Relating Error Message back to the GUI

guardian

Can someone please tell me… if I see something like this in the firewall logs

Jan 14 02:53:13 LAN Default Block (1483693418) 192.168.1.10:33732 127.0.0.1:8443 TCP:S

What does the number (1483693418)  mean?

Can I used the shell to look in some file that will give me a hint as to what is causing the item to be blocked?

Any suggestions would me much appreciated.

KOM

The hint is that it's the default block on LAN.  Normally LAN has no rules other than an Allow Any for All which gives full access from LAN.  Have you modified the default LAN rules?

guardian

Thanks…. that makes sense... got it figured out.

What does the number (1483693418) refer to? 
Is it useful for troubleshooting?

doktornotor

@guardian:

What does the number (1483693418) refer to? 
Is it useful for troubleshooting?

That's a unique tracker ID. Each rule has one, look at pfctl -vvsr output.

Pippin

I would think that is a Unix time stamp, so yeah it`s unique ;)
1483693418 = Fri, 06 Jan 2017 09:03:38 GMT

kpa

@Pippin:

I would think that is a Unix time stamp, so yeah it`s unique ;)
1483693418 = Fri, 06 Jan 2017 09:03:38 GMT

This assuming you can't create two rules within one second :P Hopefully the rule creation system is aware of this…

guardian

Thanks very much everyone for the replies…. and special thank to doktornotor for look at pfctl -vvsr output.

That really helps a lot, I can clearly see what is going on.

I have IPv6 turned off, but this rule:

@5(1000000003) block drop in log quick inet6 all label "Block all IPv6"
  [ Evaluations: 58461    Packets: 4893      Bytes: 1025925    States: 0    ]

is filling my log up with hundreds of lines of:
Jan 17 17:36:49 WAN Block all IPv6 (1000000003) [fe80::2fc:8dff:fe24:8b32] [ff02::1] ICMPv6

and it's above all the rules created by the GUI.  Is there any way for me to get rid of these things?

KOM

Is there any way for me to get rid of these things?

Add or edit your IPv6 block rule and set it to not log.

guardian

@KOM:

Is there any way for me to get rid of these things?

Add or edit your IPv6 block rule and set it to not log.

Where would I edit this rule?  It is auto generated by the firewall, and @5(1000000003) it is way up the chain above the user generated rules.

At least using pfctl -vvsr lets me see what is REALLY going on.  I love the GUI, but sometimes there is nothing better than a good old fashioned terminal - as long as you know what to do with it (which can be a huge challenge).

doktornotor

Add your OWN rule there to block any IPv6 WITHOUT logging. ZOMG.

guardian

This question morphed, so as not to have two threads on the same topic…. I've answered here.

https://forum.pfsense.org/index.php?topic=124074.msg685263#msg685263

The key message of this thread for anyone is:

Use the shell and look at pfctl -vvsr output.

doktornotor

Yeah, the key answer to this thread is - add your own rule to block IPv6 as already told zillion times. Done. Move on. Nothing else. 1 minute. Done.