Firewall Logs with Unavailable Matched Rule and Empty Tracker ID
-
Since upgrading from version 2.7.2 to 2.8.0, I have occasionally been seeing deny logs where the matched rule is listed as "unavailable" and Tracker ID is empty. All of these log entries are for UDP traffic on the WAN interface. I have disabled logging for all default firewall rules in the Logging Preferences, and I can confirm these logs are not related to any recently deleted rules. Is this a bug? How do I fix this?
The rule detail shows the following:
Action: block
Reason: short
Tracker ID:
Matched Rule: unavailable
Here is a screenshot of the log view:
-
That happens if the rule is no longer present in the ruleset when the log page is displayed. So commonly for old logs if it was something dynamically created like a UPnP rule or a scheduled rule.
Those look like reply traffic though so it could just be an expired state and the ruleset changed since.
-
I have the same issue. It's always on WAN with rule (), destination protocol is UDP with no port. This is happening since the latest update to 2.8.0.
The firewall was rebooted multiple times.
-
@stephenw10 wasn't there another thread with these? Notice the reason is short; I don't think those are blocked because of a specific rule, so not sure there is anything it can show for RID.
-
Yup there was. It hits that and doesn't match any rules because it's a short packet. So some invalid packets arriving at pf.
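A triage script, added here and not taken from the thread or from pfSense itself, that applies the two explanations above to raw filterlog lines: entries with reason short were dropped before any rule was consulted (so an empty tracker ID is expected), while rule blocks whose tracker ID is no longer in the loaded ruleset are the "unavailable" matched-rule case. The filterlog field order and syslog prefix are assumed from pfSense's CSV log format, and the sample lines and the set of live tracker IDs are constructed.

```python
import re
from collections import Counter

# Field order assumed from the pfSense filterlog CSV layout (not shown in the thread).
HEAD = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]

# Constructed sample lines (documentation addresses); the syslog prefix is assumed.
SAMPLE_LOG = """\
Jun  1 10:00:01 fw filterlog[123]: ,,,,vtnet0,short,block,in,4,0x0,,56,1,0,none,17,udp,40,203.0.113.5,198.51.100.9,443,54321,20
Jun  1 10:00:02 fw filterlog[123]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,2,0,DF,17,udp,60,203.0.113.6,198.51.100.9,5555,40000,40
Jun  1 10:00:03 fw filterlog[123]: 9,,,1496423250,vtnet0,match,block,in,4,0x0,,64,3,0,DF,17,udp,60,203.0.113.7,198.51.100.9,5556,40001,40
Jun  1 10:00:04 fw filterlog[123]: ,,,,vtnet0,short,block,in,4,0x0,,58,4,0,none,17,udp,40,203.0.113.5,198.51.100.9,443,54322,20
"""

def parse_line(line):
    """Split one filterlog line into named fields; None if it is not a filterlog line."""
    m = re.search(r"filterlog\[\d+\]:\s*(.*)$", line)
    if not m:
        return None
    parts = m.group(1).split(",")
    entry = dict(zip(HEAD, parts[:9]))
    if entry.get("ipver") == "4":
        entry.update(zip(IPV4, parts[9:20]))
        if entry.get("proto") in ("tcp", "udp") and len(parts) > 21:
            entry["sport"], entry["dport"] = parts[20], parts[21]
    return entry

def classify(entry, live_trackers):
    """short: pf rejected a truncated/malformed packet before any rule ran, so no
    rule number or tracker ID exists.  rule-unavailable: a rule blocked it but its
    tracker ID is no longer in the loaded ruleset (e.g. a removed UPnP/schedule rule)."""
    if entry["reason"] == "short":
        return "short"
    return "rule-present" if entry["tracker"] in live_trackers else "rule-unavailable"

def triage(log_text, live_trackers):
    """Count block entries per category and tally the sources of 'short' drops."""
    counts, short_sources = Counter(), Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["action"] != "block":
            continue
        cat = classify(e, live_trackers)
        counts[cat] += 1
        if cat == "short":
            short_sources[(e["src"], e["proto"], e.get("sport"))] += 1
    return counts, short_sources

print(triage(SAMPLE_LOG, {"1000000103"}))  # live tracker set is constructed here
```

On a real firewall, feed the actual filter log and the tracker IDs from the currently loaded ruleset; a steady stream of short drops from one source on the WAN is something to look up in the state table rather than a rule problem.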
-
@johnpoz said in Firewall Logs with Unavailable Matched Rule and Empty Tracker ID:
wasn't there another thread with these
Yes, it was me. Same situation (version and protocol).
-
@marchand.guy I am not up to speed on what the pf firewall pfSense uses does with "short" packets.. But logically if the packet is malformed in some way it's not going to be able to do anything with it, etc.
I don't recall ever seeing such entries ever.. But maybe they are only logged when you log default deny or something, which I have off.. Or maybe I have just never seen a "short".
But for sure it's not a valid packet/fragment, or why would it be labeled "short".. I would assume it most likely has to do with the scrubbing functionality.
-
@johnpoz said in Firewall Logs with Unavailable Matched Rule and Empty Tracker ID:
But maybe they are only logged when you log default deny
I have it off also. It looks to me like this version, 2.8, did a nice job of wiping many bugs, but some others seem to be popping up. Like any "new" version, I suppose.
-
@marchand.guy what we need is a better understanding of what pfSense actually means when it gives a reason of "short" - I assume it has to do with the scrubbing functionality..
Is something not working? You could try disabling scrub to see if those log messages go away.
I don't recall ever seeing such a block ever.. Since that is UDP to 443, I would assume a QUIC connection.. That IP is a China Telecom IP..
inetnum: 101.224.0.0 - 101.231.255.255
netname: CHINANET-SH
descr: CHINANET SHANGHAI PROVINCE NETWORK
descr: China Telecom
What is trying to talk to that IP? I would look in your state table to see what client is talking to that..
I don't see you ever connecting to the forums with an IPv4 address, only IPv6, and not a China Telecom IPv6 address.
-
@johnpoz In case this was not clear, the question is meant for @aarontry1