Netgate Discussion Forum

    assist in finding matching rule

    General pfSense Questions
    8 Posts 3 Posters 384 Views
    michmoor LAYER 8 Rebel Alliance

      Can't believe I'm needing help with this, but I assume this is a basic oversight on my behalf.

      I have a large rule base for an interface and I'm debugging a policy routing issue. I don't see my traffic matching a security rule, and most of the rules are not logging.
      Is there a way to see in the GUI which rule a flow is currently matching? If so, how?

      Secondly, is there a way to nest aliases into each other?
      For example, I have a port alias called 'Web Ports' which contains various port numbers.
      I have a separate alias that I would like to nest inside 'Web Ports', but when I do that a traffic flow doesn't matter. Is this possible?

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      Gertjan @michmoor

        @michmoor said in assist in finding matching rule:

        Secondly, is there a way to nest aliases into each other.

        This: Nesting Aliases?

        @michmoor said in assist in finding matching rule:

        Is there a way to see in the GUI which rule a flow is currently matching? If so, how?

        Real time?
        That's already difficult to do on the command line (IMHO).

        This works:
        [image: 1d33eecc-658a-4482-a620-7ad9537e05f0-image.png]

        to see some info.
        Next best: I packet capture.
        Or I make a rule log, and tail the firewall log file, using grep to show only the interaction of the rule I'm interested in.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        michmoor LAYER 8 Rebel Alliance @Gertjan

          @Gertjan I just need to know which rule is matching. Connectivity is working.
          A large portion of the rule base isn't set to log, so I was wondering if there was some alternate way to see which flows are being matched by which security rule.

          Nesting aliases is pretty common actually. If I have multiple aliases, there are times when there is a need to combine all those aliases under one. Just curious if pfSense can perform this function.

          Gertjan @michmoor

            @michmoor
            Have you seen the console (SSH!!) option 9: pfTop?

            michmoor LAYER 8 Rebel Alliance @Gertjan

              @Gertjan pfTop doesn't show which rule is matching for a flow. It only shows active connections.

              stephenw10 Netgate Administrator

                If there is a state open you can see which rule number opened that state and then look at the rule list to find out what that is.

                That's something I would usually do at the CLI though.

                For example:

                [admin@5100.stevew.lan]/tmp: pfctl -vss | grep -A 2 8.8.8.8
                pppoe0 icmp 86.191.93.126:11757 -> 8.8.8.8:8       0:0
                   age 00:01:48, expires in 00:00:10, 108:108 pkts, 9072:9072 bytes, rule 89, allow-opts
                pppoe0 udp 127.0.0.1:30721 -> 202.12.27.33:53       SINGLE:NO_TRAFFIC
                [admin@5100.stevew.lan]/tmp: pfctl -vvsr | grep '@89 '
                @89 pass out inet all flags S/SA keep state (if-bound) allow-opts label "let out anything IPv4 from firewall host itself" ridentifier 1000012025
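The two commands above are a manual two-step lookup: read the `rule N` field from the verbose state entry, then find the `@N` line in the loaded ruleset, whose label is the GUI rule description. The script below is an added example (not code from the thread or from pfSense) that chains those steps so one call goes from a host address to the rule text. The function names `rules_for_host`, `rule_line` and `match_rules` are my own; the sample input is constructed from the output shown above, with the second state's detail line and the `@12` rule invented so that both states carry a rule number. Rule numbers are positions in the currently loaded ruleset and shift when the ruleset is reloaded, so take both snapshots at the same time.

```shell
#!/bin/sh
# Added example: chain `pfctl -vss` (states) and `pfctl -vvsr` (rules) so a
# host address resolves to the rule line that opened its state(s).

# Read `pfctl -vss` output on stdin and print the rule number of every state
# whose header line contains $1 (substring match, like the grep in the thread).
# pfctl prints one header line per state (iface proto src -> dst ...) followed
# by indented detail lines, one of which carries "rule N".
rules_for_host() {
    awk -v host="$1" '
        /^[^[:space:]]/ { hdr = $0; next }                # state header line
        index(hdr, host) && match($0, /rule [0-9]+/) {     # its detail line with "rule N"
            print substr($0, RSTART + 5, RLENGTH - 5)
        }'
}

# Read `pfctl -vvsr` output on stdin and print the rule whose number is $1.
# The "@N pass ..." line carries the label, which is the GUI rule description.
rule_line() {
    grep "^@$1 "
}

# $1 = states text, $2 = rules text, $3 = host: print each matching rule once.
match_rules() {
    printf '%s\n' "$1" | rules_for_host "$3" | sort -u | while read -r n; do
        printf '%s\n' "$2" | rule_line "$n"
    done
}

# Constructed sample input modelled on the thread's output. The udp state's
# detail line and the @12 rule are invented for the example.
SAMPLE_STATES='pppoe0 icmp 86.191.93.126:11757 -> 8.8.8.8:8       0:0
   age 00:01:48, expires in 00:00:10, 108:108 pkts, 9072:9072 bytes, rule 89, allow-opts
pppoe0 udp 127.0.0.1:30721 -> 202.12.27.33:53       SINGLE:NO_TRAFFIC
   age 00:00:02, expires in 00:00:28, 1:0 pkts, 60:0 bytes, rule 12'

SAMPLE_RULES='@12 pass out quick inet proto udp from 127.0.0.1 to any port = 53 keep state label "resolver out" ridentifier 1000000101
@89 pass out inet all flags S/SA keep state (if-bound) allow-opts label "let out anything IPv4 from firewall host itself" ridentifier 1000012025'

# Live use on the firewall (root shell), same two commands as in the thread:
#   match_rules "$(pfctl -vss)" "$(pfctl -vvsr)" 8.8.8.8
match_rules "$SAMPLE_STATES" "$SAMPLE_RULES" 8.8.8.8
```

Because the host check is a plain substring match, `8.8.8.8` also matches `18.8.8.8`; wrap the address in `rules_for_host` with a stricter pattern if that matters on your ruleset. The live invocation only needs root on the pfSense shell, so it is a read-only check that can be run while the flow is active.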
                
                michmoor LAYER 8 Rebel Alliance @stephenw10

                  @stephenw10 Copy that, thanks.
                  Probably would be low on the priority list, but is this something that could be implemented in the GUI?

                  stephenw10 Netgate Administrator

                    You can sort of do it using the pftop state and rules views but you don't get the rule description (label). The label view doesn't really help.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.