system logging - no rule but still logging?

mitoldi · May 17, 2020, 9:44am

Hello,

Running V6.46.6

Just started a week or 2 ago with mt and already a rookie error. Sorry.

As a test i setup a firewall logging rule and an action rule to log to file.
The ideas was to have a look at the file to start setting up filters.
The files grew pretty fast so i disabled and stopped that. Did work, no logging to file.
Then i probably removed the rule without disabling it.

Issue:

The messages still show in memory?
Even after reboot?

Rules and Actions:

[user@node] /system logging> print
Flags: X - disabled, I - invalid, * - default 
 #    TOPICS                              ACTION                              PREFIX    
 0  * info                                memory                                        
 1  * error                               memory                                        
 2  * warning                             memory                                        
 3  * critical                            echo                                          
[user@node] /system logging> action print
Flags: * - default 
 0 * name="memory" target=memory memory-lines=1000 memory-stop-on-full=no 

 1 * name="disk" target=disk disk-file-name="log" disk-lines-per-file=1000 
     disk-file-count=2 disk-stop-on-full=no 

 2 * name="echo" target=echo remember=yes 

 3 * name="remote" target=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 
     bsd-syslog=no syslog-time-format=bsd-syslog syslog-facility=daemon 
     syslog-severity=auto

Output in log:

11:38:01 firewall,info <PreFix> input: in:<bridge> out:(unknown 0), src-mac <MAC>, proto UDP, <IP-Address>:54281->255.255.255.255:20561, len 50

Q:

how come the rule is stil active and showing even if it’s not in the rules?
how to get rid if this in memory logging?

Regards

mutluit · May 20, 2020, 8:14pm

What does the following say: /system check-installation

And show the current firewall rules ( “/ip firewall filter print” or any other location where you had added the said fw rule)

mitoldi · May 21, 2020, 2:49pm

thx mutluit for your reaction.

additional info: these lines come in at a high rate, like 150+ per minute

Although i still think it has something todo with a logging rule that has been there but now isn’t anymore.
But as requested here the info.
The only change is the ipfilter 4. That was done on a MT CAPsMAN piece to put the local router WiFi - RB4011iGS+5HacQ2HnD-IN (WiFi model) - under it’s own CAPsMAN too.

[user@node] > /system check-installation
  status: installation is ok

[user@node] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=yes log-prefix="" 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    chain=input action=accept src-address-type=local dst-address-type=local 

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=yes log-prefix="" 

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 

12    ;;; Allow Winbox
      chain=input action=accept protocol=tcp in-interface-list=LAN src-port=8291 log=yes log-prefix="Winbox"

mutluit · May 21, 2020, 3:37pm

There are many locations in RouterOS where one can define firewall rules, for example at the following incomplete list of locations (also device-dependent):

/ip firewall
address-list calea connection > filter > layer7-protocol > mangle > > nat > > raw > service-port export

/interface bridge
calea > filter > host mdb msti > nat > port settings vlan add comment disable edit enable export find monitor print remove set

/interface ethernet switch acl

/interface ethernet switch acl policer

So you should check your whole config as follows:
/export file=export-all.rsc

and then inspect the file for example so:
/file edit export-all.rsc contents

or download it and analyse on your PC.

And: your above posted firewall rules say this: accept everything that is not explicitly blocked (dropped).
(But: then you can remove the “accept” rules as they are redundant… . Except the “connection-state=established,related…” )

There is also the following alternative possible: block (drop) everything except the explicitly accepted ones.

You should think about these alternatives & decide which is better for your needs.

tdw · May 21, 2020, 4:32pm

Rules 2, 5 & 12 still have log=yes so the messages will be from one of those

mitoldi · May 22, 2020, 4:15pm

Thx, will check the export if i can find something.

Yes, i know, but that was one of the reasons for my firewall logging to memory/file to get information about what is going on and to learn more about firewall rules.
Sofar i used closed router stuff that hides all the firewall stuff. One of the reasons to switch to MikroTik. Want to learn more about firewall rules.

mitoldi · May 22, 2020, 4:23pm

thx tdw for the suggestion,

but that is not the case.
The prefix i mentioned in the original entry is none of these defined in these rules.
The prefix that is still showing in the log is still the one from the rule i created and deleted. but probably forgot to disable first.
So maybe i stumbled into a bug, but i have not got extra hardware/time to test.
So if there is no solution, i might have to reset my complete setup. Saving an export will help to get back up-and-running pretty quick.

The only planning is to be sure that other household users are shopping.

mutluit · May 22, 2020, 5:00pm

@mitoldi, did you export the whole config and searched therein for the said log prefix?

mitoldi · May 23, 2020, 12:01pm

@mutluit

yes, had time to get and check the export.
Found it.

add action=log chain=input comment="Log - xxxx" log=yes \
    log-prefix=<the-prefix>

The line made me think to look in ‘system - logging - rules/actions’ first.
But depending on what you define in rules it is set in the appropriate component, in this case the firewall filter.

I found my mistake in supplying information to y’all.
Doing the ‘/ip firewall filter print’ i didn’t gave all the output.
Too small a window and not looking properly i guess. I gave the lines up to 12 and there are 15!
Sorry

Thanks to these pointers i now know where the issue was and i was able to solved it too.

/ip firewall> filter remove <#>

did the trick.
Thanks to @tdw too to take the time to help.