How to see logs for specific firewall rule?



  • When creating a firewall rule, there's a "Log packets that are handled by this rule" checkbox.

    How can I see the logs related to that particular firewall rule?

    Thanks.



  • Screenshot 2020-03-20 at 07.22.51.png



  • Thanks for your reply. I did end up finding that, and it's helpful, but it's not what I meant. It could be workable if there was a way to filter by rule, but I don't see this in the filter UI, unless I'm blind...?



  • Most people will forward the logs via syslog to a remote server; it would appear something like this:-

    182,,,1535801592,pppoe0,match,block,in,4,0xc,,249,64183,0,none,6,tcp,40,89.248.168.223,xx.xx.xx.xx,46407,62498,0,S,2950824445,,1024,,

    The bold text is the rule number.

    You could set the rules to display as raw logs then filter on the rule number; the only issue would be the logs aren't that readable if they're set to raw.



  • Thanks @NogBadTheBad.

    For anyone else that may find this post, if you SSH to your pfSense, you can find a particular rule being applied like this:

    clog /var/log/filter.log | grep 1535801592

    I also discovered that the default log size is a minuscule 500 KB and so it was wrapping around, in my case, every 3 minutes. This was the main reason even searching in the GUI using port numbers was not finding anything. I thought I was really misunderstanding how the thing worked.
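    Added example (not from any poster in this thread): the raw filterlog line quoted above is a CSV record in pfSense's documented filterlog layout, where the first field is the rule number and the fourth is the rule's tracker ID (the value the grep above matches). The script below parses that layout, keeps only the lines for one rule, and prints them in a readable one-line form instead of raw CSV. The sample log lines are constructed here (the first CSV record is the one quoted in the thread, the others are made up, with a made-up syslog prefix of the form "... filterlog: <csv>"); the function names are the example's own.

```shell
#!/bin/sh
# Filter pfSense filterlog records by rule number or tracker ID and print a
# readable summary. Field layout (pfSense filterlog CSV, IPv4 records):
#  1=rule-number 2=sub-rule 3=anchor 4=tracker-id 5=interface 6=reason
#  7=action 8=direction 9=ip-version 10=tos 11=ecn 12=ttl 13=id 14=offset
#  15=flags 16=proto-id 17=proto 18=length 19=src 20=dst 21=sport 22=dport

# Constructed sample input in syslog form ("<timestamp> <host> filterlog: <csv>").
# First CSV record is the one quoted in the thread; the other two are made up.
SAMPLE_LOG='Mar 20 07:22:51 pfSense filterlog: 182,,,1535801592,pppoe0,match,block,in,4,0xc,,249,64183,0,none,6,tcp,40,89.248.168.223,xx.xx.xx.xx,46407,62498,0,S,2950824445,,1024,,
Mar 20 07:22:52 pfSense filterlog: 4,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,60,192.0.2.10,192.0.2.1,51234,53,40
Mar 20 07:22:53 pfSense filterlog: 182,,,1535801592,pppoe0,match,block,in,4,0x0,,52,1,0,none,6,tcp,40,203.0.113.9,xx.xx.xx.xx,40000,22,0,S,1,,1024,,'

# rule_log FIELD VALUE: read log lines on stdin, keep records whose CSV field
# FIELD equals VALUE (FIELD 1 = rule number, FIELD 4 = tracker ID) and print
# "action direction interface proto src:sport -> dst:dport" for each.
rule_log() {
    awk -F, -v fld="$1" -v want="$2" '
        { sub(/^.*filterlog: /, "") }   # drop the syslog prefix; $0 is re-split on commas
        $fld == want {
            printf "%s %s %s %s %s:%s -> %s:%s\n",
                $7, $8, $5, $17, $19, $21, $20, $22
        }'
}

# count_rule_hits FIELD VALUE: how many records in the input matched the rule.
count_rule_hits() {
    rule_log "$1" "$2" | wc -l | tr -d ' '
}

# On a live box the input would come from the log itself, e.g.
#   clog /var/log/filter.log | rule_log 4 1535801592
printf '%s\n' "$SAMPLE_LOG" | rule_log 4 1535801592
```

    Filtering on the tracker ID (field 4) is usually the better choice, since the rule number (field 1) is the position in the loaded ruleset and shifts whenever rules are added or reordered, while the tracker ID stays with the rule.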



  • @NogBadTheBad said in How to see logs for specific firewall rule?:

    Screenshot 2020-03-20 at 07.22.51.png

    Status > System Logs > Firewall > Normal View

    Your screen doesn't show the same settings as mine:

    10ea1ab4-5445-46fa-a7ea-6b043bbb7add-image.png

    Are you using the latest 2.4.4-p3 RC?



  • I am:-

    2.4.4-RELEASE-p3 (amd64) built on Thu May 16 06:01:19 EDT 2019 FreeBSD 11.2-RELEASE-p10

    Screenshot 2020-03-24 at 08.49.25.png



  • Ok, thanks.
    That should explain the difference.
    I'm using the latest pfSense RC version 2.4.5.r.20200318.1500 which will probably be (very close to) two dot four dot five.

    edit: btw: rock solid - for my usage.

