Firewall Rule "Log Traffic" Option

Where can I find the log for a given firewall rule when I choose "Log Traffic"?  I am trying to see outbound traffic on port 22, so I created a separate rule for it and set it to log, but I can't find the log.  I want to lock it down to just a few destination IP addresses and need to know what is being used.

  • Obviously the rule needs to be set to log and sit above the rule that allows any traffic, etc.

    Logs are in the firewall log, and you're looking for something similar to dstport="22".

    There is also Network Usage > Bandwidth Usage > Top client by service; enter port 22. You will see all connections on port 22, but you should be able to spot your local ones in there. Alternatively, export it to CSV (top right-hand corner) and filter the CSV file from there.

    You could also use something like iview3 or a free syslog server.

  • In reply to Louis-M:

    If I search the log and the only results are blocked and dropped *inbound* traffic, does that mean that there were no attempts to use SSH to go *outbound*? In other words, all the results show:

    external address:random port ---> internal address:port 22


    I don't see anything for:

    internal address:random port ---> external address:port 22

  • In reply to K M:

    If that's the case, my guess is you ain't hitting the rule to log it.

    Move the rule you made to the top, with destination port TCP 22 or SSH. Ensure logging is on for that rule. Open up the firewall live log viewer, try to connect to an external SSH server, and you should see the connection attempt in the live log. You can filter by the IP you are trying from to make it a little easier to see. You need to see it in that log for it to be logged.

  • In reply to Louis-M:

    I moved the rule to the top, opened the live log viewer, connected to a known external SSH server, and nothing appeared in the log.

  • In reply to K M:

    Have you got any automatic firewall rules enabled? You need to show all rules. The first rule to match will get the traffic.

    If your rule is at the top and it's, say, YOUR LAN > PORT 22 or SSH > ANY or INTERNET (and log is ticked), it should show.

    If you have, for example, YOUR LAN > ANY > ANY or INTERNET above the example rule specified above, your SSH traffic will never get to the SSH rule below.

  • In reply to K M:

    Is 22 down as TCP? It's easier to add SSH in there...
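    The two failure modes discussed in this thread, a broad YOUR LAN > ANY > ANY rule sitting above the SSH rule so the SSH rule never sees the traffic, and the rule being defined for the wrong protocol (UDP 22 instead of TCP 22), can both be reproduced with a small first-match rule evaluator. The code below is an added example, not code from the original thread or from any firewall vendor. The zone names ("LAN", "WAN"), the rule fields and the log-line format (including the dstport="22" key) are constructed to resemble what the posts describe, not any product's real schema.

```python
"""First-match firewall rule evaluation (constructed model, not a vendor's engine)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "ANY"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str   # "TCP" or "UDP"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str = ANY
    dst_zone: str = ANY
    proto: str = ANY
    dport: Optional[int] = None   # None means "any destination port"
    action: str = "allow"
    log: bool = False


def _covers(pattern: str, value: str) -> bool:
    return pattern == ANY or pattern == value


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches only if every field it constrains agrees with the flow, protocol included."""
    return (_covers(rule.src_zone, flow.src_zone)
            and _covers(rule.dst_zone, flow.dst_zone)
            and _covers(rule.proto, flow.proto)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[Optional[Rule], Optional[str]]:
    """Walk the list top to bottom; the first match decides and only a logging rule emits a line."""
    for rule in rules:
        if matches(rule, flow):
            line = None
            if rule.log:
                # Constructed log format, shaped like the dstport="22" key mentioned in the thread.
                line = (f'rule="{rule.name}" action="{rule.action}" src="{flow.src_ip}" '
                        f'dst="{flow.dst_ip}" proto="{flow.proto}" dstport="{flow.dport}"')
            return rule, line
    return None, None   # no rule matched: treated here as an implicit drop


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers every field they constrain."""
    out = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.src_zone, rule.src_zone)
                    and _covers(earlier.dst_zone, rule.dst_zone)
                    and _covers(earlier.proto, rule.proto)
                    and (earlier.dport is None or earlier.dport == rule.dport)):
                out.append(rule.name)
                break
    return out


# Constructed outbound SSH attempt from a LAN host to an Internet host.
SSH_OUT = Flow("LAN", "10.0.0.5", "WAN", "203.0.113.7", "TCP", 22)
ALLOW_ALL = Rule("LAN to Internet", src_zone="LAN", dst_zone="WAN")


def scenario_udp_typo():
    """Log rule written for UDP 22: TCP/22 falls through to the non-logging allow-all rule."""
    rules = [Rule("Log SSH out", "LAN", "WAN", "UDP", 22, log=True), ALLOW_ALL]
    return evaluate(rules, SSH_OUT)


def scenario_shadowed():
    """Allow-all rule above the SSH rule: the SSH rule is never reached."""
    rules = [ALLOW_ALL, Rule("Log SSH out", "LAN", "WAN", "TCP", 22, log=True)]
    return evaluate(rules, SSH_OUT), shadowed(rules)


def scenario_correct():
    """TCP 22 log rule at the top: the attempt hits it and a log line is produced."""
    rules = [Rule("Log SSH out", "LAN", "WAN", "TCP", 22, log=True), ALLOW_ALL]
    return evaluate(rules, SSH_OUT)


if __name__ == "__main__":
    for name, fn in (("udp typo", scenario_udp_typo), ("shadowed", scenario_shadowed),
                     ("correct", scenario_correct)):
        print(name, "->", fn())
```

    Running the three scenarios shows why the live log stayed empty in the thread: in the UDP-typo and shadowed cases the TCP/22 flow is accepted by "LAN to Internet", which does not log, so nothing appears even though the traffic is flowing. The `shadowed()` check is the programmatic version of "show all rules, first match wins": it flags any rule that a broader rule above it makes unreachable.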

  • In reply to Louis-M:

    Ha, now I feel foolish. I had it down as UDP. Thanks, problem solved.