PfSense logging source, destination and direction
-
Using pfSense version 2.3.4-RELEASE-p1, I have remote syslog enabled and sometimes I get entries where the destination is external somewhere on the internet but the direction is showing as "in", where my expectation is that it would show out.
Here is an example:
<134>Oct 26 12:19:19 filterlog: 5,16777216,,1000000103,hn1,match,block,in,4,0x0,,64,60937,0,DF,6,tcp,60,172.16.0.2,162.208.119.40,41265,443,0,S,876803581,,65228,,mss;nop;wscale;sackOK;TS
In the above case the source was 172.16.0.2 which is my internal IP.
The destination was 162.208.119.40 which is external.
But the direction was "in" ?
My question is how can that be possible if source is internal destination is external but direction "in" ?
-
I did a fresh install of version 2.4.1 and I still see the same thing, if anyone has an idea of what is going on I'd like to hear your thoughts.
-
What interface is hn1?
-
hn1 is the LAN with IP 172.16.0.1.
-
My question is how can that be possible if source is internal destination is external but direction "in" ?
Because that is from the perspective of the interface the traffic arrived on. So IN on LAN is traffic from LAN hosts. OUT on LAN is traffic from somewhere else going out the LAN interface.
-
That makes sense now that you say it, hmm, I suppose I can just ignore those as real "in" traffic as it is coming from the LAN network. Thanks for the clarification.