Firewall LOG problem

bysard · September 20, 2011, 4:09pm

Hi.

I have a strange problem which I was unable to resolve. I’m trying to log all outgoing traffic to a specific IP. Making a firewall rule is simple, dst-address=91.202.65.130, log rule with a prefix. I put this rule in the first positon under firewall filter rules. The thing is when I apply this rule it logs perfectly all data, but only on a specific port on a router (bridge1). On other ports if fails to log src-mac-address, instead it skipps it. I see all the devices in ARP table on the router, that are trying to connect to 91.202.65.130.

e.g.:

Sep/20/2011 18:06:29 firewall,info 24ur forward: in:Bridge-LAN out:VDSL, src-mac 6c:f0:49:77:df:03, proto ICMP (type 8, code 0), 10.22.22.233->91.202.65.130, len 84
Sep/20/2011 18:06:30 firewall,info 24ur forward: in:Bridge-LAN out:VDSL, src-mac 6c:f0:49:77:df:03, proto ICMP (type 8, code 0), 10.22.22.233->91.202.65.130, len 84
Sep/20/2011 18:06:31 firewall,info 24ur forward: in:Bridge-LAN out:VDSL, src-mac 6c:f0:49:77:df:03, proto ICMP (type 8, code 0), 10.22.22.233->91.202.65.130, len 84
Sep/20/2011 18:06:32 firewall,info 24ur forward: in:Bridge-LAN out:VDSL, src-mac 6c:f0:49:77:df:03, proto ICMP (type 8, code 0), 10.22.22.233->91.202.65.130, len 84
Sep/20/2011 18:06:33 firewall,info 24ur forward: in:Bridge-LAN out:VDSL, src-mac 6c:f0:49:77:df:03, proto ICMP (type 8, code 0), 10.22.22.233->91.202.65.130, len 84
Sep/20/2011 18:06:34 firewall,info 24ur forward: in:Bridge-LAN out:VDSL, src-mac 6c:f0:49:77:df:03, proto ICMP (type 8, code 0), 10.22.22.233->91.202.65.130, len 84
Sep/20/2011 18:06:40 firewall,info 24ur forward: in:ether8 out:VDSL, proto ICMP (type 8, code 0), 10.2.20.3->91.202.65.130, len 50
Sep/20/2011 18:06:42 firewall,info 24ur forward: in:ether8 out:VDSL, proto ICMP (type 8, code 0), 10.2.20.3->91.202.65.130, len 50
Sep/20/2011 18:06:45 firewall,info 24ur forward: in:ether8 out:VDSL, proto ICMP (type 8, code 0), 10.2.20.3->91.202.65.130, len 50
Sep/20/2011 18:06:46 firewall,info 24ur forward: in:ether8 out:VDSL, proto ICMP (type 8, code 0), 10.2.20.3->91.202.65.130, len 50
Sep/20/2011 18:06:47 firewall,info 24ur forward: in:ether8 out:VDSL, proto ICMP (type 8, code 0), 10.2.20.3->91.202.65.130, len 50
Sep/20/2011 18:06:48 firewall,info 24ur forward: in:ether8 out:VDSL, proto ICMP (type 8, code 0), 10.2.20.3->91.202.65.130, len 50
Sep/20/2011 18:06:49 firewall,info 24ur forward: in:ether8 out:VDSL, proto ICMP (type 8, code 0), 10.2.20.3->91.202.65.130, len 50

Any clues?

tjc · September 20, 2011, 5:04pm

What does your logging rule look like?

bysard · September 20, 2011, 5:16pm

0 chain=forward action=log dst-address=91.202.65.130 log-prefix=“24ur”

ditonet · September 20, 2011, 11:16pm

@bysard
AFAIK MAC address is logged only for bridged interfaces.

Regards,

bysard · September 21, 2011, 5:18am

ditonet you are right. Dunno why but it really only logs MAC addresses from bridge devices. Thank you for this answer. Helped me a lot.