Resource to "decode" firewall logs?
-
Hi, noob here..
Jun 13 13:27:31 my.router.internal.ip pf: 14. 662492 rule 66/0(match): block in on em0: (tos 0x20, ttl 48, id 21005, offset 0, flags [DF], proto TCP (6), length 563) 209.234.225.243.80 > my.wan.ip.4934: P 3015537754:3015538265(511) ack 1045016644 win 14 <nop,nop,timestamp 1575930792 1885332785>
I'm interested in knowing what things like "pf: 14" and "rule 66/0" mean.
Thanks!
-
66/0 is the rule number and group number.
You can view the rule number by looking at pfctl -vvsr.
pf is the name of the process doing the logging. I don't recall what the number in the 14 place meant; it might be some kind of timing value. The log messages are vastly different in 2.0 than 1.2.3. The parsing code breaks down the things you really need to see pretty well.
The details of the log message are probably in the pf docs somewhere.
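One way to pull those fields (rule/group number, action, interface, protocol, endpoints) out of a line like the one in the question, as an added Python example that is not from this thread or from pfSense's own parsing code. It assumes the 1.2.3-style line layout shown above, and the sample line is constructed from the question's log with RFC 5737 documentation addresses in place of the poster's router and WAN IPs.

```python
import re

# One pfSense 1.2.3-style pf log line, constructed for this example from the
# thread's sample: the router hostname and the WAN address are replaced with
# RFC 5737 documentation addresses (192.0.2.1 and 203.0.113.7).
SAMPLE = ("Jun 13 13:27:31 192.0.2.1 pf: 14. 662492 rule 66/0(match): block in on em0: "
          "(tos 0x20, ttl 48, id 21005, offset 0, flags [DF], proto TCP (6), length 563) "
          "209.234.225.243.80 > 203.0.113.7.4934: P 3015537754:3015538265(511) "
          "ack 1045016644 win 14 <nop,nop,timestamp 1575930792 1885332785>")

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+pf:\s+"
    r"(?P<prefix>\d+\.\s*\d+)\s+"          # the "14. 662492" field; kept verbatim, the thread does not settle its meaning
    r"rule\s+(?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>\w+)\):\s+"
    r"(?P<action>pass|block)\s+(?P<direction>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"\((?P<ipinfo>.*?)\)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s*(?P<rest>.*)$"
)
# Inside the parenthesised IP header summary; note "proto TCP (6)" nests its own parens.
IPINFO_RE = re.compile(
    r"ttl (?P<ttl>\d+),.*proto (?P<proto>\w+) \((?P<protonum>\d+)\), length (?P<length>\d+)"
)

def split_endpoint(endpoint):
    """'209.234.225.243.80' -> ('209.234.225.243', 80): the port is the last dotted field."""
    ip, port = endpoint.rsplit(".", 1)
    return ip, int(port)

def parse_pf_log(line):
    """Break one pf log line into a dict of the fields the thread asks about."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not a recognised pf log line: {line!r}")
    hdr = IPINFO_RE.search(m.group("ipinfo"))
    if hdr is None:
        raise ValueError(f"unrecognised IP header summary: {m.group('ipinfo')!r}")
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    # Old tcpdump notation: the letters before the sequence numbers are the TCP flags
    # (S=SYN, P=PSH, F=FIN, R=RST, "." = none of those; ACK is printed separately).
    flags = re.match(r"[SPFR.]+", m.group("rest"))
    return {
        "stamp": m.group("stamp"), "host": m.group("host"), "prefix": m.group("prefix"),
        "rule": int(m.group("rule")),        # the number shown by 'pfctl -vvsr'
        "subrule": int(m.group("subrule")),  # the "/0" part (group number)
        "reason": m.group("reason"), "action": m.group("action"),
        "direction": m.group("direction"), "iface": m.group("iface"),
        "proto": hdr.group("proto"), "protonum": int(hdr.group("protonum")),
        "ttl": int(hdr.group("ttl")), "length": int(hdr.group("length")),
        "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
        "tcp_flags": flags.group(0) if (flags and hdr.group("proto") == "TCP") else None,
    }

if __name__ == "__main__":
    for key, value in parse_pf_log(SAMPLE).items():
        print(f"{key:<10} {value}")
```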