Netgate Discussion Forum

    black arrow in the logs in interface column

      m90

      Hi guys,
      hopefully someone can explain to me what I'm seeing in my logs. Please see the added picture for topology explanation.
      topology.jpeg
      For example:
      I have a rule on every interface to allow ICMP. For easy implementation I have an allow any rule on the bottom which is logging at the moment. When I ping now from the 172.16.1.0/24 subnet to the 192.168.10.0/24 subnet the ping works. But it is logged by the allow any rule and a black arrow is added to the outbound interface name. The source in the logs is an IP of the 172.16.1.0/24 and the destination an IP of the 192.168.10.0/24.
      I found out that all packets which have this black sign are either TCP:SEC, UDP/161 or ICMP.
      I do not understand what pfSense means by TCP:SEC, and I could not find it in any documentation. UDP/161 is for SNMP, which is correct because an SNMP server is located in the 172.16.1.0/24 subnet to monitor some IoT devices, and ICMP of course is ping.

      But what does the black arrow mean?
      Why does the ping hit the allow any rule at the bottom and not the ICMP rule at the top? (There are no floating rules, because I know floating is last match wins.)
      I'm a little concerned about what happens when I delete the allow any rule.

      Thanks for your help in advance.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.