Firewall Debugging - Step Through
-
Hi,
Is there any way to trace or "step through" as packets traverse the firewall rules for debugging purposes? For instance, if I have 5 firewall rules for traffic going from LAN1 to LAN2 and I wanted to watch the traffic going through each of the rules to see how the firewall dispositioned each rule for those packets (i.e., pass, block, reject, etc.). Thank you.
-
Technically: yes.
Practically: no. You'll be needing a debug version of the kernel, for starters, as you will be tracing the instructions that handle the data, so you can see what filtering is really about.
What about making each firewall rule log? The log file will be huge, of course.
-
In addition to what @Gertjan noted, many folks who are new to firewalls don't understand that in the default behavior not all rules are evaluated for a packet. The packet is compared to rules starting with the very first rule in the list. The first rule encountered that matches a packet results in that rule executing, either blocking or passing the packet, and then nothing else happens to that packet. It is not evaluated against the other rules. The first matching rule wins.
The only exception to the above is Floating Rules, which can have a "match" option for tagging packets. In that case, the packet is compared to each Floating Rule, and the "last match" wins. More details on Floating Rules are in the documentation here: https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html.
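The following is an added example, not code from the thread or from pfSense. It is a small Python simulator of the two evaluation orders described in the last reply (interface rules where the first match wins, floating "match" rules where every rule is compared and the last match wins), with the per-rule trace output that the original question asked for and that Gertjan's "log on every rule" suggestion would approximate. The rule names, addresses, ports and tags are constructed for the demonstration, and the model is deliberately simplified: it ignores state tables, direction, anchors and the "quick" keyword, and assumes every interface rule stops evaluation on match, as pfSense interface rules do.

```python
"""Toy tracer for pfSense-style rule evaluation (added example, not pfSense code).

Models the two behaviours described in the thread:
  * interface rules are compared top to bottom; the first match decides the
    packet and nothing below it is ever looked at;
  * floating "match" rules are all compared; the last match wins (its tag
    sticks) and they do not by themselves pass or block anything.
All rule names, addresses, ports and tags are constructed for this demo.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet enters on, e.g. "LAN1"
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                  # "pass" | "block" | "reject" | "match"
    iface: str = "any"
    proto: str = "any"
    src: str = "any"             # address or CIDR, or "any"
    dst: str = "any"
    dport: Optional[int] = None  # None means any port
    log: bool = False
    tag: Optional[str] = None    # only used by floating "match" rules

    def matches(self, pkt: Packet) -> bool:
        def in_net(net: str, addr: str) -> bool:
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
        return (self.iface in ("any", pkt.iface)
                and self.proto in ("any", pkt.proto)
                and in_net(self.src, pkt.src)
                and in_net(self.dst, pkt.dst)
                and self.dport in (None, pkt.dport))


@dataclass
class Decision:
    action: str
    tag: Optional[str]
    evaluated: List[str] = field(default_factory=list)  # interface rules actually compared
    trace: List[str] = field(default_factory=list)      # human-readable step-through


def trace_packet(pkt: Packet, floating: List[Rule], rules: List[Rule], default: str = "block") -> Decision:
    d = Decision(action=default, tag=None)
    # Floating match rules: every one is compared, the tag of the last match sticks.
    for r in floating:
        hit = r.matches(pkt)
        d.trace.append(f"floating {r.name}: {'match' if hit else 'no match'}")
        if hit:
            d.tag = r.tag
    # Interface rules: the first match decides; the remaining rules are never compared.
    for i, r in enumerate(rules):
        d.evaluated.append(r.name)
        if not r.matches(pkt):
            d.trace.append(f"{pkt.iface} {r.name}: no match, next rule")
            continue
        d.trace.append(f"{pkt.iface} {r.name}: match -> {r.action}" + (", logged" if r.log else ""))
        skipped = [s.name for s in rules[i + 1:]]
        if skipped:
            d.trace.append(f"  not evaluated: {', '.join(skipped)}")
        d.action = r.action
        return d
    d.trace.append(f"no {pkt.iface} rule matched -> default {default}")
    return d


# Constructed LAN1 -> LAN2 ruleset with five rules, as in the original question.
FLOATING = [
    Rule("F1 tag web server", "match", dst="10.0.2.10/32", tag="WEBSRV"),
    Rule("F2 tag all LAN2", "match", dst="10.0.2.0/24", tag="LAN2"),
]
LAN1_RULES = [
    Rule("R1", "pass", iface="LAN1", proto="tcp", dst="10.0.2.10/32", dport=443, log=True),
    Rule("R2", "block", iface="LAN1", src="10.0.1.50/32", log=True),
    Rule("R3", "pass", iface="LAN1", proto="tcp", dst="10.0.2.0/24", dport=22),
    Rule("R4", "reject", iface="LAN1", proto="udp", dst="10.0.2.0/24", dport=53),
    Rule("R5", "pass", iface="LAN1", dst="10.0.2.0/24"),
]

if __name__ == "__main__":
    samples = [
        Packet("LAN1", "tcp", "10.0.1.20", "10.0.2.10", 443),  # R1 passes; R2-R5 never seen
        Packet("LAN1", "tcp", "10.0.1.50", "10.0.2.10", 443),  # R1 passes the host R2 meant to block
        Packet("LAN1", "tcp", "10.0.1.50", "10.0.2.20", 22),   # R2 blocks before R3 is reached
        Packet("LAN1", "udp", "10.0.1.20", "10.0.2.20", 53),   # falls through to R4
        Packet("LAN1", "tcp", "10.0.1.20", "10.0.3.5", 80),    # nothing matches: default block
    ]
    for p in samples:
        d = trace_packet(p, FLOATING, LAN1_RULES)
        print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}  =>  {d.action} (tag={d.tag})")
        for line in d.trace:
            print("   ", line)
```

The second sample packet is the one worth studying: the block for 10.0.1.50 in R2 never fires for HTTPS to the web server, because R1 matches first and evaluation stops. That is exactly the class of mistake the "first matching rule wins" explanation is warning about, and it is only visible when you can see which rules were compared and which were skipped.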