                counter packets 3 bytes 180 log prefix "[LOCAL-WAN-default-D]" drop comment "LOCAL-WAN default-action drop"
        }
}

And still not able to see logs?
Here’s an example:

vyos@vyos:~$ sudo nft list chain ip filter NAME_LOCAL-WAN
table ip filter {
        chain NAME_LOCAL-WAN {
                counter packets 5 bytes 420 log prefix "[LOCAL-WAN-default-D]" drop comment "LOCAL-WAN default-action drop"
        }
}
vyos@vyos:~$ show log firewall name LOCAL-WAN 
Jun 21 17:55:16 vyos kernel: [  107.478245] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1540 PROTO=ICMP TYPE=8 CODE=0 ID=1030 SEQ=1 
Jun 21 17:55:18 vyos kernel: [  109.478781] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1541 PROTO=ICMP TYPE=8 CODE=0 ID=1542 SEQ=2 
Jun 21 17:55:20 vyos kernel: [  111.479513] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1542 PROTO=ICMP TYPE=8 CODE=0 ID=2054 SEQ=3 
Jun 21 17:55:22 vyos kernel: [  113.480506] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1543 PROTO=ICMP TYPE=8 CODE=0 ID=2566 SEQ=4 
Jun 21 17:55:24 vyos kernel: [  115.481185] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1544 PROTO=ICMP TYPE=8 CODE=0 ID=3078 SEQ=5 
vyos@vyos:~$ cat /var/log/messages | grep "LOCAL-WAN-default"
Jun 21 17:55:16 vyos kernel: [  107.478245] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1540 PROTO=ICMP TYPE=8 CODE=0 ID=1030 SEQ=1 
Jun 21 17:55:18 vyos kernel: [  109.478781] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1541 PROTO=ICMP TYPE=8 CODE=0 ID=1542 SEQ=2 
Jun 21 17:55:20 vyos kernel: [  111.479513] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1542 PROTO=ICMP TYPE=8 CODE=0 ID=2054 SEQ=3 
Jun 21 17:55:22 vyos kernel: [  113.480506] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1543 PROTO=ICMP TYPE=8 CODE=0 ID=2566 SEQ=4 
Jun 21 17:55:24 vyos kernel: [  115.481185] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1544 PROTO=ICMP TYPE=8 CODE=0 ID=3078 SEQ=5 

If it’s not there, maybe something is wrong with that rolling release version
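The check the reply above does by eye (compare the nft packet counter of each logging rule with the log lines carrying its prefix), as an added Python example that is not part of the thread; it assumes the VyOS 1.4 "[<NAME>-<RULE>-<ACTION>]" log prefix format shown in the outputs above and uses constructed sample data.

```python
import re
from collections import Counter

# Constructed sample in the shape `sudo nft list chain ip filter NAME_<RULESET>` prints on VyOS 1.4.
NFT_CHAIN = """table ip filter {
        chain NAME_LOCAL-WAN {
                ct state { established, related } counter packets 2029 bytes 286761 return comment "LOCAL-WAN-10"
                ct state { invalid } log prefix "[LOCAL-WAN-11-D]" counter packets 0 bytes 0 drop comment "LOCAL-WAN-11"
                counter packets 3 bytes 180 log prefix "[LOCAL-WAN-default-D]" drop comment "LOCAL-WAN default-action drop"
        }
}"""
# Constructed sample kernel log lines (the last one is unrelated noise and must be ignored).
KERNEL_LOG = """Jun 21 17:55:16 vyos kernel: [  107.478245] [LOCAL-WAN-default-D]IN=eth1 OUT= MAC=50:00:00:01:00:01:00:50:79:66:68:04:08:00 SRC=10.10.10.10 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1540 PROTO=ICMP TYPE=8 CODE=0 ID=1030 SEQ=1
Jun 21 17:55:18 vyos kernel: [  109.478781] [LOCAL-WAN-default-D]IN=eth1 OUT= SRC=10.10.10.10 DST=10.10.10.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 SEQ=2
Jun 21 17:55:20 vyos sshd[1234]: Accepted publickey for vyos from 10.10.10.5"""

# Prefix is "<ruleset>-<rule number or 'default'>-<action letter>", followed directly by the packet fields.
LOG_LINE = re.compile(r"kernel: \[\s*[\d.]+\] \[(?P<prefix>[A-Za-z0-9_-]+-(?:\d+|default)-[A-Z])\](?P<fields>.*)$")


def parse_nft_chain(text):
    """Map each log prefix in the chain to its packet counter; rules without `log` are skipped."""
    rules = {}
    for line in text.splitlines():
        pkts = re.search(r"counter packets (\d+)", line)
        prefix = re.search(r'log prefix "\[([^\]]+)\]"', line)
        if pkts and prefix:
            rules[prefix.group(1)] = int(pkts.group(1))
    return rules


def parse_log_line(line):
    """Split a VyOS firewall kernel log line into ruleset/rule/action plus the main packet fields."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    ruleset, rule, action = m.group("prefix").rsplit("-", 2)
    return {"ruleset": ruleset, "rule": rule, "action": action, "in": fields.get("IN"), "src": fields.get("SRC"), "dst": fields.get("DST"), "proto": fields.get("PROTO")}


def reconcile(nft_text, log_text):
    """Per log prefix: (nft packets, log lines seen, verdict). Counter 0 means nothing to log yet; hits without lines blame the logging path."""
    seen = Counter()
    for line in log_text.splitlines():
        p = parse_log_line(line)
        if p:
            seen[f"{p['ruleset']}-{p['rule']}-{p['action']}"] += 1
    report = {}
    for prefix, pkts in parse_nft_chain(nft_text).items():
        logged = seen.get(prefix, 0)
        verdict = "no hits, nothing to log" if pkts == 0 else ("ok" if logged else "hits but no log lines")
        report[prefix] = (pkts, logged, verdict)
    return report
```

Feed it the live outputs of `sudo nft list chain ip filter NAME_LOCAL-WAN` and `show log firewall name LOCAL-WAN` to separate "rule never matched" from "logging is broken".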

No, still no visible logs; I will try and update to another version, to see if that will fix the issue.

Upgrading to VyOS 1.4-rolling-202206200217 seems to fix the issue
