Netgate Discussion Forum
    Firewall Logs with Unavailable Matched Rule and Empty Tracker ID

    General pfSense Questions
    11 Posts, 5 Posters, 335 Views
    stephenw10 (Netgate Administrator):

      That happens if the rule is no longer present in the ruleset when the log page is displayed. So commonly for old logs if it was something dynamically created like a UPnP rule or a scheduled rule.

      Those look like reply traffic though so it could just be an expired state and the ruleset changed since.

    lcs:

        I have the same issue. It's always on WAN with rule (), the destination protocol is UDP with no port. This has been happening since the latest update to 2.8.0.
        The firewall has been rebooted multiple times.

    johnpoz (LAYER 8 Global Moderator), replying to @stephenw10:

          @stephenw10 wasn't there another thread with these? Notice the reason is "short"; I don't think those are blocked because of a specific rule, so I'm not sure there is anything it can show for the RID.

          (attachment: 2025-08-28_130049.jpg)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

    stephenw10 (Netgate Administrator):

            Yup, there was. It hits that and doesn't match any rules because it's a short packet. So some invalid packets are arriving at pf.

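The two situations stephenw10 describes above (a tracker ID that no longer resolves because the rule left the ruleset, and a "short" packet that pf rejects before any rule is evaluated) are easy to tell apart in the raw filterlog lines. The following is an added example, not code from pfSense or from anyone in this thread: a small parser for filterlog lines that names each field per the documented filterlog column order (common fields, then IPv4 or IPv6 fields, then protocol fields) and says what the log page could resolve for each entry. The log lines, addresses, interface name and the tracker-to-description map are constructed for the example; the exact layout of the "short" line (empty rule number and tracker, no transport fields) is an assumption, since pf sets that reason before it has parsed the transport header.

```python
"""Classify pfSense filterlog entries by whether a rule can be resolved.

Added example for this thread; not code from pfSense or from any poster.
The log lines, addresses and tracker map below are CONSTRUCTED.
"""
import csv

# Field order follows the documented pfSense "Filter Log Format".
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "iface",
          "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags",
        "proto_id", "proto", "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hoplimit", "proto", "proto_id",
        "length", "src", "dst"]
PROTO_FIELDS = {
    "udp": ["sport", "dport", "datalen"],
    "tcp": ["sport", "dport", "datalen", "tcpflags", "seq", "ack",
            "window", "urg", "options"],
}

# Constructed sample lines. The layout of the "short" line is an ASSUMPTION:
# pf sets that reason while parsing headers, so there is no rule number, no
# tracker and (here) no transport fields to log.
LOG_LINES = [
    "Aug 28 13:00:49 fw filterlog[61231]: 5,,,1000000103,igb0,match,block,in,4,"
    "0x0,,64,12345,0,DF,6,tcp,60,203.0.113.10,198.51.100.2,58512,443,0,S,"
    "1913180131,,8192,,mss;nop;wscale;sackOK;TS",
    "Aug 28 13:01:02 fw filterlog[61231]: 112,,,1761234567,igb0,match,pass,in,4,"
    "0x0,,117,0,0,none,17,udp,1350,101.224.10.20,198.51.100.2,443,51234,1330",
    "Aug 28 13:01:15 fw filterlog[61231]: ,,,,igb0,short,block,in,4,"
    "0x0,,52,0,0,none,17,udp,24,101.224.10.20,198.51.100.2",
    "Aug 28 13:02:40 fw filterlog[61231]: 7,,,1000000105,igb0,match,block,in,6,"
    "0x00,0x00000,64,udp,17,40,2001:db8::10,2001:db8:1::2,5353,5353,32",
]

# Constructed stand-in for the currently loaded ruleset, keyed by tracker ID,
# the way the log page resolves rule descriptions. Tracker 1761234567 is
# deliberately absent (think of an expired UPnP or schedule rule).
RULESET = {
    "1000000103": "Default deny rule IPv4 (WAN)",
    "1000000105": "Default deny rule IPv6 (WAN)",
}


def parse_line(line: str) -> dict:
    """Split one syslog/filterlog line into named fields; '' becomes None."""
    payload = line
    if "filterlog" in line:
        payload = line.split("filterlog", 1)[1].split(": ", 1)[1]
    cols = next(csv.reader([payload.strip()]))
    entry = dict(zip(COMMON, cols))
    rest = cols[len(COMMON):]
    ip_names = {"4": IPV4, "6": IPV6}.get(entry.get("ipver"), [])
    entry.update(zip(ip_names, rest))
    rest = rest[len(ip_names):]
    proto_names = PROTO_FIELDS.get(entry.get("proto", ""), [])
    entry.update(zip(proto_names, rest))  # zip tolerates missing trailing fields
    return {k: (v or None) for k, v in entry.items()}


def explain(entry: dict, ruleset: dict) -> str:
    """Say what the log viewer can show for this entry and why."""
    reason = entry.get("reason")
    tracker = entry.get("tracker")
    if reason != "match":
        # e.g. reason=short: pf rejected the packet while parsing its headers,
        # before any rule was evaluated, so there is no rule or tracker to show.
        return f"no rule: pf rejected the packet before rule evaluation (reason={reason})"
    if tracker is None:
        return "matched a rule but the tracker field is empty; nothing to look up"
    desc = ruleset.get(tracker)
    if desc is None:
        # The rule existed when the packet was logged but is gone from the
        # running ruleset (expired UPnP/schedule rule, or the ruleset changed).
        return f"rule unavailable: tracker {tracker} is not in the current ruleset"
    return f"{entry['action']} by rule {tracker}: {desc}"


def summarize(lines=LOG_LINES, ruleset=RULESET) -> list:
    """Return (src, dst, reason, explanation) for each line."""
    out = []
    for line in lines:
        e = parse_line(line)
        out.append((e.get("src"), e.get("dst"), e.get("reason"), explain(e, ruleset)))
    return out


def count_reasons(lines=LOG_LINES) -> dict:
    """Tally the pf reason field (pf keeps the same per-reason counters)."""
    counts = {}
    for line in lines:
        r = parse_line(line).get("reason")
        counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    for row in summarize():
        print(*row, sep=" | ")
    print(count_reasons())
```

On a real box the same split is available without parsing: the "Counters" section of `pfctl -si` includes a `short` counter next to `match`, `fragment`, `normalize` and the other pf drop reasons, so a rising `short` count confirms these entries are pf header-parsing drops rather than a rule that has vanished; a missing tracker for a `match` entry, by contrast, is the case stephenw10 describes where the rule is simply no longer in the loaded ruleset.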
    marchand.guy, replying to @johnpoz:

              @johnpoz said in Firewall Logs with Unavailable Matched Rule and Empty Tracker ID:

              wasn't there another thread with these

              Yes, it was me. Same situation (version and protocol).

    johnpoz (LAYER 8 Global Moderator), replying to @marchand.guy:

                @marchand.guy I am not up to speed on what the pf firewall pfSense uses does with "short" packets. But logically, if the packet is malformed in some way, it's not going to be able to do anything with it, etc.

                I don't recall ever seeing such entries. But maybe they are only logged when you log default deny or something, which I have off. Or maybe I have just never seen a "short".

                But for sure it's not a valid packet/fragment, or why would it be labeled "short"? I would assume it most likely has to do with the scrubbing functionality.


    marchand.guy, replying to @johnpoz:

                  @johnpoz said in Firewall Logs with Unavailable Matched Rule and Empty Tracker ID:

                  But maybe they are only logged when you log default deny

                  I have it off also. It looks to me like this version, 2.8, did a nice job of wiping out many bugs, but some others seem to be popping up. Like any "new" version, I suppose.

    johnpoz (LAYER 8 Global Moderator), replying to @marchand.guy:

                    @marchand.guy what we need is a better understanding of what pfSense actually means when it gives a reason of "short". I assume it has to do with the scrubbing functionality.

                    Is something not working? You could try disabling scrub to see if those log messages go away.

                    (attachment: scrub.jpg)

                    I don't recall ever seeing such a block. Since that is UDP to 443, I would assume a QUIC connection. That IP is a China Telecom IP:

                    inetnum:        101.224.0.0 - 101.231.255.255
                    netname:        CHINANET-SH
                    descr:          CHINANET SHANGHAI PROVINCE NETWORK
                    descr:          China Telecom
                    

                    What is trying to talk to that IP? I would look in your state table to see which client is talking to it.

                    I don't see you ever connecting to the forums with an IPv4 address, only IPv6, and not a China Telecom IPv6 address.


    marchand.guy, replying to @johnpoz:

                      @johnpoz In case this was not clear, the question is meant for @aarontry1.

    stephenw10 (Netgate Administrator):

                        Mmm, I've never seen that here either.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.