Help understanding the logs

Murus
evansgo
Posts: 3
Joined: Fri May 29, 2015 9:40 am

Help understanding the logs

Post by evansgo » Sat Jun 27, 2015 7:47 am

I've got Murus Pro 1.2 running with Logs visualiser (my Mac's address is 192.168.x.101) and am having a few problems understanding what I am seeing. Would someone help please...

I have a largely standard firewall initially set up as intermediate and used mostly recommended settings. I then set up auto manage ports and selected the allow access from local networks option and auto update, and this produced a bunch of ports that look like they are set up for local access, so it looks as if this worked.

As I understand it this should allow any local network traffic to auto setup, is this correct?

The trouble I am having is that my IP cameras are not working quite right. I can connect to the config screens but get no video unless I disable the firewall, then instantly the video streams. So I must be doing something wrong, as I would have expected the firewall to auto update (Murus is running at this time).

So I am looking in the logs and seeing a LOT of entries from my media Mac 192.168.x.100 being blocked to 192.168.x.255. Why is another Mac showing up in these logs, and what is the 192.168.x.255 address for?

Several of my local Macs are showing blocked connections in the logs. I would have expected with my setup to have no local network machines blocked for anything, or have I totally misunderstood what I am doing??

Last question, and I have read the manual but cannot see this answered: if I amend the ports to allow / deny services and restart Murus to make it active, do I also have to save it via the menu and then over-write the boot scripts, or is this all done automatically?

Thanks

hany
Posts: 457
Joined: Wed Dec 10, 2014 5:20 pm

Re: Help understanding the logs

Post by hany » Mon Jun 29, 2015 1:36 pm

I've got Murus Pro 1.2 running with Logs visualiser (my Mac's address is 192.168.x.101) [...]
Is that a typo? Your Mac's address is probably 192.168.101.x ... isn't it?
Anyway....

I have a largely standard firewall initially set up as intermediate and used mostly recommended settings. I then set up auto manage ports and selected the allow access from local networks option and auto update, and this produced a bunch of ports that look like they are set up for local access, so it looks as if this worked.

As I understand it this should allow any local network traffic to auto setup, is this correct?
I assume "local traffic" is the traffic on your LAN: so yes, you have enabled INBOUND traffic from your LAN's hosts to your Mac's services. Please note that if you close Murus and open a new service, this service will not be automatically managed. Murus needs to be running. Please also note that OUTBOUND traffic is not affected by the Murus ports management system.
The trouble I am having is that my IP cameras are not working quite right. I can connect to the config screens but get no video unless I disable the firewall, then instantly the video streams.
Ok
So I must be doing something wrong, as I would have expected the firewall to auto update (Murus is running at this time)
I don't think you are doing something wrong. What you did is not wrong, it is probably not enough.
So I am looking in the logs and seeing a LOT of entries from my media MAC 192.168.x.100 being blocked to 192.168.x.255
hmmm.. I'm a bit confused.
why is another MAC showing up in these logs and what is the 192.168.x.255 address for
I think I need you to explain to me how you set up your network, how hosts are connected, what their real IP and subnet addresses are, including your IP cameras. I suspect that you failed to configure your IPv4 network, and probably cams are working over IPv6 when Murus is disabled. But I'm a bit confused, I need you to provide me more specific information about your overall network settings :)
Anyway the 192.168.x.255 addresses are (typically) broadcast addresses, not real addresses. No real hardware is associated with a .255 IP address.
Several of my local Macs are showing blocked connections in the logs. I would have expected with my setup to have no local network machines blocked for anything, or have I totally misunderstood what I am doing??
Again, I need a bit more info here. Do all your Macs use Murus, and do they use the same PF settings?
Anyway it is common to see blocked connections in logs, even if you allowed all traffic. This may happen for many reasons. For example PF blocks unsolicited acks, which is the most common reason for "unexpected" log entries. However every log line has its own reason to be there. Looking at the log you can see which PF rule has generated the block; this may be useful to understand what happens.
Last question, and I have read the manual but cannot see this answered: if I amend the ports to allow / deny services and restart Murus to make it active, do I also have to save it via the menu and then over-write the boot scripts, or is this all done automatically?
Murus Boot Scripts do not contain the firewall configuration, they don't need to be updated. You just need to install them once, then forget them.
Every time you click PLAY in the Murus toolbar, runtime PF rules are updated, and PF configuration files are updated too.

Ok, probably now you are a bit frustrated because I didn't solve your issue... but please give me some more info and I will do my best.

evansgo
Posts: 3
Joined: Fri May 29, 2015 9:40 am

Re: Help understanding the logs

Post by evansgo » Mon Jun 29, 2015 3:32 pm

hany wrote:
I've got Murus Pro 1.2 running with Logs visualiser (my Mac's address is 192.168.x.101) [...]
Is that a typo? Your Mac's address is probably 192.168.101.x ... isn't it?
Anyway....

No, it was just me trying not to write my internal IP address; the X just stands for 9. (192.168.9.101)
I have a largely standard firewall initially set up as intermediate and used mostly recommended settings. I then set up auto manage ports and selected the allow access from local networks option and auto update, and this produced a bunch of ports that look like they are set up for local access, so it looks as if this worked.

As I understand it this should allow any local network traffic to auto setup, is this correct?
I assume "local traffic" is the traffic on your LAN: so yes, you have enabled INBOUND traffic from your LAN's hosts to your Mac's services. Please note that if you close Murus and open a new service, this service will not be automatically managed. Murus needs to be running. Please also note that OUTBOUND traffic is not affected by the Murus ports management system.

Yes, I understand all that, and yes it is my local LAN.
The trouble I am having is that my IP cameras are not working quite right. I can connect to the config screens but get no video unless I disable the firewall, then instantly the video streams.
Ok

I've fixed this by manually adding the ports that were being blocked, and it is now working, but I don't understand why Murus didn't auto add them (it was running)
So I must be doing something wrong, as I would have expected the firewall to auto update (Murus is running at this time)
I don't think you are doing something wrong. What you did is not wrong, it is probably not enough.
:)
So I am looking in the logs and seeing a LOT of entries from my media MAC 192.168.x.100 being blocked to 192.168.x.255
hmmm.. I'm a bit confused.
why is another MAC showing up in these logs and what is the 192.168.x.255 address for
I think I need you to explain to me how you set up your network, how hosts are connected, what their real IP and subnet addresses are, including your IP cameras. I suspect that you failed to configure your IPv4 network, and probably cams are working over IPv6 when Murus is disabled. But I'm a bit confused, I need you to provide me more specific information about your overall network settings :)
Anyway the 192.168.x.255 addresses are (typically) broadcast addresses, not real addresses. No real hardware is associated with a .255 IP address.

No, the IPv4 is all working fine, although I'm sure it's hard to diagnose without knowing it all. I'm confused and I'm in front of it... :)
I have reasonable network knowledge, so I'm happy that side is working ok. The media box is 192.168.9.100 and my main Mac, 192.168.9.101, was logging the blocks to 192.168.9.255. No idea why it's broadcasting; maybe Plex is doing odd stuff. It was why it was showing up in my log at all, which was what was confusing me.

Several of my local Macs are showing blocked connections in the logs. I would have expected with my setup to have no local network machines blocked for anything, or have I totally misunderstood what I am doing??
Again, I need a bit more info here. Do all your Macs use Murus, and do they use the same PF settings?
Anyway it is common to see blocked connections in logs, even if you allowed all traffic. This may happen for many reasons. For example PF blocks unsolicited acks, which is the most common reason for "unexpected" log entries. However every log line has its own reason to be there. Looking at the log you can see which PF rule has generated the block; this may be useful to understand what happens.

Sorry for not being clear, I only have Murus on the one (192.168.9.101) so I really meant log, not logs. One example for instance, I am seeing a few of these logs: "Jun 27 12:05:37 Gareths-iMac pf[438]: 00:00:03.096377 rule 11/0(match): block out on en0: 192.168.9.101.55222 > 83.170.124.xx.143: Flags [R.], seq 1, ack 1, win 4096, length 0". I think that it's my website host's IP, so maybe email - but why is it being blocked? (my emails seem to be working OK)
And how do I find the line in the config from this? (sorry I have a feeling this was in a tutorial somewhere but I cannot find it)
Last question, and I have read the manual but cannot see this answered: if I amend the ports to allow / deny services and restart Murus to make it active, do I also have to save it via the menu and then over-write the boot scripts, or is this all done automatically?
Murus Boot Scripts do not contain the firewall configuration, they don't need to be updated. You just need to install them once, then forget them.
Every time you click PLAY in the Murus toolbar, runtime PF rules are updated, and PF configuration files are updated too.

Ah OK that helps thanks.

Ok, probably now you are a bit frustrated because I didn't solve your issue... but please give me some more info and I will do my best.
Not at all, I'm glad you have taken the time to help - thank you.

hany
Posts: 457
Joined: Wed Dec 10, 2014 5:20 pm

Re: Help understanding the logs

Post by hany » Mon Jun 29, 2015 4:23 pm

I've fixed this by manually adding the ports that were being blocked, and it is now working, but I don't understand why Murus didn't auto add them (it was running)
Glad to know that it works :)
I don't know why Murus did not automatically manage these ports. There could be many reasons. For example Murus ports management ignores ports from 49152 to 65535 by design. But probably this is not your case. However I can't tell you much more; every IP cam and client is different.

Sorry for not being clear, I only have Murus on the one (192.168.9.101) so I really meant log, not logs. One example for instance, I am seeing a few of these logs: "Jun 27 12:05:37 Gareths-iMac pf[438]: 00:00:03.096377 rule 11/0(match): block out on en0: 192.168.9.101.55222 > 83.170.124.xx.143: Flags [R.], seq 1, ack 1, win 4096, length 0". I think that it's my website host's IP, so maybe email - but why is it being blocked? (my emails seem to be working OK)

Jun 27 12:05:37 Gareths-iMac pf[438]: 00:00:03.096377 rule 11/0(match): block out on en0: 192.168.9.101.55222 > 83.170.124.xx.143: Flags [R.], seq 1, ack 1, win 4096, length 0
This is an unsolicited outbound ack (note the "ack 1"). These kinds of connections are blocked because a PF state has expired. This is normal, you'll see a lot of this stuff in your log file. These are mostly outbound connections. You can safely ignore such logs. And yes, they do not affect clients; as you can see, Mail works normally. Usually these log lines are generated by the Murus global blocking rule.
And how do I find the line in the config from this? (sorry I have a feeling this was in a tutorial somewhere but I cannot find it)
In Murus Logs Visualizer, in the Simplified Logs window, double-click a log entry to display the information popover view. Look at the bottom, you'll see the complete log lines, for example:

Jun 26 12:04:09 MacBookPro.local pf[295]: 00:00:00.069160 rule 11/0(match): block out on en0: 192.168.2.2.49181 > 17.158.28.13.443: Flags [FP.], seq 0:445, ack 1, win 8192, length 445
You must look at the "rule" keyword:

rule 11/0(match)
This means "rule 11 in the root anchor".
Open the Murus runtime rules browser to find the rule. On most Murus configurations rule 11 is the generic IPv4 block rule, I bet this is your case.

Tutorials have been removed from the current online manual. I'm going to update and correct them; they will be available very soon.
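As an added example (not from the thread or from Murus itself), the script below parses pflog lines in the format hany walks through, pulls out the "rule N/anchor" id, and sorts each block into the two benign cases discussed: a LAN broadcast destination (the .255 address) and an outbound RST/FIN+ACK with no SYN, i.e. the expired-state "unsolicited ack". The sample lines are constructed to match the thread's format (hostnames and the 203.0.113.x remote addresses are made up); the 192.168.9.0/24 LAN is the one evansgo describes.

```python
import ipaddress
import re
from collections import Counter

# Regex for the tcpdump-style text pflog emits after "pf[pid]:" (Murus shows the same lines).
LOG_RE = re.compile(
    r"pf\[\d+\]: \S+ rule (?P<rule>\d+)/(?P<anchor>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\]|(?P<proto>UDP))"
)

def parse_pflog(line):
    """Return a dict of fields from one pflog line, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def classify(entry, lan):
    """Label a blocked packet with the reason discussed in the thread."""
    if ipaddress.ip_address(entry["dst"]) == lan.broadcast_address:
        return "lan-broadcast"        # .255: no host lives there, just LAN chatter
    flags = entry["flags"] or ""
    # tcpdump prints '.' for the ACK bit. An outbound RST/FIN carrying ACK but no SYN
    # that hit the block rule means PF had no state for it any more (expired state).
    if entry["direction"] == "out" and "." in flags and "S" not in flags:
        return "expired-state-ack"
    return "review"                   # anything else deserves a look at the rule

def summarise(lines, lan_cidr="192.168.9.0/24"):
    """Count blocks per (rule id, reason) so the noise can be separated from real denials."""
    lan = ipaddress.ip_network(lan_cidr)
    counts = Counter()
    for line in lines:
        e = parse_pflog(line)
        if e is not None:
            counts[(e["rule"], classify(e, lan))] += 1
    return counts

# Constructed sample lines in the thread's format (hostnames and remote IPs are made up).
SAMPLE = [
    "Jun 27 12:05:37 Gareths-iMac pf[438]: 00:00:03.096377 rule 11/0(match): block out on en0: 192.168.9.101.55222 > 203.0.113.20.143: Flags [R.], seq 1, ack 1, win 4096, length 0",
    "Jun 27 12:05:40 Gareths-iMac pf[438]: 00:00:00.069160 rule 11/0(match): block out on en0: 192.168.9.101.49181 > 203.0.113.21.443: Flags [FP.], seq 0:445, ack 1, win 8192, length 445",
    "Jun 27 12:05:41 Gareths-iMac pf[438]: 00:00:00.000420 rule 11/0(match): block in on en0: 192.168.9.100.32414 > 192.168.9.255.32414: UDP, length 27",
    "Jun 27 12:05:42 Gareths-iMac pf[438]: 00:00:00.001000 rule 11/0(match): block in on en0: 192.168.9.100.49800 > 192.168.9.101.554: Flags [S], seq 0, win 65535, length 0",
]

if __name__ == "__main__":
    for (rule, reason), n in sorted(summarise(SAMPLE).items()):
        print(f"rule {rule}: {reason:18s} {n}")
```

The inbound SYN to port 554 is the kind of line left in the "review" bucket: that is a real denial of a new connection (an IP camera stream, in this thread's case), and the rule id tells you which entry to look up in the runtime rules browser.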
