Flooding Drop Logs

Hello everyone,

my drop-filter log is too flooded, so I can't see the valuable information. The connection is established from client A to the internet. The connection is broken or gets kicked out, I don't know. The server is still sending out ACK or RST packets. This floods the logfile unnecessarily.

May it be due to the Stateful Packet Inspection or connection tracking timeout?
How do I change the rule?


2017-11-07T11:28:07.000587+01:00  firewall,info Node1: Standard-VERWERFEN_Sub  proto TCP (ACK), 126.24.33.133:80->10.1.9.20:50467, len 40
2017-11-07T11:28:07.000587+01:00  firewall,info Node1: Standard-VERWERFEN_Sub  proto TCP (ACK), 126.24.33.133:80->10.1.9.20:50468, len 40
2017-11-07T11:28:07.000588+01:00  firewall,info Node1: Standard-VERWERFEN_Sub  proto TCP (ACK), 126.24.33.133:80->10.1.9.20:50467, len 40
2017-11-07T11:28:07.000587+01:00  firewall,info Node1: Standard-VERWERFEN_Sub  proto TCP (ACK), 126.24.33.133:80->10.1.9.20:50468, len 40

Another example:

2017-11-07T11:26:17.451221+01:00  firewall,info Node1: Standard-VERWERFEN_Sub proto TCP (RST), 24.63.146.162:80->10.1.9.10:55336, len 40
2017-11-07T11:26:17.451221+01:00  firewall,info Node1: Standard-VERWERFEN_Sub proto TCP (RST), 24.63.146.162:80->10.1.9.10:55337, len 40
2017-11-07T11:26:17.451231+01:00  firewall,info Node1: Standard-VERWERFEN_Sub proto TCP (RST), 24.63.146.162:80->10.1.9.10:55336, len 40
2017-11-07T11:26:17.451231+01:00  firewall,info Node1: Standard-VERWERFEN_Sub proto TCP (RST), 24.63.146.162:80->10.1.9.10:55337, len 40

My rule set

 0   chain=input action=accept connection-state=established,related log=no log-prefix=""
 1   chain=output action=accept connection-state=established,related log=no log-prefix=""
 2   chain=forward action=accept connection-state=established,related log=no log-prefix=""
... many other rules ...
# Drop all internal networks 
84  chain=forward action=drop dst-address=10.0.0.0/8 log=yes log-prefix="Standard-VERWERFEN_Sub"
# ANY to internet firewall
85  chain=forward action=accept dst-address=0.0.0.0/0 log=no log-prefix="ANY-UTM"

I hope my issue is clear; tell me if you need any further information.

Best regards,
Stephan

Firewall log rules do not log connections, but matched packets.

What you see in the logs is perfectly normal. When a connection is established, many, many packets can flow through the router during its lifetime.

The firewall logs each individual packet that a rule matches (if that rule is configured to log).
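As an added example (not from either poster), the script below parses drop-log lines in the format quoted above and collapses the per-packet entries into per-flow hit counts, separating likely connection-tail ACK/RST noise from packets that deserve a closer look. The sample lines (including the extra SYN line) and the "tail traffic" heuristic are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the RouterOS drop-log format quoted in the thread;
# the final SYN line is added to show a packet that is not connection-tail traffic.
SAMPLE_LOG = """\
2017-11-07T11:28:07.000587+01:00  firewall,info Node1: Standard-VERWERFEN_Sub  proto TCP (ACK), 126.24.33.133:80->10.1.9.20:50467, len 40
2017-11-07T11:28:07.000587+01:00  firewall,info Node1: Standard-VERWERFEN_Sub  proto TCP (ACK), 126.24.33.133:80->10.1.9.20:50468, len 40
2017-11-07T11:28:07.000588+01:00  firewall,info Node1: Standard-VERWERFEN_Sub  proto TCP (ACK), 126.24.33.133:80->10.1.9.20:50467, len 40
2017-11-07T11:26:17.451221+01:00  firewall,info Node1: Standard-VERWERFEN_Sub proto TCP (RST), 24.63.146.162:80->10.1.9.10:55336, len 40
2017-11-07T11:26:17.451231+01:00  firewall,info Node1: Standard-VERWERFEN_Sub proto TCP (RST), 24.63.146.162:80->10.1.9.10:55337, len 40
2017-11-07T11:26:18.000001+01:00  firewall,info Node1: Standard-VERWERFEN_Sub proto TCP (SYN), 198.51.100.7:4444->10.1.9.10:22, len 40
"""

# One log line is one matched packet: log prefix, protocol, optional TCP flags, 5-tuple, length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+firewall,info\s+(?P<node>\S+):\s+(?P<prefix>\S+)\s+proto\s+(?P<proto>\S+)"
    r"(?:\s+\((?P<flags>[^)]*)\))?,\s+(?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+),\s+len\s+(?P<len>\d+)$"
)

def parse_line(line):
    """Return the fields of one firewall log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["flags"] = frozenset(f.strip() for f in rec["flags"].split(",")) if rec["flags"] else frozenset()
    return rec

def is_tail_traffic(rec):
    """Heuristic: TCP without SYN from a privileged service port is the tail of a client-initiated
    connection whose tracking entry has already expired (the ACK/RST stragglers in the question)."""
    return (rec["proto"] == "TCP" and bool(rec["flags"])
            and rec["flags"] <= {"ACK", "RST", "FIN", "PSH"} and int(rec["sport"]) < 1024)

def summarize(log_text):
    """Collapse per-packet lines into per-flow hit counts (most frequent first), ignoring the
    client's ephemeral port so retransmissions on neighbouring ports are counted together."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            key = (rec["prefix"], rec["proto"], ",".join(sorted(rec["flags"])),
                   rec["src"], rec["sport"], rec["dst"], is_tail_traffic(rec))
            counts[key] += 1
    return counts.most_common()

def triage(log_text):
    """Split the collapsed flows into likely connection-tail noise and packets worth a closer look."""
    flows = summarize(log_text)
    return [f for f in flows if f[0][-1]], [f for f in flows if not f[0][-1]]
```

Running `triage(SAMPLE_LOG)` on the sample reduces six log lines to two noise flows (3 and 2 hits) and one flow, the inbound SYN to port 22, that stands out.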