mitoldi
just joined
Topic Author
Posts: 5
Joined: Sun May 17, 2020 12:05 pm
Location: Netherlands

system logging - no rule but still logging?

Sun May 17, 2020 12:44 pm

Hello,

Running V6.46.6

Just started a week or 2 ago with mt and already a rookie error. Sorry.

As a test I set up a firewall logging rule and an action rule to log to file.
The idea was to have a look at the file to start setting up filters.
The files grew pretty fast so I disabled and stopped that. Did work, no logging to file.
Then I probably removed the rule without disabling it.

Issue:
- The messages still show in memory?
- Even after reboot?

Rules and Actions:
[user@node] /system logging> print
Flags: X - disabled, I - invalid, * - default 
 #    TOPICS                              ACTION                              PREFIX    
 0  * info                                memory                                        
 1  * error                               memory                                        
 2  * warning                             memory                                        
 3  * critical                            echo                                          
[user@node] /system logging> action print
Flags: * - default 
 0 * name="memory" target=memory memory-lines=1000 memory-stop-on-full=no 

 1 * name="disk" target=disk disk-file-name="log" disk-lines-per-file=1000 
     disk-file-count=2 disk-stop-on-full=no 

 2 * name="echo" target=echo remember=yes 

 3 * name="remote" target=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 
     bsd-syslog=no syslog-time-format=bsd-syslog syslog-facility=daemon 
     syslog-severity=auto 


Output in log:
11:38:01 firewall,info <PreFix> input: in:<bridge> out:(unknown 0), src-mac <MAC>, proto UDP, <IP-Address>:54281->255.255.255.255:20561, len 50 

Q:
- how come the rule is still active and showing even if it's not in the rules?
- how to get rid of this in memory logging?

Regards
Regards, mitoldi
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: system logging - no rule but still logging?

Wed May 20, 2020 11:14 pm

What does the following say: /system check-installation

And show the current firewall rules ( "/ip firewall filter print" or any other location where you had added the said fw rule)
 
mitoldi
just joined
Topic Author
Posts: 5
Joined: Sun May 17, 2020 12:05 pm
Location: Netherlands

Re: system logging - no rule but still logging?

Thu May 21, 2020 5:49 pm

thx mutluit for your reaction.

additional info: these lines come in at a high rate, like 150+ per minute

Although I still think it has something to do with a logging rule that has been there but now isn't anymore.
But as requested here the info.
The only change is the ipfilter 4. That was done on a MT CAPsMAN piece to put the local router WiFi - RB4011iGS+5HacQ2HnD-IN (WiFi model) - under its own CAPsMAN too.
[user@node] > /system check-installation
  status: installation is ok

[user@node] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=yes log-prefix="" 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    chain=input action=accept src-address-type=local dst-address-type=local 

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=yes log-prefix="" 

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 

12    ;;; Allow Winbox
      chain=input action=accept protocol=tcp in-interface-list=LAN src-port=8291 log=yes log-prefix="Winbox" 

Regards, mitoldi
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: system logging - no rule but still logging?

Thu May 21, 2020 6:37 pm

There are many locations in RouterOS where one can define firewall rules, for example at the following incomplete list of locations (also device-dependent):
/ip firewall
address-list calea connection filter layer7-protocol mangle nat raw service-port export

/interface bridge
calea filter host mdb msti nat port settings vlan add comment disable edit enable export find monitor print remove set

/interface ethernet switch acl

/interface ethernet switch acl policer
So you should check your whole config as follows:
/export file=export-all.rsc

and then inspect the file for example so:
/file edit export-all.rsc contents

or download it and analyse on your PC.


And: your above posted firewall rules say this: accept everything that is not explicitly blocked (dropped).
(But: then you can remove the "accept" rules as they are redundant... :-). Except the "connection-state=established,related..." )

There is also the following alternative possible: block (drop) everything except the explicitly accepted ones.

You should think about these alternatives & decide which is better for your needs.
 
tdw
Member
Posts: 367
Joined: Sat May 05, 2018 11:55 am

Re: system logging - no rule but still logging?

Thu May 21, 2020 7:32 pm

Rules 2, 5 & 12 still have log=yes so the messages will be from one of those
 
mitoldi
just joined
Topic Author
Posts: 5
Joined: Sun May 17, 2020 12:05 pm
Location: Netherlands

Re: system logging - no rule but still logging?

Fri May 22, 2020 7:15 pm

Thx, will check the export if i can find something.

> And: your above posted firewall rules say this: accept everything that is not explicitly blocked (dropped).
> (But: then you can remove the "accept" rules as they are redundant... :-). Except the "connection-state=established,related..." )
>
> There is also the following alternative possible: block (drop) everything except the explicitly accepted ones.
>
> You should think about these alternatives & decide which is better for your needs.

Yes, I know, but that was one of the reasons for my firewall logging to memory/file to get information about what is going on and to learn more about firewall rules. 8)
So far I used closed router stuff that hides all the firewall stuff. One of the reasons to switch to MikroTik. Want to learn more about firewall rules.
Last edited by mitoldi on Fri May 22, 2020 7:24 pm, edited 1 time in total.
Regards, mitoldi
 
mitoldi
just joined
Topic Author
Posts: 5
Joined: Sun May 17, 2020 12:05 pm
Location: Netherlands

Re: system logging - no rule but still logging?

Fri May 22, 2020 7:23 pm

thx tdw for the suggestion,

> Rules 2, 5 & 12 still have log=yes so the messages will be from one of those

but that is not the case.
The prefix I mentioned in the original entry is none of these defined in these rules.
The prefix that is still showing in the log is still the one from the rule I created and deleted, but probably forgot to disable first.
So maybe I stumbled into a bug, but I have not got extra hardware/time to test.
So if there is no solution, I might have to reset my complete setup. Saving an export will help to get back up-and-running pretty quick.

The only planning is to be sure that other household users are shopping. :lol:
Regards, mitoldi
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: system logging - no rule but still logging?  [SOLVED]

Fri May 22, 2020 8:00 pm

@mitoldi, did you export the whole config and search therein for the said log prefix?
 
mitoldi
just joined
Topic Author
Posts: 5
Joined: Sun May 17, 2020 12:05 pm
Location: Netherlands

Re: system logging - no rule but still logging?

Sat May 23, 2020 3:01 pm

@mutluit

yes, had time to get and check the export.
Found it. :)
add action=log chain=input comment="Log - xxxx" log=yes \
    log-prefix=<the-prefix>
The line made me think to look in 'system - logging - rules/actions' first.
But depending on what you define in rules it is set in the appropriate component, in this case the firewall filter.

I found my mistake in supplying information to y'all.
Doing the '/ip firewall filter print' I didn't give all the output.
Too small a window and not looking properly I guess. I gave the lines up to 12 and there are 15!
Sorry :oops:

Thanks to these pointers I now know where the issue was and I was able to solve it too.
/ip firewall> filter remove <#>
did the trick.
Thanks to @tdw too to take the time to help.
Regards, mitoldi
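
Added example, not part of any post in this thread: a Python sketch of the check mutluit suggests and mitoldi's last post confirms, scanning a downloaded `/export` file for every entry with `log=yes` or `action=log`, whichever menu it sits in. The sample export and the function names are constructed for illustration, and the parser assumes the usual export layout of a menu path line followed by `add` lines.

```python
import shlex

# Constructed sample in the layout of a RouterOS v6 "/export" file; not the poster's config.
SAMPLE_EXPORT = r'''# constructed sample
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid log=yes
add action=log chain=input comment="Log - test" log=yes \
    log-prefix=TESTPFX
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system logging
add action=disk topics=firewall
'''

def join_continuations(text):
    """Undo export line wrapping: a trailing backslash continues on the next line."""
    merged, buf, cont = [], "", False
    for line in text.splitlines():
        if cont:
            line = line.lstrip()          # indentation of a wrapped line is not data
        cont = line.endswith("\\")
        if cont:
            buf += line[:-1]
        else:
            merged.append(buf + line)
            buf = ""
    return merged

def find_logging_rules(export_text):
    """Return every 'add' entry, in any menu, that has log=yes or action=log."""
    findings, section, position = [], None, 0
    for line in join_continuations(export_text):
        line = line.strip()
        if line.startswith("/"):          # menu path, e.g. "/ip firewall filter"
            section, position = line, 0
        elif line.startswith("add ") and section:
            props = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            if props.get("log") == "yes" or props.get("action") == "log":
                findings.append({
                    "section": section,
                    # Position among exported entries; `print` may number differently
                    # because dynamic rules are listed there but are not exported.
                    "position": position,
                    "action": props.get("action"),
                    "prefix": props.get("log-prefix", ""),
                })
            position += 1
    return findings

if __name__ == "__main__":
    for f in find_logging_rules(SAMPLE_EXPORT):
        print(f)
```

The `/system logging` entry in the sample is deliberately not reported: it only routes a topic to a target, while the messages themselves come from the firewall entries that carry `log=yes` or `action=log`.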
