Interpreting syslog messages
Just setup my pfs to send syslog to my box and was looking through the logs as they came in.
Noticed that I needed to add a 'match this frequently seen crap' rule so that it wasn't caught by the default block rule and logged…filling up a log file on the syslog server very quickly.
So, looking at an example log entry here:
Mar 29 20:37:20 firewall pf: 27. 201521 rule 256/0(match): block in on vr0: (tos 0x20, ttl 110, id 30189, offset 0, flags [none], proto UDP (17), length 131) 22.214.171.124.57326 > 126.96.36.199.52456: UDP, length 103
How do I interpret these parts?
- pf: 27. 201521
- rule 256/0(match)
This one entry is of particular interest since I think that it should have been caught by the crap rule and therefore not logged.
The crap rule just catches anything hitting the WAN from any source using UDP on ports 50000 to 60000. From what I can tell, this one matches the requirements. So I'm left wondering why it was sent to the syslog server. (this is NOT the only instance of this…this is just one example entry)
You'll be better served to look at this log entry in the webGUI using Diagnostics -> System Log -> Firewall. From there you can mouse over the "blocked" icon and it will tell you which of your firewall rules this block matched against.