block rules not logging
-
I'm seeing a strange issue where traffic set to be logged isn't... logging. Here's an example:

There's nothing in the firewall logs (I'm trying to find the device(s) responsible) - I tried resetting the log files, and that just left it all blank. There's no external syslog in use (there was one configured a while back but it's been disabled). The config looks good, things should just be... logged. Any ideas?
-
@beatvjiking you could initiate a connection attempt yourself to check that the rule works. On *nix you use
nc -v 9.9.9.9 853 to test the rule to Quad9.net and ncat -v 9.9.9.9 853 on Windows. Does the first rule log? Do you have hits in the 'State' column for the tcp/udp 853 rule (can't see, the 'traffic is not logged' is in front of it)?
The two rules look fine but it depends what rules are before them, if any of them match that traffic.
-
@patient0 There are hits in the state column, both rules are set to log. Nothing gets logged, though. The bulk of those blocked connections are from my testing.
-
@beatvjiking so none of your rules are logging, or just these 2 rules are not?
You sure you don't have some rules blocking this traffic that are set not to log, or are allowing the traffic.. Your states values could be old counters.
edit: if you toggle the rule disabled and then enabled again it will reset the counters for that rule

-
@johnpoz No rules are logging. I'm quite sure these counters are fresh. There's nothing prior blocking this traffic (including floating rules). The traffic is getting blocked, that's not what I'm worried about - it's just that the logs aren't getting generated.
For context, this is a Netgate 4200 with a PCIe SSD - I did a fresh install of pfSense+ onto the SSD as soon as I received the firewall in January, but after updating to 25.07 there was no firewall logging, period. There were some old logs that could be read, but after I cleared the logs in an attempt to resuscitate logging functionality they've been blank ever since. Just "no logs to display."
I actually have a number of machines I take care of (this is a home router, but I have a number of campus routers) that have failed to log firewall-blocked packets since they were updated to 25.07.1. I'm baffled as to why as none of their logging-related or firewall configurations have changed.
-
@beatvjiking Show the interface of these 'problematic' rules, and your floating ruleset.
-
@beatvjiking so nothing is logging, like system or unbound, nothing - or just the firewall log? Its just blank?
-
@johnpoz just the firewall log. Services log perfectly fine, it's just the firewall log that's blank. Here's the logging config:

@tinfoilmatt it's the LAN interface, the only other rules on it are the anti-lockout and a default allow. Like I said before, there are no floating rules.
-
@beatvjiking So just to be clear—you have no floating rules whatsoever? How many interfaces total?
You could also try checking the Default firewall "block" rules to confirm whether or not the blocked traffic is 'hitting' there.
-
@tinfoilmatt this machine just has WAN and LAN. It's a very basic home router setup. There are no floating rules whatsoever. I did have some before, and those didn't generate any logs either.
To be very clear, this is not an issue of the firewall rules behaving unexpectedly. Traffic is blocked or allowed exactly as expected. It's just not logging the things I tell it to log. I hit a block rule, the packet doesn't pass, the counter goes up, but nothing goes in the log. That's all.
-
Yeah turning on default log should show us that stuff is being logged, since your wan for sure would see bunch of noise that should be blocked by the default deny.
Are you running IDS that could be blocking..
I do not log default deny, but I have many specific rules for logging, and they are all logging just fine.
Might also want to look at the actual rule - does it show logging set? What does the rule say when you, is log set in the rule?
cat /tmp/rules.debug
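As an added example (not code from the thread, and not part of pfSense), here is a small POSIX sh audit that answers the /tmp/rules.debug question mechanically: it pulls the pass/block rules out of a pf ruleset dump and splits them into the ones carrying the log keyword and the ones without it, since a rule without log never reaches pflog0 regardless of what the GUI checkbox says. The ruleset it writes for the demo is constructed in generic pf.conf syntax and is not a real rules.debug; the interface name igc1 and the label text are made up.

```shell
#!/bin/sh
# Added example, not from the thread: audit which pf rules in a ruleset dump
# (such as /tmp/rules.debug) carry the "log" keyword. The sample ruleset
# below is constructed in generic pf.conf syntax, not a real pfSense dump.

# Keep only filter rules; drop comments, options, tables, macros and anchors.
filter_rules() {
  grep -E '^(pass|block|match)( |$)' "$1"
}

# Filter rules that will produce a pflog record when they match.
rules_with_log() {
  filter_rules "$1" | grep -E '(^| )log( |$)'
}

# Filter rules that will never show up in the firewall log.
rules_without_log() {
  filter_rules "$1" | grep -Ev '(^| )log( |$)'
}

# Write a constructed ruleset to the given path (demo input only).
write_sample_ruleset() {
  cat > "$1" <<'EOF'
# constructed sample, pf.conf syntax (assumed names and labels)
set skip on lo0
table <bogons> persist
anchor "userrules/*"
block in log quick on igc1 inet proto { tcp udp } from any to 9.9.9.9 port 853 label "USER_RULE: block DoT"
block in quick on igc1 inet proto tcp from any to any port 25 label "USER_RULE: no outbound smtp"
pass in log quick on igc1 inet from 192.168.1.0/24 to any keep state label "USER_RULE: default allow LAN"
pass in quick on igc1 inet proto tcp from any to (self) port 443 label "anti-lockout rule"
EOF
}

# Stand-alone demo. With "--file /tmp/rules.debug" the functions run against
# a real dump instead of the constructed sample.
if [ "${1:-}" = "--file" ] && [ -n "${2:-}" ]; then
  RULES="$2"
else
  RULES="$(mktemp)"
  write_sample_ruleset "$RULES"
fi
echo "== rules that log =="; rules_with_log "$RULES"
echo "== rules that do NOT log =="; rules_without_log "$RULES"
[ "${1:-}" = "--file" ] || rm -f "$RULES"
```

On the constructed sample the DoT block and the LAN allow come out under "rules that log", while the SMTP block and the anti-lockout rule come out under "do NOT log". If a rule you expect to see in the firewall log lands in the second list, the problem is the ruleset pfSense generated; if it lands in the first list and still never appears in filter.log, the ruleset is fine and the fault is further along the pflog0/syslog path.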
-
@beatvjiking said in block rules not logging:
It's just not logging the things I tell it to log.
This is not a thing. So you're asking for assistance with your own misconfiguration. Take any suggestions offered for what they're worth in that regard.
-
@johnpoz No IDS. I don't normally log default deny either, having turned it on for testing it's also not logging anything. /tmp/rules.debug: rules.debug.txt
-
@johnpoz I also have many rules for logging on a lot of machines, and a lot stopped with 25.07 or 25.07.1. This machine is just the one with the simplest configuration so I figured I'd start here looking for the problem, but couldn't find anything, hence posting here. /var/log/filter.log is blank, but I don't know for sure if that's actually where pfSense pulls the data from when it comes to firewall logs.
-
@beatvjiking If default deny logging isn't working.. Something wrong with log file.. You said you reset them?
Are you doing something with ram drives?
Do you see log entries in the specific file, you should have a /var/log/filter.log
If you do a cat of that file you should see all kinds of stuff in there
-
@beatvjiking said in block rules not logging:
/var/log/filter.log is blank, but I don't know for sure if that's actually where pfSense pulls the data from
It is. That's what the GUI displays.
ls -alh /var/log output would be helpful.
-
I reset the firewall log a while back to see if maybe there was something wrong with the file causing it not to parse or something like that, but after resetting it never repopulated. The file size is 0. No RAM drives in play.
/var/log contents:
total 2.0 MB
drwxr-xr-x 5 root wheel 57B Dec 24 08:08 .
drwxr-xr-x 28 root wheel 28B Feb 25 2025 ..
-rw-r--r-- 1 root wheel 9.9K Dec 18 22:53 apcupsd.events
-rw------- 1 root wheel 28K Dec 24 09:11 auth.log
-rw------- 1 root wheel 197K Dec 24 09:14 dhcpd.log
-rw------- 1 root wheel 499K Dec 1 18:12 dhcpd.log.0
-rw------- 1 root wheel 499K Oct 5 09:08 dhcpd.log.1
-rw------- 1 root wheel 499K Aug 6 16:46 dhcpd.log.2
-rw------- 1 root wheel 499K Jun 8 2025 dhcpd.log.3
-rw------- 1 root wheel 499K Apr 10 2025 dhcpd.log.4
-rw-r--r-- 1 root wheel 12K Dec 12 20:13 dmesg.boot
-rw------- 1 root wheel 0B Dec 12 20:13 filter.log
-rw------- 1 root wheel 9.3K Dec 12 20:14 gateways.log
-rw------- 1 root wheel 343K Dec 24 10:02 ipsec.log
-rw------- 1 root wheel 502K Dec 24 08:08 ipsec.log.0
-rw------- 1 root wheel 500K Dec 24 05:29 ipsec.log.1
-rw------- 1 root wheel 501K Dec 24 02:45 ipsec.log.2
-rw------- 1 root wheel 502K Dec 23 23:59 ipsec.log.3
-rw------- 1 root wheel 501K Dec 23 21:17 ipsec.log.4
-rw------- 1 root wheel 501K Dec 23 18:52 ipsec.log.5
-rw------- 1 root wheel 500K Dec 23 17:13 ipsec.log.6
-rw------- 1 root wheel 0B Dec 12 20:13 l2tps.log
-rw-r--r-- 1 root wheel 0B Feb 10 2025 lastlog
drwxr-xr-x 2 root wheel 3B Feb 10 2025 nginx
-rw------- 1 root wheel 88K Dec 24 09:31 nginx.log
-rw------- 1 root wheel 502K Dec 20 16:47 nginx.log.0
-rw------- 1 root wheel 510K Dec 11 23:39 nginx.log.1
-rw------- 1 root wheel 513K Dec 11 23:17 nginx.log.2
-rw------- 1 root wheel 512K Dec 11 22:55 nginx.log.3
-rw------- 1 root wheel 508K Dec 11 22:33 nginx.log.4
-rw------- 1 root wheel 520K Dec 11 22:11 nginx.log.5
-rw------- 1 root wheel 522K Dec 8 17:49 nginx.log.6
drwxr-xr-x 2 root wheel 2B Feb 10 2025 ntp
-rw------- 1 root wheel 49K Dec 24 00:22 ntpd.log
-rw------- 1 root wheel 0B Dec 12 20:13 openvpn.log
-rw------- 1 root wheel 0B Dec 12 20:13 pfnet-controller.log
-rw------- 1 root wheel 0B Dec 12 20:13 poes.log
-rw------- 1 root wheel 0B Dec 12 20:13 portalauth.log
-rw------- 1 root wheel 0B Dec 12 20:13 ppp.log
-rw------- 1 root wheel 236K Dec 24 09:21 resolver.log
-rw------- 1 root wheel 505K Feb 27 2025 resolver.log.0
-rw------- 1 root wheel 0B Dec 12 20:13 routing.log
drwx------ 3 root wheel 4B Aug 14 23:34 suricata
-rw------- 1 root wheel 319K Dec 24 09:31 system.log
-rw------- 1 root wheel 500K Oct 31 01:02 system.log.0
-rw------- 1 root wheel 519K Aug 4 23:46 system.log.1
-rw------- 1 root wheel 499K May 28 2025 system.log.2
-rw------- 1 root wheel 500K Mar 16 2025 system.log.3
-rw------- 1 root wheel 499K Feb 27 2025 system.log.4
-rw------- 1 root wheel 499K Feb 24 2025 system.log.5
-rw------- 1 root wheel 499K Feb 21 2025 system.log.6
-rw------- 1 root wheel 22K Dec 12 20:14 userlog
-rw-r--r-- 1 root wheel 197B Dec 24 09:11 utx.lastlogin
-rw------- 1 root wheel 1.2K Dec 24 09:11 utx.log
-rw------- 1 root wheel 0B Dec 12 20:13 vpn.log
-rw------- 1 root wheel 0B Dec 12 20:13 watchdogd.log
-rw------- 1 root wheel 0B Dec 12 20:13 wireless.log
-
@beatvjiking have you tried rebooting?
-
@SteveITS Yes, this has persisted across reboots, and releases now.
Looking across the affected machines, I'm seeing that none of them have logged anything in their firewall logs since mid-September, and that corresponded to deploying the latest Netgate-supplied System Patches package and applying the recommended patches within. At this point all the machines have been updated to 25.11 so I'm not sure exactly what version that was or what patches it contained at the time. The machines are also now running the Patches package 2.2.26 with all recommended patches installed (and absolutely no non-Netgate patches, I deploy these only for the official bugfixes/security fixes from Netgate).
-
@beatvjiking so this is happening on multiple routers?
I would try deleting that filter.log file. Then maybe a filter reload.
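The thread narrows the fault to the logging path rather than pf itself: counters increment, so rules match, yet /var/log/filter.log stays at 0 bytes. As an added example (not code from the thread or from pfSense), the POSIX sh script below walks that path stage by stage: pf -> pflog0 -> the filterlog daemon -> syslogd -> filter.log. The offline part builds a constructed /var/log look-alike and classifies its files; the --live part is written for a pfSense/FreeBSD box and assumes the daemon names filterlog and syslogd, the pflog0 interface, and that syslog.conf maps a facility to /var/log/filter.log, none of which the thread confirms.

```shell
#!/bin/sh
# Added example, not from the thread: triage an empty pf firewall log by
# checking each stage of pf -> pflog0 -> filterlog -> syslogd -> filter.log.
# Daemon names, interface and paths in live_checks are assumptions about a
# pfSense/FreeBSD host; the offline checks use a constructed directory.

# Print one word describing a log file: missing, empty or data.
log_state() {
  if [ ! -e "$1" ]; then echo missing
  elif [ ! -s "$1" ]; then echo empty
  else echo data
  fi
}

# List zero-byte *.log files in a directory, one name per line, sorted.
empty_logs() {
  for f in "$1"/*.log; do
    [ -f "$f" ] || continue
    [ -s "$f" ] || basename "$f"
  done | sort
}

# Build a constructed /var/log look-alike (demo input only).
write_sample_logdir() {
  mkdir -p "$1"
  : > "$1/filter.log"                                  # empty, like the thread's 0B file
  printf 'Dec 24 09:31 system message\n' > "$1/system.log"
  printf 'Dec 24 09:21 resolver message\n' > "$1/resolver.log"
  : > "$1/openvpn.log"                                 # empty because the service is unused
}

# Live checks for a real firewall; run as root: sh this.sh --live
live_checks() {
  LOG=/var/log/filter.log
  echo "$LOG: $(log_state "$LOG")"
  # Stage 1: does pf emit logged packets at all? Matches on pflog0 mean the
  # ruleset and the "log" keyword are fine and the fault is downstream.
  echo "--- pflog0 (up to 5 packets, 10s) ---"
  timeout 10 tcpdump -n -e -ttt -i pflog0 -c 5 2>&1 || echo "no logged packets seen on pflog0"
  # Stage 2: the daemon that turns pflog records into syslog lines (assumed name).
  pgrep -lx filterlog || echo "filterlog not running"
  # Stage 3: syslogd itself, and a syslog.conf line that targets filter.log (assumed).
  pgrep -lx syslogd || echo "syslogd not running"
  grep -n 'filter.log' /etc/syslog.conf /etc/syslog.d/* 2>/dev/null || echo "no syslog.conf entry for filter.log"
}

if [ "${1:-}" = "--live" ]; then
  live_checks
else
  D="$(mktemp -d)"
  write_sample_logdir "$D"
  echo "filter.log state: $(log_state "$D/filter.log")"
  echo "empty logs in constructed dir:"; empty_logs "$D"
  rm -rf "$D"
fi
```

Reading the live output: packets on pflog0 but nothing new in filter.log points at filterlog or syslogd (the delete-and-reload suggestion above only helps if the file itself is the problem); no packets on pflog0 while the rule counters still climb means the generated ruleset is not carrying the log keyword for those rules.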