black arrow in the logs in interface column



  • Hi guys,
    hopefully someone can explain to me what I'm seeing in my logs. Please see the added picture for topology explanation.
    topology.jpeg
    For example:
    I have a rule on every interface to allow ICMP. For easy implementation I have an allow any rule on the bottom which is logging at the moment. When I ping now from the 172.16.1.0/24 subnet to the 192.168.10.0/24 subnet the ping works. But it is logged by the allow any rule and a black arrow is added to the outbound interface name. The source in the logs is an IP of the 172.16.1.0/24 and the destination an IP of the 192.168.10.0/24.
    I found out that all packets which have this black sign are either TCP:SEC, UDP/161 or ICMP.
    I do not understand what pfSense means by TCP:SEC, and I could not find it in any documentation. UDP/161 is for SNMP, which is correct because an SNMP server is located in the 172.16.1.0/24 to monitor some IoT devices, and ICMP of course is ping.

    But what does the black arrow mean?
    Why does the ping hit the allow any rule at the bottom and not the ICMP rule at the top (no floating rules, because I know floating is last match wins)?
    I'm a little concerned what happens when I delete the allow any rule.

    Thanks for your help in advance.

