Netgate Discussion Forum

    Resource to "decode" firewall logs?

    • trentdk

      Hi, noob here..

      Jun 13 13:27:31 my.router.internal.ip pf: 14. 662492 rule 66/0(match): block in on em0: (tos 0x20, ttl 48, id 21005, offset 0, flags [DF], proto TCP (6), length 563) 209.234.225.243.80 > my.wan.ip.4934: P 3015537754:3015538265(511) ack 1045016644 win 14 <nop,nop,timestamp 1575930792 1885332785>
      

      I'm interested in knowing what things like "pf: 14" and "rule 66/0" mean.

      Thanks!

      pfSense 2.0 BETA at home, pfSense 1.2.3 at work

      • jimp Rebel Alliance Developer Netgate

        66/0 is the rule number and group number.

        You can view the rule number by looking at pfctl -vvsr

        pf is the name of the process doing the logging. I don't recall what the number in the 14 place meant; it might be some kind of timing value. The log messages are vastly different in 2.0 than 1.2.3. The parsing code breaks down the things you really need to see pretty well.

        The details of the log message are probably in the pf docs somewhere.

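A parser for the log layout quoted in the question, added here as an example; it is not part of the original thread and is not pfSense's own parsing code. It assumes every filter line follows the layout of the one line shown above. The field names (`lead`, `second`, and so on) and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the tcpdump-style line quoted in the question (pfSense 1.2.3 era).
# "lead" is the number after "pf:", "second" the number after the slash in "66/0".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) pf: (?P<lead>[\d. ]+?) "
    r"rule (?P<rule>\d+)/(?P<second>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"\((?P<ip>[^()]*proto (?P<proto>\w+) \(\d+\)[^()]*)\) "
    r"(?P<src>\S+) > (?P<dst>\S+?): (?P<l4>.*)$"
)
TCP_FLAGS = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST"}  # tcpdump flag letters

def split_endpoint(endpoint, proto):
    """tcpdump prints addr.port for TCP/UDP; other protocols carry no port."""
    if proto not in ("TCP", "UDP"):
        return endpoint, None
    addr, _, port = endpoint.rpartition(".")
    return addr, int(port) if port.isdigit() else port

def parse_pf_line(line):
    """Return a dict of fields, or None if the line is not in this layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])  # number to look up in `pfctl -vvsr`
    rec.update(re.findall(r"\b(tos|ttl|id|offset|length) (\w+)", rec.pop("ip")))
    rec["src_ip"], rec["src_port"] = split_endpoint(rec.pop("src"), rec["proto"])
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec.pop("dst"), rec["proto"])
    if rec["proto"] == "TCP":
        rec["tcp_flags"] = [TCP_FLAGS.get(c, c) for c in rec["l4"].split(" ", 1)[0]]
    return rec

def blocks_per_rule(lines):
    """Count blocked packets per rule number, skipping unparseable lines."""
    recs = filter(None, map(parse_pf_line, lines))
    return Counter(r["rule"] for r in recs if r["action"] == "block")

# Constructed sample lines (documentation addresses), modelled on the quoted one.
SAMPLE = [
    "Jun 13 13:27:31 192.0.2.1 pf: 14. 662492 rule 66/0(match): block in on em0: (tos 0x20, ttl 48, id 21005, offset 0, flags [DF], proto TCP (6), length 563) 203.0.113.80.80 > 198.51.100.7.4934: P 3015537754:3015538265(511) ack 1045016644 win 14 <nop,nop,timestamp 1575930792 1885332785>",
    "Jun 13 13:27:40 192.0.2.1 pf: 8. 101002 rule 66/0(match): block in on em0: (tos 0x0, ttl 55, id 0, offset 0, flags [none], proto ICMP (1), length 84) 203.0.113.9 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64",
    "Jun 13 13:27:41 192.0.2.1 pf: 1. 000310 rule 70/0(match): pass out on em0: (tos 0x0, ttl 64, id 4321, offset 0, flags [none], proto UDP (17), length 57) 198.51.100.7.53211 > 203.0.113.53.53: UDP, length 29",
    "Jun 13 13:27:42 192.0.2.1 dnsmasq[123]: reading /etc/resolv.conf",
]

if __name__ == "__main__":
    print(blocks_per_rule(SAMPLE))
```

The `rule` value is the number to match against the output of `pfctl -vvsr` when tracing which rule blocked a packet.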