How to know which rule a syslog entry is referring to?

jobsoft

I know this is probably written down somewhere, and, I realize it is probably a FreeBSD-level thing, but, how can I pinpoint which rule an entry in syslog from pfsense/pf is referring to:

Feb  3 11:32:49 fastgate pf: 000277 rule 880/0(match): block in on xl2:

Ie, how can I know what "880/0" is referring to?

Thanks,

Mark

hoba

Either use the webgui to view status>systemlogs, firewall. Clicking the icon in front of the line will tell you which rule caused the block including description of the rule. If you need to remotely resolve syslogs to the appropriate rule you need a copy of /tmp/rules.debug from the time the logging took place. You can grab it at either at diagnostics>command and download it or view it at diagnostics>edit file. As pfSense regenerates the rules.debug on changes or when needed (e.g. WAN IP changes, loadbalancer status changes, …) it might not make sense checking an old logged event against a new rules.debug.

jobsoft

I follow you on the dynamic nature of /tmp/rules.debug, but, assuming the current pfsense "instance" (when the current /tmp/rules.debug is in play), what (and/or what line) in /tmp/rules.debug is "880/0" pointing/referring to so that I, knowing only "880/0", would know the rule "880/0" is referencing???  I assume that "880/0" must mean something or it would not be in the log entry.

jobsoft

I am going to answer my own query!  :-)

I found this info elsewhere and thought it may be useful here.

There are a couple of ways.  Both ways are from the FreeBSD shell prompt.

pfctl -vvs rules

will generate a list to STDOUT

pftop -v rules

is an interactive (PgUp/PgDown) way of scrolling through the same set.

I would be useful (I think) to incorporate this under Diagnostics in the future as it can be real handy to be able to correlate precisely what rule in the raw logging output a particular match occurred on.  I do syslog to another syslog server.

FWIW

Mark

@jobsoft:

I follow you on the dynamic nature of /tmp/rules.debug, but, assuming the current pfsense "instance" (when the current /tmp/rules.debug is in play), what (and/or what line) in /tmp/rules.debug is "880/0" pointing/referring to so that I, knowing only "880/0", would know the rule "880/0" is referencing???  I assume that "880/0" must mean something or it would not be in the log entry.

jobsoft

One additional mod to the pfctl form:

If you want to quickly pull out a single rule:

pfctl -vvs rules | grep "^@ <rulenum>"</rulenum>

Where is the rule number you are seeking.  The space before my closing double quote was on purpose to terminate the pattern so that ONLY the rule number being sought is returned.  Otherwise, the above might also match some other rule number that started off with the rule number you are seeking.  Ie, '77' and '77x' (x = 0 thru 9) would all match.