block rules not logging
-
Yeah turning on default log should show us that stuff is being logged, since your WAN for sure would see a bunch of noise that should be blocked by the default deny.
Are you running IDS that could be blocking..
I do not log default deny, but I have many specific rules for logging, and they are all logging just fine.
Might also want to look at the actual rule - does it show logging set? What does the rule say when you, is log set in the rule?
cat /tmp/rules.debug
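The check suggested in the post above, whether each rule in /tmp/rules.debug actually carries pf's `log` keyword, as an added example that is not part of the original thread. The function names and the sample rules are constructed for illustration; quoted labels are stripped first so a description containing the word "log" does not count.

```shell
#!/bin/sh
# Added example: report which pf filter rules carry the "log" keyword.
# Usage on a firewall: sh this_script /tmp/rules.debug

# Constructed sample rules (not taken from the thread's rules.debug.txt).
sample_rules() {
cat <<'EOF'
scrub on $WAN inet all fragment reassemble
block in log inet all label "Default deny rule IPv4"
block in quick on $WAN inet proto tcp from any to any port 23 label "USER_RULE: log telnet"
pass in log (all) quick on $LAN inet from any to any label "USER_RULE: lan out"
pass out inet all keep state label "let out anything"
EOF
}

# Prints one line per filter rule: LOG|NOLOG <tab> line number <tab> rule text.
audit_log_flags() {
    awk '
    # Only filter rules: lines whose first word is an action keyword.
    $1 == "block" || $1 == "pass" || $1 == "match" {
        line = $0
        # Drop quoted strings so label text is never mistaken for the keyword.
        gsub(/"[^"]*"/, "", line)
        n = split(line, tok)
        flag = "NOLOG"
        for (i = 2; i <= n; i++) {
            # The keyword may be bare or carry options, e.g. log (all).
            if (tok[i] == "log" || tok[i] ~ /^log\(/) { flag = "LOG"; break }
        }
        printf "%s\t%d\t%s\n", flag, NR, $0
    }' "$1"
}

# Audit the file given as an argument, or the constructed sample if none.
if [ -n "${1:-}" ]; then
    audit_log_flags "$1"
else
    tmp=$(mktemp)
    sample_rules > "$tmp"
    audit_log_flags "$tmp"
    rm -f "$tmp"
fi
```

Rules reported as LOG that still produce nothing in /var/log/filter.log rule out the ruleset as the cause.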
-
@beatvjiking said in block rules not logging:
It's just not logging the things I tell it to log.
This is not a thing. So you're asking for assistance with your own misconfiguration. Take any suggestions offered for what they're worth in that regard.
-
@johnpoz No IDS. I don't normally log default deny either, having turned it on for testing it's also not logging anything. /tmp/rules.debug: rules.debug.txt
-
@johnpoz I also have many rules for logging on a lot of machines, and a lot stopped with 25.07 or 25.07.1. This machine is just the one with the simplest configuration so I figured I'd start here looking for the problem, but couldn't find anything, hence posting here. /var/log/filter.log is blank, but I don't know for sure if that's actually where pfSense pulls the data from when it comes to firewall logs.
-
@beatvjiking If default deny logging isn't working.. Something wrong with log file.. You said you reset them?
Are you doing something with ram drives?
Do you see log entries in the specific file, you should have a /var/log/filter.log
If you do a cat of that file you should see all kinds of stuff in there
-
@beatvjiking said in block rules not logging:
/var/log/filter.log is blank, but I don't know for sure if that's actually where pfSense pulls the data from
It is. That's what the GUI displays.
ls -alh /var/log output would be helpful.
-
I reset the firewall log a while back to see if maybe there was something wrong with the file causing it not to parse or something like that, but after resetting it never repopulated. The file size is 0. No RAM drives in play.
/var/log contents:
total 2.0 MB
drwxr-xr-x 5 root wheel 57B Dec 24 08:08 .
drwxr-xr-x 28 root wheel 28B Feb 25 2025 ..
-rw-r--r-- 1 root wheel 9.9K Dec 18 22:53 apcupsd.events
-rw------- 1 root wheel 28K Dec 24 09:11 auth.log
-rw------- 1 root wheel 197K Dec 24 09:14 dhcpd.log
-rw------- 1 root wheel 499K Dec 1 18:12 dhcpd.log.0
-rw------- 1 root wheel 499K Oct 5 09:08 dhcpd.log.1
-rw------- 1 root wheel 499K Aug 6 16:46 dhcpd.log.2
-rw------- 1 root wheel 499K Jun 8 2025 dhcpd.log.3
-rw------- 1 root wheel 499K Apr 10 2025 dhcpd.log.4
-rw-r--r-- 1 root wheel 12K Dec 12 20:13 dmesg.boot
-rw------- 1 root wheel 0B Dec 12 20:13 filter.log
-rw------- 1 root wheel 9.3K Dec 12 20:14 gateways.log
-rw------- 1 root wheel 343K Dec 24 10:02 ipsec.log
-rw------- 1 root wheel 502K Dec 24 08:08 ipsec.log.0
-rw------- 1 root wheel 500K Dec 24 05:29 ipsec.log.1
-rw------- 1 root wheel 501K Dec 24 02:45 ipsec.log.2
-rw------- 1 root wheel 502K Dec 23 23:59 ipsec.log.3
-rw------- 1 root wheel 501K Dec 23 21:17 ipsec.log.4
-rw------- 1 root wheel 501K Dec 23 18:52 ipsec.log.5
-rw------- 1 root wheel 500K Dec 23 17:13 ipsec.log.6
-rw------- 1 root wheel 0B Dec 12 20:13 l2tps.log
-rw-r--r-- 1 root wheel 0B Feb 10 2025 lastlog
drwxr-xr-x 2 root wheel 3B Feb 10 2025 nginx
-rw------- 1 root wheel 88K Dec 24 09:31 nginx.log
-rw------- 1 root wheel 502K Dec 20 16:47 nginx.log.0
-rw------- 1 root wheel 510K Dec 11 23:39 nginx.log.1
-rw------- 1 root wheel 513K Dec 11 23:17 nginx.log.2
-rw------- 1 root wheel 512K Dec 11 22:55 nginx.log.3
-rw------- 1 root wheel 508K Dec 11 22:33 nginx.log.4
-rw------- 1 root wheel 520K Dec 11 22:11 nginx.log.5
-rw------- 1 root wheel 522K Dec 8 17:49 nginx.log.6
drwxr-xr-x 2 root wheel 2B Feb 10 2025 ntp
-rw------- 1 root wheel 49K Dec 24 00:22 ntpd.log
-rw------- 1 root wheel 0B Dec 12 20:13 openvpn.log
-rw------- 1 root wheel 0B Dec 12 20:13 pfnet-controller.log
-rw------- 1 root wheel 0B Dec 12 20:13 poes.log
-rw------- 1 root wheel 0B Dec 12 20:13 portalauth.log
-rw------- 1 root wheel 0B Dec 12 20:13 ppp.log
-rw------- 1 root wheel 236K Dec 24 09:21 resolver.log
-rw------- 1 root wheel 505K Feb 27 2025 resolver.log.0
-rw------- 1 root wheel 0B Dec 12 20:13 routing.log
drwx------ 3 root wheel 4B Aug 14 23:34 suricata
-rw------- 1 root wheel 319K Dec 24 09:31 system.log
-rw------- 1 root wheel 500K Oct 31 01:02 system.log.0
-rw------- 1 root wheel 519K Aug 4 23:46 system.log.1
-rw------- 1 root wheel 499K May 28 2025 system.log.2
-rw------- 1 root wheel 500K Mar 16 2025 system.log.3
-rw------- 1 root wheel 499K Feb 27 2025 system.log.4
-rw------- 1 root wheel 499K Feb 24 2025 system.log.5
-rw------- 1 root wheel 499K Feb 21 2025 system.log.6
-rw------- 1 root wheel 22K Dec 12 20:14 userlog
-rw-r--r-- 1 root wheel 197B Dec 24 09:11 utx.lastlogin
-rw------- 1 root wheel 1.2K Dec 24 09:11 utx.log
-rw------- 1 root wheel 0B Dec 12 20:13 vpn.log
-rw------- 1 root wheel 0B Dec 12 20:13 watchdogd.log
-rw------- 1 root wheel 0B Dec 12 20:13 wireless.log
-
@beatvjiking have you tried rebooting?
-
@SteveITS Yes, this has persisted across reboots, and releases now.
Looking across the affected machines, I'm seeing that none of them have logged anything in their firewall logs since mid-September, and that corresponded to deploying the latest Netgate-supplied System Patches package and applying the recommended patches within. At this point all the machines have been updated to 25.11 so I'm not sure exactly what version that was or what patches it contained at the time. The machines are also now running the Patches package 2.2.26 with all recommended patches installed (and absolutely no non-Netgate patches, I deploy these only for the official bugfixes/security fixes from Netgate).
-
@beatvjiking so this is happening on multiple routers?
I would try deleting that filter.log file. Then maybe a filter reload.
-
@SteveITS yes, it's happening on multiple routers, but I decided to try to work on this one since it appears to be a shared issue and this one is my home device, so I can mess with it and not cause problems for my clients.
I deleted the filter.log file and reloaded filter, and the file hasn't been re-created.
-
@beatvjiking Try the red "Reset Log Files" button at Status / System Logs / Settings.
Failing that, post a screencap of your "Log Rotation Options". Maybe that whole settings page actually.
-
@tinfoilmatt Resetting the logs re-created the file. Interestingly the permissions are different from what they were before:
old: -rw------- 1 root wheel 0B Dec 12 20:13 filter.log
new: -rw-r--r-- 1 root wheel 0B Dec 24 10:54 filter.log
It's still not populating with any logs.
Screenshot (again, logging default deny is just for testing here):

-
@beatvjiking Check the "Default firewall "pass" rules" checkbox just to see if you can get anything to log.
You're squarely in sketchy territory.
-
@tinfoilmatt box checked, nothing whatsoever after pushing traffic through. File size still 0.
I also tried removing the state limiter from the default allow (in case that had something to do with it) and still nothing.
-
@beatvjiking There were only a couple Logging items included with the 25.07 release notes, and I don't see either of them having anything to do with anything.
You said you're experiencing this on multiple 4200's you manage? SSD upgrade on those too?
What do you mean by you tried "removing the state limiter"? I don't follow that.
-
@tinfoilmatt the other machines are running pfSense+ 25.11 but running on a variety of hardware. There are some roll-your-own machines, some 8200s, 7100s, 1537s, etc. The other Netgate hardware isn't altered from factory.
By "removing the state limiter" I meant removing the advanced rule option to limit states per device on the default allow. I normally add it to prevent resource exhaustion at the firewall, but wondered if adding it interfered with logging, so I removed it. It didn't change anything.
-
@beatvjiking I'm perplexed—further confounded only by you seeing this on multiple systems.
No syslog-ng install or otherwise any log shipping or anything?
Big system disk. No exotic partitioning? Exotic ZFS config?
You already confirmed no RAM disk.
Ruleset looks fine (if not exceedingly straightforward).
Are you doing anything particular with NAT?
-
it’s extreme but maybe set one to defaults temporarily and check. If it works compare config files. If not then it seems something on the router(s)…reinstall?
-
@tinfoilmatt no syslog-ng, no sending logs anywhere else. No exotic partitioning, just the default installer ZFS setup. Nothing weird with NAT. Some of the other affected machines are in failover pairs and NAT through their virtual CARP-managed IP, but there's nothing of that sort going on here.