[SOLVED] How can I see denied / dropped packets by OpenWrt

Where in LuCI can I see records of the network flows dropped by the firewall? I can see existing connections that are allowed through the firewall, but I can't figure out how to see the flows that are blocked / dropped?

Thank you.

https://forum.openwrt.org/search?q=firewall%20logging

Thanks. I’ve enabled logging and can see dropped packets in the system log. Once I get syslog server working, will this information be sent to the syslog server?

Thanks.

Yes, all logs will be included in what is sent to syslog server

Unfortunately, OpenWRT is not sending to a remote syslog server the messages about the packets that the firewall drops even though those messages appear in the OpenWRT's System Log.

Any idea how to get the messages about the packets dropped by the firewall to be sent to a remote syslog server? I've enabled the highest level of logging in OpenWRT.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

My problem is not solved. I'm not receiving any messages about packets dropped by the firewall in a remote syslog server, whereas they show up in the System Log server in OpenWRT.

How can I see denied / dropped packets by OpenWrt

Really? What exactly can you not see in your system log?

Yes, and you created a thread for that issue right?

This thread mentions nothing about syslog in the OP... and duplicate threads are poor etiquette FYI, turns people right off wanting to assist you.

So you confirm you see a firewall log entry with logread that you don't see on your syslog server?
I would then assume that it is a filter on your syslog server, can you show us your syslog server config?

Here is what I get:
Via logread

Fri Oct 23 02:41:36 2020 daemon.err uhttpd[11244]: luci: accepted login on / for root from 192.168.180.50
Fri Oct 23 02:42:15 2020 kern.warn kernel: [18281161.107332] REJECT OVPN in: IN=tun1 OUT= MAC= SRC=10.20.0.10 DST=192.168.130.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31126 DF PROTO=TCP SPT=60466 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0

On syslog server

Oct 23 02:41:36 router uhttpd[11244]: luci: accepted login on / for root from 192.168.180.50
Oct 23 02:42:15 router kernel: [18281161.107332] REJECT OVPN in: IN=tun1 OUT= MAC= SRC=10.20.0.10 DST=192.168.130.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31126 DF PROTO=TCP SPT=60466 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
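
The comparison made in the post above (is a firewall entry seen with logread also present on the syslog server?), as an added example that is not part of the original thread. It matches entries on the bracketed kernel timestamp, which is identical in both formats; the function names are hypothetical and the sample lines are constructed, modelled on the log lines quoted in this thread.

```python
import re

# The kernel part is shared by logread and remote syslog output:
#   "... kernel: [18281161.107332] REJECT OVPN in: IN=tun1 OUT= ..."
NF_LINE = re.compile(r"kernel: \[\s*(\d+\.\d+)\] (.*?)\s*(IN=.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_netfilter(line):
    """Return a dict for a firewall (netfilter LOG) line, else None."""
    m = NF_LINE.search(line)
    if m is None:
        return None
    stamp, prefix, rest = m.groups()
    entry = dict(FIELD.findall(rest))  # IN, SRC, DST, PROTO, SPT, DPT, ...
    entry["stamp"] = stamp             # kernel uptime, same on both sides
    entry["prefix"] = prefix           # e.g. "REJECT OVPN in:"
    return entry

def flow_key(e):
    """Fields that identify one logged packet independent of log format."""
    return (e["stamp"], e["prefix"], e.get("SRC"), e.get("DST"),
            e.get("PROTO"), e.get("SPT"), e.get("DPT"))

def missing_on_remote(local_lines, remote_lines):
    """Firewall entries present in logread output but absent remotely."""
    remote = {flow_key(e) for e in map(parse_netfilter, remote_lines) if e}
    return [e for e in map(parse_netfilter, local_lines)
            if e and flow_key(e) not in remote]

# Constructed sample input (router-side logread output).
LOGREAD = """\
Fri Oct 23 02:41:36 2020 daemon.err uhttpd[11244]: luci: accepted login on / for root from 192.168.180.50
Fri Oct 23 02:42:15 2020 kern.warn kernel: [18281161.107332] REJECT OVPN in: IN=tun1 OUT= MAC= SRC=10.20.0.10 DST=192.168.130.1 LEN=60 TTL=64 ID=31126 DF PROTO=TCP SPT=60466 DPT=22 SYN URGP=0
Fri Oct 23 02:59:24 2020 kern.warn kernel: [18282189.594385] DROP OVPN_NWW in: IN=tun1 OUT= MAC= SRC=10.20.0.10 DST=192.168.130.1 LEN=60 TTL=64 ID=4538 DF PROTO=TCP SPT=60468 DPT=22 SYN URGP=0
""".splitlines()

# Constructed sample input (remote syslog server); the DROP line is absent.
REMOTE = """\
Oct 23 02:41:36 router uhttpd[11244]: luci: accepted login on / for root from 192.168.180.50
Oct 23 02:42:15 router kernel: [18281161.107332] REJECT OVPN in: IN=tun1 OUT= MAC= SRC=10.20.0.10 DST=192.168.130.1 LEN=60 TTL=64 ID=31126 DF PROTO=TCP SPT=60466 DPT=22 SYN URGP=0
""".splitlines()

if __name__ == "__main__":
    for e in missing_on_remote(LOGREAD, REMOTE):
        print("not on syslog server:", e["prefix"], e["SRC"], "->",
              e["DST"], e["PROTO"], "dport", e["DPT"])
```

If the list is empty, every firewall entry reached the server and the gap is in how the server stores or displays them.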

I don't have a filter on the syslog server. One difference between your config and mine is that I'm dropping packets, whereas you are rejecting them. What level of logging is used for the REJECT / DROP messages?

Not the issue here


Oct 23 02:59:24 router kernel: [18282189.594385] DROP OVPN_NWW in: IN=tun1 OUT= MAC= SRC=10.20.0.10 DST=192.168.130.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4538 DF PROTO=TCP SPT=60468 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0

Why are you asking? You said you don't have a filter.
But to answer your question:
kern.warn kernel: [18282198.233840] DROP

My syslog server doesn’t have a filter, but OpenWRT does. I set OpenWRT for Debugging, but the firewall drop messages are not showing up in my syslog server. In fact, the only OpenWRT messages that I see are dnsmasq (DNS and DHCP) messages.

Well, if you want to see if it is an issue on the OpenWrt or your syslog server side, I suggest running tcpdump on port 514 on your syslog server, triggering a firewall drop message, and seeing if you receive a packet on port 514.

I found this:

and this:

If my quick scan read it correctly, both threads are about sending too much, not too little.

Do my suggested test and you know where to start digging.

And just to share my config.

	option conloglevel '8'
	option cronloglevel '8'

My cronloglevel was set to 5, but conloglevel was set to 8. But, I'm still not seeing drop messages.

Well, I can only repeat my suggestion.

I will do it tomorrow. It's late here. Thanks.
