Rule name in filter.log



  • Hi all

    Is it possible to get the rule name which is blocking a connection.

    Have a look at this filter.log entry:

    
    Dec 29 01:20:17 x13 pf: 00:00:02.930278 rule 41/0(match): block in on vr2: (tos 0x0, ttl 106, id 22828, offset 0, flags [DF], proto TCP (6), length 48)
    Dec 29 01:20:17 x13 pf:     61.38.162.67.4668 > X.X.X.X.445: Flags [s], cksum 0xdb45 (correct), seq 2986860058, win 65535, options [mss 1460,nop,nop,sackOK], length 0
    
    As you can see, rule 41/0 matched. How can I show the name of the rule (to identify it)?
    
    Thanks in advance
    mki[/s]
    

  • Rebel Alliance

    Try with:

    
    pfctl -vvsr
    
    


  • I am sending my filter logs to a syslog server. Is it possible to have the rule name in the log entries?


  • Rebel Alliance Developer Netgate

    No. There is no way to embed that information in the logs directly. The rule number is all you can get, and because that can potentially change periodically, it can be tough to nail down exactly. There are many discussions about this around the forum, search a bit and you'll find them.


Locked