Log entry question

  • I wrote something to parse the firewall logs that are saved to my syslog server. I am in the process of going through the logs, hopefully on a regular basis. One type of entry I have a question on. The entries are from the 'LAN' interface where the action is 'pass' and the direction of traffic is 'in'. The source IP addresses are machines on my internal network and the destination IPs are external to my network. I would think IN traffic on the LAN interface would have the destination IPs of the machines on my internal network instead of the source IPs. Is this response traffic from the machines on my internal network already sent out? I went through the Filter_Log_Format_for_pfSense_2.2 page to get the fields, but it didn't do anything for understanding how to interpret the data. Any ideas?

  • Rebel Alliance Developer Netgate

    The direction of traffic is from the perspective of the firewall itself. You seem to have that backwards. It's leaving your LAN but that does not make it outbound from the firewall to the LAN, it's inbound from the LAN to the firewall.

    For example, traffic leaving local systems going to the Internet comes IN to the firewall on the LAN interface and exits OUT of the firewall on the WAN interface.

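As an added illustration of the answer above (my own example, not code from the question author or from pfSense), here is a small parser for filterlog lines as they arrive on a syslog server, with the direction spelled out from the firewall's point of view. The CSV field order follows the pfSense 2.2 filterlog documentation as I understand it, and the sample lines, the interface-name map (em1 = LAN, em0 = WAN) and the LAN subnet are all constructed for the example. The sanity check encodes the point of the answer: on LAN with direction 'in', the source address should be a LAN host, so an entry where it is not is worth a second look.

```python
"""Parse pfSense 2.2-style filterlog entries from a syslog file and describe each
entry's direction relative to the firewall itself (added example, not pfSense code)."""
import ipaddress
import re
from typing import Dict, List, Optional

# Syslog prefix as written by a typical syslog server: "<Mon> <day> <time> <host> filterlog: <csv>"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+[\d:]{8}\s+(\S+)\s+filterlog(?:\[\d+\])?:\s+(.*)$"
)

# Assumed field order (pfSense 2.2 filterlog docs, as I recall them).
HEAD = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]
IPV6 = ["class", "flow", "hoplimit", "proto", "proto_id"]
ADDR = ["length", "src", "dst"]
PORTS = ["sport", "dport"]

# Constructed for this example: map real interface names to their pfSense role,
# and state which subnet sits behind LAN so the sanity check can compare against it.
IFACE_NAMES = {"em1": "LAN", "em0": "WAN"}
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines (not real traffic). The first is the case from the question:
# LAN interface, action pass, direction in, internal source, external destination.
SAMPLE_LINES = [
    "Mar  3 10:15:01 pfSense filterlog: 5,,,1000000103,em1,match,pass,in,4,0x0,,64,23456,0,DF,6,tcp,"
    "60,192.168.1.10,203.0.113.5,51234,443,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale",
    "Mar  3 10:15:02 pfSense filterlog: 9,,,1000000107,em0,match,block,in,4,0x0,,52,1234,0,none,17,udp,"
    "40,198.51.100.7,203.0.113.20,44444,53,20",
    "Mar  3 10:15:03 pfSense filterlog: 5,,,1000000103,em1,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,"
    "60,10.9.9.9,203.0.113.5,40000,80,0,S,1,,65535,,",
]


def parse_filterlog(line: str) -> Optional[Dict[str, str]]:
    """Return a dict of named fields, or None if the line is not a filterlog entry."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    host, csv = m.groups()
    fields = csv.split(",")
    rec = dict(zip(HEAD, fields[: len(HEAD)]))
    rest = fields[len(HEAD):]
    layer = IPV4 if rec.get("ipver") == "4" else IPV6   # IP-version-specific block
    rec.update(zip(layer, rest[: len(layer)]))
    rest = rest[len(layer):]
    rec.update(zip(ADDR, rest[: len(ADDR)]))
    rest = rest[len(ADDR):]
    if rec.get("proto") in ("tcp", "udp"):               # ports exist only for tcp/udp
        rec.update(zip(PORTS, rest[: len(PORTS)]))
    rec["host"] = host
    rec["iface_name"] = IFACE_NAMES.get(rec.get("iface", ""), rec.get("iface", ""))
    return rec


def describe_flow(rec: Dict[str, str]) -> str:
    """Direction is relative to the firewall: 'in' on LAN is a packet arriving from a
    LAN host, not a packet on its way to the LAN."""
    name = rec["iface_name"]
    pair = f"{rec['src']} -> {rec['dst']}"
    if rec["direction"] == "in":
        return f"entered the firewall from the {name} side ({pair})"
    return f"left the firewall towards the {name} side ({pair})"


def sanity_check(rec: Dict[str, str]) -> List[str]:
    """On LAN-in the source should be a LAN address; on LAN-out the destination should be.
    Anything else is either a mis-set subnet here or traffic worth investigating."""
    issues: List[str] = []
    if rec["iface_name"] != "LAN":
        return issues
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if rec["direction"] == "in" and src not in LAN_NET:
        issues.append(f"LAN-in packet with non-LAN source {src}")
    if rec["direction"] == "out" and dst not in LAN_NET:
        issues.append(f"LAN-out packet with non-LAN destination {dst}")
    return issues


def summarize(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every filterlog line and attach the human-readable direction and any issues."""
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None:
            continue
        out.append({"record": rec, "flow": describe_flow(rec), "issues": sanity_check(rec)})
    return out


if __name__ == "__main__":
    for item in summarize(SAMPLE_LINES):
        r = item["record"]
        print(f"{r['iface_name']:>3} {r['action']:>5} {r['direction']:>3}  {item['flow']}")
        for issue in item["issues"]:
            print(f"    ! {issue}")
```

Running it prints one line per entry; the question's LAN/pass/in entry comes out as "entered the firewall from the LAN side (192.168.1.10 -> 203.0.113.5)", which is exactly the outbound-from-the-LAN-host case the answer describes, while the third sample (a LAN-in packet whose source is not in the LAN subnet) is flagged by the sanity check.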