pfSense users, what exactly do you log?

BeachBum

Regular Contributor
I would like to know what you seasoned pfSense users set to log in your firewall logs.

Do you log everything? Have only some things set to log? Enable/Disable Default Rule Logging? What's most important to you? What log event types are "spam"? How many entries do you view in the GUI? Do you send your logs to a remote log viewer? Which one? Do you view them as raw?

I have all the default blocks logging, 94% of which is pass (out) events according to the summary.
 
> I would like to know what you seasoned pfSense users set to log in your firewall logs.
>
> Do you log everything? Have only some things set to log? Enable/Disable Default Rule Logging? What's most important to you? What log event types are "spam"? How many entries do you view in the GUI? Do you send your logs to a remote log viewer? Which one? Do you view them as raw?
>
> I have all the default blocks logging, 94% of which is pass (out) events according to the summary.
I've been using pfSense for approximately 6 months.

1. No logs for CaptivePortAuth, IPsec, PPP, VPN, Load Balancer. No Wireless log because the Ubiquiti AP hasn't been installed.
2. Everything else is logged.
3. General and OpenVPN.
4. DK
5. 50 (default)
6. No.
7. DK
 
> I would like to know what you seasoned pfSense users set to log in your firewall logs.
>
> Do you log everything? Have only some things set to log? Enable/Disable Default Rule Logging? What's most important to you? What log event types are "spam"? How many entries do you view in the GUI? Do you send your logs to a remote log viewer? Which one? Do you view them as raw?
>
> I have all the default blocks logging, 94% of which is pass (out) events according to the summary.

Not logging anything on the firewall other than the default basic stats that one can find under https://<routername>/diag_logs_filter_dynamic.php - if it gets exported out to syslog, that's fine - Exporting SNMP and Syslog to a remote server instance inside my firewall for post data analysis...
 
Generally, you want to remove noise so that a problem will be obvious rather than drowned out.

My firewall setup is a bit different because I use a whitelist rather than a blacklist; I block all LAN to WAN connections unless explicitly allowed. None of this blocked traffic is logged, except when trouble-shooting. I have an alias list of especially noisy ports that I never want logged.

I log all block WAN to pfSense blocks, but mostly just as a curiosity since all ports are closed so ... nothing should be getting in.

Now that I think about it, I should probably hide all external attempts and log only blocked internal...
 
I guess the next question is what is considered 'noise'? I have all the boxes checked in the status log settings page and there are a ton of firewall entries flying by. I wouldn't see an obvious problem at all.
 
> I guess the next question is what is considered 'noise'? I have all the boxes checked in the status log settings page and there are a ton of firewall entries flying by. I wouldn't see an obvious problem at all.

What is your most likely threat vector or concern?

Internal Windows clients with unsecured UPnP & NetBios opening external ports? Then monitor outgoing traffic on those ports.

Or are you running externally accessible services? Then monitor those specific incoming ports.


If you have lots of allowed IN/OUT traffic, an IDS might be a good idea because they have powerful pattern recognition, even with encrypted data.
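The two replies above boil down to one workflow: drop the chatter you already know about, summarise what is left per interface/action/direction so a problem stands out, and watch the specific outbound ports you care about. Here is that workflow as an added example (mine, not code from the thread or from the pfSense project) over a handful of constructed filter-log lines. The field positions follow the pfSense 2.2+ filterlog CSV layout as I understand it, which is an assumption to check against your own log; the interface names, port aliases and sample lines are constructed. Note that pfSense matches a LAN client's outbound connection as direction "in" on the LAN interface, so "monitor outgoing traffic" means looking at pass/in records on the LAN side.

```python
"""Triage pfSense filter-log lines: drop known noise, summarise the rest,
and flag outbound connections to ports worth watching.

Added example, not code from the forum thread or the pfSense project.
Field positions follow the pfSense 2.2+ filterlog CSV layout as I
understand it (assumption). Sample lines, interface names and port
aliases are constructed.
"""
import re
from collections import Counter

# Constructed sample in the shape of /var/log/filter.log (syslog prefix + CSV).
SAMPLE_LOG = """\
Apr 20 10:00:01 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,60001,0,none,6,tcp,60,203.0.113.5,198.51.100.2,44521,23,0,S,1061852455,,65535,,mss
Apr 20 10:00:02 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,117,61,0,none,17,udp,78,203.0.113.9,198.51.100.2,1900,1900,58
Apr 20 10:00:03 pfSense filterlog: 9,,,1000000111,igb1,match,pass,in,4,0x0,,64,8812,0,DF,6,tcp,60,192.168.1.20,93.184.216.34,51234,443,0,S,2213847561,,65535,,mss;sackOK;TS;nop;wscale
Apr 20 10:00:04 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,50,2,0,none,17,udp,229,203.0.113.7,198.51.100.2,137,137,209
Apr 20 10:00:05 pfSense filterlog: 9,,,1000000111,igb1,match,pass,in,4,0x0,,64,8813,0,DF,6,tcp,60,192.168.1.20,93.184.216.34,51235,443,0,S,2213847562,,65535,,mss;sackOK;TS;nop;wscale
Apr 20 10:00:06 pfSense filterlog: 12,,,1000000120,igb1,match,pass,in,4,0x0,,128,4321,0,DF,6,tcp,52,192.168.1.31,198.51.100.77,50002,3389,0,S,77341289,,8192,,mss;nop;wscale;nop;nop;sackOK
Apr 20 10:00:07 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,6,0x00,0x00000,255,udp,17,56,2001:db8::1,2001:db8::2,5353,5353,16
"""

LAN_IFACES = {"igb1"}                 # constructed: interfaces where LAN clients' traffic enters
NOISY_PORTS = {137, 138, 1900, 5353}  # constructed alias: discovery chatter not worth a log line
WATCH_PORTS = {23, 135, 445, 3389}    # constructed alias: outbound ports to keep an eye on


def parse_filterlog(line):
    """Return a dict for one filterlog line, or None if it is not one.

    Layout assumed (pfSense 2.2+): 9 common fields, then the IPv4 or IPv6
    header fields, then src/dst ports for TCP and UDP.
    """
    m = re.search(r"filterlog(?:\[\d+\])?: (.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 9:
        return None
    rec = {"rule": f[0], "tracker": f[3], "iface": f[4],
           "action": f[6], "dir": f[7], "ipver": f[8]}
    if f[8] == "4":            # tos,ecn,ttl,id,offset,flags,protoid,proto,len,src,dst
        if len(f) < 20:
            return None
        rec.update(proto=f[16], src=f[18], dst=f[19])
        rest = f[20:]
    elif f[8] == "6":          # class,flowlabel,hoplimit,proto,protoid,len,src,dst
        if len(f) < 17:
            return None
        rec.update(proto=f[12], src=f[15], dst=f[16])
        rest = f[17:]
    else:
        return None
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
    else:
        rec["sport"] = rec["dport"] = None   # ICMP etc. carry no ports
    return rec


def triage(log_text, noisy_ports=NOISY_PORTS, watch_ports=WATCH_PORTS,
           lan_ifaces=LAN_IFACES):
    """Suppress known-noise blocks, count the rest, flag watched outbound ports."""
    counts = Counter()
    suppressed = 0
    watch_hits = []
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue
        # Blocked discovery chatter: counted as suppressed, never shown.
        if rec["action"] == "block" and rec["dport"] in noisy_ports:
            suppressed += 1
            continue
        counts[(rec["iface"], rec["action"], rec["dir"])] += 1
        # Outbound from a LAN client = "pass in" on the LAN interface.
        if (rec["action"] == "pass" and rec["iface"] in lan_ifaces
                and rec["dport"] in watch_ports):
            watch_hits.append((rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    return {"counts": counts, "suppressed": suppressed, "watch_hits": watch_hits}


def format_report(result):
    """Human-readable summary of a triage() result."""
    lines = [f"suppressed as noise: {result['suppressed']}"]
    for (iface, action, direction), n in sorted(result["counts"].items()):
        lines.append(f"{iface} {action} {direction}: {n}")
    for src, dst, proto, dport in result["watch_hits"]:
        lines.append(f"WATCH: {src} -> {dst} {proto}/{dport} (outbound to watched port)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Run it against a real log with `triage(open("/var/log/filter.log").read())` after adjusting the interface names and port aliases; the aliases play the same role as the "especially noisy ports" alias mentioned above, except applied at analysis time rather than in the rule set.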
 
> Generally, you want to remove noise so that a problem will be obvious rather than drowned out.
>
> I log all block WAN to pfSense blocks, but mostly just as a curiosity since all ports are closed so ... nothing should be getting in.
>
> Now that I think about it, I should probably hide all external attempts and log only blocked internal...

remember that logging tasks do affect CPU - doesn't put more "load" on it, but it does extract a cost for interrupt processing - it's a fine line to balance useful info vs. just logging everything ;)
 
> remember that logging tasks do affect CPU - doesn't put more "load" on it, but it does extract a cost for interrupt processing - it's a fine line to balance useful info vs. just logging everything ;)

You can always buy more powerful hardware, but you cannot look at non-existent logs... ;)
 
Thanks for your comments all.

I am not currently running any externally accessible services. I think the biggest threat vectors are this:
  1. Computer-illiterate in-laws who click on every attachment no matter who it's from. Install every/anything from the Asian soap opera websites so they can watch their shows. I've already wiped laptops twice due to malware. I have just gotten them to accept running in non-admin mode.
  2. Free flowing traffic. I have the default pfsense firewall setup so it blocks everything unsolicited. BUT if I were to lock everything down so only certain things were allowed out there would be a whirlwind of dragon fury directed my way if things were made difficult for them too quickly. Yes I know, tradeoffs etc. I've just now gotten them to accept having to ask me for admin password to install anything :) Baby steps...
I think my best bet and my main reason for implementing pfSense is the IDS/IPS/Virus/Malware/etc scanning at the firewall system. But now that 2.3 is out not all that is working. I was on a consumer ASUS with the TrendMicro IDS/Virus scanning but it was way underpowered (need VPN performance for work) and I don't like the fact that all my traffic was being inspected by a third party.

As for the log noise, I think I can safely turn off the default logging of Bogon & Private Networks, no?
 
> I think my best bet and my main reason for implementing pfSense is the IDS/IPS/Virus/Malware/etc scanning at the firewall system. But now that 2.3 is out not all that is working. I was on a consumer ASUS with the TrendMicro IDS/Virus scanning but it was way underpowered (need VPN performance for work) and I don't like the fact that all my traffic was being inspected by a third party.

Well, there's quite a few packages available - some more complicated than others - check out Suricata, but I'm not certain if they've updated the package for Release 2.3 yet... and of course there is always Snort, and you have multiple AV options as well..
 
> Well, there's quite a few packages available - some more complicated than others - check out Suricata, but I'm not certain if they've updated the package for Release 2.3 yet... and of course there is always Snort, and you have multiple AV options as well..

Yep Snort is next on the list :) Which AV package would you recommend?
 
Back to the logs, can I safely turn off the default logging of Bogon & Private Networks?
 
> Yep Snort is next on the list :) Which AV package would you recommend?

They're all pretty good - just be careful not to run multiples, and in conjunction with Snort, you can get yourself pretty broken pretty quick - before jumping into that pool, make sure you backup your configurations in case you need to revert it back out.
 
Was looking at the "Removed Packages" list on the pfSense site, and regarding HAVP it says "...HAVP project is no longer maintained. Antivirus support is now built into the Squid package....."

So looks like I'll just need to get only Snort & Squid going for an IPS/AV system...
 
> Was looking at the "Removed Packages" list on the pfSense site, and regarding HAVP it says "...HAVP project is no longer maintained. Antivirus support is now built into the Squid package....."
>
> So looks like I'll just need to get only Snort & Squid going for an IPS/AV system...

One doesn't need to be on the tip of the source code tree, can always take a step back until the tip goes release - 2.3, even though "release" is pretty bold and very close to the tip at the moment...

OPNsense went through similar troubles when they decided to refactor, and introduced many regressions and new bugs...
 
> They're all pretty good - just be careful not to run multiples, and in conjunction with Snort, you can get yourself pretty broken pretty quick - before jumping into that pool, make sure you backup your configurations in case you need to revert it back out.

If you run snort don't run it in automatic blocking mode to start. You want to study the logs for a while and adjust to your traffic. Otherwise you will be chasing your tail with false positives.
 
> If you run snort don't run it in automatic blocking mode to start. You want to study the logs for a while and adjust to your traffic. Otherwise you will be chasing your tail with false positives.

Yes this one is going to be a bear to learn I can see...
 
Well if anyone is interested in an update:
I've had Snort/Squid/SquidGuard running for a while now and have it pretty dialed in. For Snort I'm using the paid VRT Rules in Connectivity mode. I also have a couple of the individual rule sets activated as well. Over time I've suppressed the false positives and it's running pretty well. It's neat to see where the blocks are coming from, China, Korea, Russia, etc. One hiccup I'm having is that when my wife connects her VPN to her work, a computer on her company's network tries to port scan my network and Snort blocks it, which results in her not being able to use her VPN. I'm debating whether to suppress that or not as I don't feel they should be port scanning my network.

Squid is active and I mainly use it for the HTTP inspection and AV Scanning. I don't care much about the cache part of it. I've had several legitimate virus blocks resulting from malicious flash advertisements on flash game sites my son visits. Kind of neat to see it actually work like it's supposed to. Next step is to set up HTTPS inspection for AV scanning in HTTPS traffic.

I also want to setup log analysis like ELK or Splunk, but haven't got into that yet.
 
I would also suggest using pfBlockerNG, which now supports DNS blocks.

 