What does the '@' in '@184 blocks …' mean in firewall system logs?



  • Hi,

    I'm guessing it means one of the rules stated in the fw rules.
    But how do I know which one is which when it says something
    like that? @xx

    I'm using pfsense v1.0

    Cheers,



  • Guess you are talking about the raw filter logs. Have a look at /tmp/rules.debug (either diagnostics>edit file or diagnostics>command, download file) to see the rule file that is generated by the webgui and loaded into the filter. Another option would be to switch to non-raw filter logs and click the small icon in front of the line. It will tell you which rule triggered the event.

    Btw, you should upgrade to 1.0.1. 1.0 had a really annoying bug where rules sometimes were not reloaded.



  • If you add a description to your rules (as all good fw admins should) you will get the desc. displayed also. This is in non-raw mode…



  • @sai:

    If you add a description to your rules (as all good fw admins should) you will get the desc. displayed also. This is in non-raw mode…

    Hi, yes … that's what I thought (good description for all)

    The exact msg that I'm getting is like the following:

    =======
    The rule that triggered this action :
    @188 block drop in log quick all label 'Default block all just to be sure'

    I thought I could find the rule that says the description in quotes
    ('Default block all just to be sure') and work my way from there.
    But I've checked all the firewall rules on all interfaces and couldn't
    find anything that has this description.

    By 'Default block', is there some sort of setting somewhere that might
    explain this?

    Oh and btw, it's version 1.0.1; I misread it.

    Thanks



  • The default block is the rule that is at the end of the firewall rules on all interfaces. If no other rule matches before reaching this rule, the packet gets dropped. Like I already said, have a look at /tmp/rules.debug if you want to debug raw filter logs.



  • Hello,

    I have the latest embedded version running on a Soekris box and when I am installing from port on my FreeBSD box I see in the firewall logs LAN pass actions which, from the IP and port numbers, I presume are ftp connections. I don't have logging set on the LAN side. Also, the block rules are commented e.g. @188 block drop in log quick all label 'Default block all just to be sure' however the pass rule pop-up displays the text "The rule that triggered this action is:" then nothing. I checked the file you mentioned "/tmp/rules.debug" however don't see anything I could recognise as logging LAN side ftp stuff.

    thanks



  • This is created by the ftp proxy which adds dynamically needed rules for ftp traffic. These rules do log by default.



  • The number is the line number which refers to the rule in /tmp/rules.debug.
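
Added example, not part of the thread: a small sh script that resolves the `@N` numbers from filter log lines to rule text, assuming a rule listing in the `@N rule text` shape quoted above. The rule listing, the log lines and the `rule N/0(match)` log field are constructed sample data; `rule_for` and `tally_hits` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Rule listing in the "@N rule text" shape quoted in the thread
# (`pfctl -vvsr` prints the loaded ruleset in this shape).
RULES=$(cat <<'EOF'
@18 pass in quick on fxp0 proto tcp from any to any port = 22 keep state label "allow ssh"
@187 pass out quick on fxp1 all keep state label "let out anything from firewall host itself"
@188 block drop in log quick all label "Default block all just to be sure"
EOF
)

# Constructed raw filter log lines; the "rule N/0(match)" field is an assumed format.
LOGS=$(cat <<'EOF'
Jan 12 10:01:02 pf: rule 188/0(match): block in on fxp0: 203.0.113.9.4432 > 192.0.2.1.23: S
Jan 12 10:01:07 pf: rule 18/0(match): pass in on fxp0: 198.51.100.4.5121 > 192.0.2.1.22: S
Jan 12 10:01:09 pf: rule 188/0(match): block in on fxp0: 203.0.113.9.4433 > 192.0.2.1.23: S
EOF
)

# rule_for N: print the rule text for exactly @N (a plain grep for "@18"
# would also hit @187 and @188). Returns non-zero if N is not listed.
rule_for() {
    printf '%s\n' "$RULES" |
    awk -v n="@$1" '$1 == n { sub(/^@[0-9]+ /, ""); print; found = 1 }
        END { exit !found }'
}

# tally_hits: count log lines per rule number, then attach the rule text,
# so the noisiest rules (often the default block) stand out.
tally_hits() {
    printf '%s\n' "$LOGS" |
    sed -n 's/.* rule \([0-9][0-9]*\)\/.*/\1/p' | sort -n | uniq -c |
    while read -r count num; do
        printf '@%s (%s hits): %s\n' "$num" "$count" \
            "$(rule_for "$num" || echo '(not in listing)')"
    done
}

tally_hits
```
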

