Logging of dropped packets/blocked connections in Interactive Firewall mode

22 hours ago, SeriousHoax said:

Description: Logging of dropped packets/blocked connections in Interactive Firewall mode

Detail: When I deny access to something in Interactive firewall mode there's no way to later check what site that particular app tried to connect to. It would be very useful if all the dropped packets could be logged so that one can later check everything and do the research if required. This logging shouldn't be enabled by default, but there should be an option to enable it when the user activates Interactive mode from advanced settings.

You can enable logging of blocked communications, however, this is not recommended as the firewall log may grow quickly.


6 hours ago, Marcos said:

You can enable logging of blocked communications, however, this is not recommended as the firewall log may grow quickly.

Can you please tell me the process of enabling that? I am looking for blocked communication logs only. As most things are allowed by my rules, the blocked log will not be huge for me.


3 hours ago, SeriousHoax said:

Can you please tell me the process of enabling that?

Appears to be the setting indicated in the below screenshot. Also, enabling this will most likely create log entries for all network activity, not just blocked connections:

[screenshot: ESET network advanced logging setting]


3 hours ago, itman said:

Appears to be the setting indicated in the below screenshot. Also, enabling this will most likely create log entries for all network activity, not just blocked connections:

[screenshot: ESET network advanced logging setting]

You're right. This is for all network activity. There's no way to log blocked communications in interactive firewall mode.


3 minutes ago, Marcos said:

I forgot, this was moved to diagnostic logging in the past:

I'm sorry, I'm still confused. If I select Diagnostic, will it log blocked connections?


4 minutes ago, Marcos said:

I forgot, this was moved to diagnostic logging in the past:

That option still exists. But enabling it will cause everything to be written to all log files.


4 minutes ago, itman said:

That option still exists. But enabling it will cause everything to be written to all log files.

I see. This isn't an ideal solution, since I'm looking for the blocked firewall log only.


The only way I know of to log blocked network connections when the firewall is set to Interactive mode is to create an Ask rule to monitor any inbound and outbound network traffic for any protocol. Set the Event log level to Diagnostic - maybe. I am not sure that the Diagnostic level will write a log entry for manually answered Ask-level rules, but I believe it does so for blocked activity. Otherwise, you will have to experiment with the other logging level options.

The restriction with the above is that the created Ask rule must always be at the end of the existing rule set. This means that every time a new firewall rule is created, this Ask rule must also be manually moved to the end of the existing rule set.

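To illustrate the rule-ordering constraint described in this post, here is a small first-match model with a trailing catch-all Ask rule (example code written for this thread, not ESET's engine or rule format; the rule fields, rule names, application names and IP addresses are constructed). It shows why a rule appended after the Ask rule is never reached, and that the resulting log entry carries only an IP address and port, as noted later in the thread.

```python
# Constructed model of a first-match firewall rule set with a trailing "Ask"
# catch-all. Simulation only; not ESET's implementation or rule format.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                      # "allow", "deny" or "ask"
    app: Optional[str] = None        # None matches any application
    direction: Optional[str] = None  # "in", "out" or None for both
    log: bool = False                # stands in for the per-rule Event log setting

    def matches(self, app: str, direction: str) -> bool:
        return self.app in (None, app) and self.direction in (None, direction)

# The catch-all Ask rule from the post: any app, any direction, logging on.
ASK_ALL = Rule("ask-everything", "ask", log=True)

def ensure_ask_rule_last(rules: list) -> list:
    """Return a copy with the catch-all Ask rule moved to the end, i.e. the
    manual step the post says is needed after every new rule is created."""
    return [r for r in rules if r is not ASK_ALL] + [ASK_ALL]

def evaluate(rules, app, direction, remote_ip, port, user_decision="deny", log=None):
    """First-match evaluation. If the Ask rule fires, user_decision stands in
    for the interactive prompt. A log line is appended only when the matching
    rule has logging enabled; it records IP and port, never a domain name."""
    for r in rules:
        if r.matches(app, direction):
            action = user_decision if r.action == "ask" else r.action
            if r.log and log is not None:
                log.append(f"{r.name} {action} {app} {direction} {remote_ip}:{port}")
            return action, r.name
    return "deny", "<implicit-default>"

def demo():
    log = []
    rules = [Rule("browser-out", "allow", app="browser.exe", direction="out"), ASK_ALL]
    # A new rule appended after the Ask rule is shadowed: the Ask rule fires first.
    rules.append(Rule("updater-out", "allow", app="updater.exe", direction="out"))
    shadowed = evaluate(rules, "updater.exe", "out", "203.0.113.10", 443, log=log)
    fixed = ensure_ask_rule_last(rules)
    reachable = evaluate(fixed, "updater.exe", "out", "203.0.113.10", 443, log=log)
    # An unknown app answered "deny" at the prompt produces an IP-only log entry.
    blocked = evaluate(fixed, "unknown.exe", "out", "198.51.100.7", 8080, log=log)
    return shadowed, reachable, blocked, log
```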

A bit of Eset history here.

As I recollect, the above-noted end-of-rule-set Ask rule used to be generated automatically when the firewall was set to Interactive mode. Eset eliminated the rule when it added the Network Wizard feature, a feature I really don't care for.


Reflecting a bit on my previous Eset history posting above, I always viewed this as an Eset screw-up. The way things should work when firewall Interactive mode is enabled is as follows:

1. Network Wizard is internally disabled since it is not applicable.

2. An Eset default Ask rule as described previously is auto-generated at the end of the existing rule set. As with all Eset default firewall rules, the only thing modifiable would be the Event log setting.

3. Any firewall rules created thereafter in Interactive mode would always be created prior to the generated default Ask rule.

When Interactive mode is changed to another mode, the above actions would be reversed: Network Wizard enabled and the default Ask rule deleted.


1 hour ago, itman said:

The only way I know of to log blocked network connections when the firewall is set to Interactive mode is to create an Ask rule to monitor any inbound and outbound network traffic for any protocol. Set the Event log level to Diagnostic - maybe. I am not sure that the Diagnostic level will write a log entry for manually answered Ask-level rules, but I believe it does so for blocked activity. Otherwise, you will have to experiment with the other logging level options.

The restriction with the above is that the created Ask rule must always be at the end of the existing rule set. This means that every time a new firewall rule is created, this Ask rule must also be manually moved to the end of the existing rule set.

I just tried this. It works when the log is set to Information/Warning. But it only logs IP addresses, not domains 😕


10 minutes ago, itman said:

Reflecting a bit on my previous Eset history posting above, I always viewed this as an Eset screw-up. The way things should work when firewall Interactive mode is enabled is as follows:

1. Network Wizard is internally disabled since it is not applicable.

2. An Eset default Ask rule as described previously is auto-generated at the end of the existing rule set. As with all Eset default firewall rules, the only thing modifiable would be the Event log setting.

3. Any firewall rules created thereafter in Interactive mode would always be created prior to the generated default Ask rule.

When Interactive mode is changed to another mode, the above actions would be reversed: Network Wizard enabled and the default Ask rule deleted.

I didn't even notice this Network Wizard. What is its purpose?


1 minute ago, SeriousHoax said:

But it only logs the IP address, not the domain

That's by design since the firewall only supports IP addresses. Ditto for most other firewalls.


2 minutes ago, itman said:

That's by design since the firewall only supports IP addresses. Ditto for most other firewalls.

Oh. But since Eset's Interactive mode can show the domain, it wouldn't hurt to log this info also.

[screenshot: Interactive mode firewall prompt showing the domain]


16 minutes ago, SeriousHoax said:

I didn't even notice this Network Wizard. What is its purpose?

That's an interesting question and the answer depends on why the feature was developed.

Basically it's a way for noob users to auto-create a firewall rule for a connection Eset blocked. By simply clicking on the Unblock tab, a "permissive" firewall rule, as the Eset mods phrase it, is created. "The devil in the detail" is that the rule created is just that: permissive. For example, if a program's network communication is blocked, the rule created will allow all network communication for the program.

The main problem with Network Wizard is that you have no idea Eset blocked any network connections unless you open the Eset GUI and then Network Settings. 🙄


7 minutes ago, itman said:

That's an interesting question and the answer depends on why the feature was developed.

Basically it's a way for noob users to auto-create a firewall rule for a connection Eset blocked. By simply clicking on the Unblock tab, a "permissive" firewall rule, as the Eset mods phrase it, is created. "The devil in the detail" is that the rule created is just that: permissive. For example, if a program's network communication is blocked, the rule created will allow all network communication for the program.

Oh. It never occurred to me, so I haven't noticed this yet.


In regards to my above recommendations posting: https://forum.eset.com/topic/23153-logging-of-dropped-packetsblocked-connections-in-interactive-firewall-mode/?do=findComment&comment=112031 , it appears that presently a hidden "Ask" rule is run after all existing firewall rules have been parsed in Interactive mode.

As such, I would recommend that Eset by default log all activity resulting from a firewall alert while in Interactive mode. Eset rule creation is not the "most straightforward" process, in that Advanced settings must be accessed and the appropriate check boxes marked. Or simply the Allow action is selected, and a permissive rule created. Having a log entry showing all applicable original network activity as a reference point would be very beneficial in post-event forensic analysis.
