Logging NAT/Firewall/state entries in Pfsense

Sometimes you really need to know what computers on your network were doing yesterday at noon, because you get a nastygram from the MPAA about bittorrent demanding that you do something — but bittorrent is notoriously hard to block.

You can try installing BandwidthD on your Pfsense router, to see who’s using a bunch of bandwidth at that time, and you can look back through DHCP or WiFi logs to see who was connected at the time, but the complaint letter tells you the exact time and port number used. Wouldn’t it be cool if you could log that?

Here’s what I came up with. Download the Cron package for Pfsense, and add a new Cron job:

Minute: 1
Hour/etc: *
Who: root
Command: pfctl -ss | egrep '(>.*>|<.*<)' | logger

The firewall states (who is connected to what) will now dump to your system log every hour — kinda noisy, but also kinda effective for tracking long downloads on random ports.


12 thoughts on “Logging NAT/Firewall/state entries in Pfsense

  1. pankajlele says:

    Hello Will, thanks for your suggestion about NAT logging. As you said above crontab will log system states once in every hour. But will it be possible to have everything logged? Or all states are maintained for 1 hour? question is whether it will miss some of the states and only get random every 1 hour?

  2. Pankaj, you’re correct, only doing it hourly is likely to miss some things. For my purposes, I’m only interested in long-term connections (like Bittorrent downloads) and so it’s good enough for me. But logging on a more-frequent basis would be recommended if you wanted to never miss anything. It’d just generate LOTS of data.

  3. Lucas Amorim says:

    Hello Will, thanks for the article. What if I wanted to log it to a different file? Say nat.log… How should the command be?

  4. Lucas, instead of
    | logger
    you would type:
    >> nat.log
    to append the text output to a file. Look up Linux Pipes, aka I/O Redirection, for details.

  5. Mark says:

    There is one fundamental flaw with this approach. The MPAA never sends an accurate date/time of connections they used to determine a violation. So lining up their claim to any PfSense collected logs will be an exercise in futility. Until MPAA & company provides a utility to search networks, for illegal content, this issue will continue unresolved.

  6. Interesting. You are correct, of course, although last time I received a complaint the timestamp was accurate enough for me to determine the cause. On noisier networks or for smaller files it will definitely be more of a challenge.

  7. Mark says:

    So where does the log file get stored and what is it’s filename? I’d like to see the contents of the output.

  8. There’s no file created, the | logger at the end invokes the system logger. So you should look at the Pfsense system log page, and configure the logging settings to your liking. If the Pfsense syslog doesn’t work for you for some reason, you can always replace the | logger with something else (like >> filename as in the previous comments, or nothing to just see the output on your screen.)

    To break out the command:

    pfctl -ss shows all firewall states (current traffic passing thru the firewall)
    egrep '(>.*>|<.*<)' filters that list to relevant rows only
    | logger outputs that list to syslog (which is useful to me since I have remote syslog configured to papertrail, for improved archiving and search.)

  9. Mark says:

    Hmmm, logger doesn’t put anything in the system log. Not that I would want this much info clobbering the system log anyways. So I entered in the command console pfctl -ss | egrep ‘(>.*>|<.*/var/statesgrep.txt and no file is created. Tried truncating to pfctl -ss >/var/states.txt and get a file output with no date/time stamps.

  10. I’m not sure if the comment editor is mangling your comment or what, but the command I’m seeing in your comment is not going to work very well.

    I’m seeing you wrote: pfctl -ss | egrep ‘(>.*>|.*>|<.*> /var/statesgrep.txt

    The proper command would be: pfctl -ss | egrep ‘(>.*>|<.*<)‘ >> /var/statesgrep.txt

    As for date/time stamps, I think I was relying on the system logger to provide that. It’s not a very elegant solution, but it was enough for me at the time.

    If you need a “business-grade” solution, check out Netflow: https://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage#Netflow

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s