Relating Error Message back to the GUI

guardian · Jan 14, 2017, 8:50 AM

Can someone please tell me… if I see something like this in the firewall logs

Jan 14 02:53:13 LAN Default Block (1483693418) 192.168.1.10:33732 127.0.0.1:8443 TCP:S

What does the number (1483693418) mean?

Can I used the shell to look in some file that will give me a hint as to what is causing the item to be blocked?

Any suggestions would me much appreciated.

KOM · Jan 16, 2017, 3:45 PM

The hint is that it's the default block on LAN. Normally LAN has no rules other than an Allow Any for All which gives full access from LAN. Have you modified the default LAN rules?

guardian · Jan 17, 2017, 12:19 AM

Thanks…. that makes sense... got it figured out.

What does the number (1483693418) refer to?
Is it useful for troubleshooting?

doktornotor · Jan 17, 2017, 8:08 AM

@guardian:

What does the number (1483693418) refer to?
Is it useful for troubleshooting?

That's a unique tracker ID. Each rule has one, look at pfctl -vvsr output.

Pippin · Jan 17, 2017, 8:47 AM

I would think that is a Unix time stamp, so yeah it`s unique ;)
1483693418 = Fri, 06 Jan 2017 09:03:38 GMT

kpa · Jan 17, 2017, 9:04 AM

@Pippin:

I would think that is a Unix time stamp, so yeah it`s unique ;)
1483693418 = Fri, 06 Jan 2017 09:03:38 GMT

This assuming you can't create two rules within one second :P Hopefully the rule creation system is aware of this…

guardian · Jan 17, 2017, 10:43 PM

Thanks very much everyone for the replies…. and special thank to doktornotor for look at pfctl -vvsr output.

That really helps a lot, I can clearly see what is going on.

I have IPv6 turned off, but this rule:

@5(1000000003) block drop in log quick inet6 all label "Block all IPv6"
[ Evaluations: 58461 Packets: 4893 Bytes: 1025925 States: 0 ]

is filling my log up with hundreds of lines of:
Jan 17 17:36:49 WAN Block all IPv6 (1000000003) [fe80::2fc:8dff:fe24:8b32] [ff02::1] ICMPv6

and it's above all the rules created by the GUI. Is there any way for me to get rid of these things?

KOM · Jan 18, 2017, 2:15 PM

Is there any way for me to get rid of these things?

Add or edit your IPv6 block rule and set it to not log.

guardian · Jan 18, 2017, 2:31 PM

@KOM:

Is there any way for me to get rid of these things?

Add or edit your IPv6 block rule and set it to not log.

Where would I edit this rule? It is auto generated by the firewall, and @5(1000000003) it is way up the chain above the user generated rules.

At least using pfctl -vvsr lets me see what is REALLY going on. I love the GUI, but sometimes there is nothing better than a good old fashioned terminal - as long as you know what to do with it (which can be a huge challenge).

doktornotor · Jan 18, 2017, 2:37 PM

Add your OWN rule there to block any IPv6 WITHOUT logging. ZOMG.

guardian · Jan 18, 2017, 2:45 PM

This question morphed, so as not to have two threads on the same topic…. I've answered here.

https://forum.pfsense.org/index.php?topic=124074.msg685263#msg685263

The key message of this thread for anyone is:

Use the shell and look at pfctl -vvsr output.

doktornotor · Jan 18, 2017, 7:53 PM

Yeah, the key answer to this thread is - add your own rule to block IPv6 as already told zillion times. Done. Move on. Nothing else. 1 minute. Done.