pfBlocker Alias log problems



  • Can anyone using pfBlocker who has it set up with Alias only and using rules (with logging packets checked in the rule) tell me if they see the Alias name in their logs when something is blocked with pfBlocker? I found an IP in the block list, pinged it and it was blocked; however, looking in the logs I see things like this without the actual alias name that is associated with it.

    Can anyone verify that they DO see the Alias name that caused the blocked attempt? I have a few lists and it'd be hard to figure out what list is blocking something without a name (I do see "rule" numbers though). I've asked in the long pfBlocker thread and was directed here. I redid the rules, reinstalled pfBlocker and am on the latest version.

    Wed May 07 17:32:33 2014: <134>May  7 17:33:14 pf:    192.168.1.10 > X.X.X.X: ICMP echo request, id 82934, seq 2, length 64
    Wed May 07 17:32:34 2014: <134>May  7 17:33:15 pf: 00:00:00.997994 rule 95/0(match): block in on em1: (tos 0x0, ttl 64, id 46074, offset 0, flags [DF], proto ICMP (1), length 84)

    Thanks


  • Moderator

    The firewall logs include Block/Reject/Pass alerts from pfBlocker and all of the other alerts from rules defined by the pfSense default rules. All of the rules can be seen by using the following command:

    pfctl -s rules -vv

    This can be run from a Shell or Diagnostics: Command Prompt.

    In System Logs settings you can configure what gets displayed in the firewall logs:

    Log packets blocked by the default rule
    Log packets blocked by 'Block Bogon Networks' rules
    Log packets blocked by 'Block Private Networks' rules



  • That rule was exactly what I needed, thanks. Now I can match up the rule number with the actual rule. One last thing though: looking in the log settings I have raw logging enabled, and most of the options enabled. Is there a way to have the logging show pfBlockerAliasName vs. something like "Rule 50"? Or is that it?


  • Moderator

    @splmachine:

    That rule was exactly what I needed, thanks. Now I can match up the rule number with the actual rule. One last thing though: looking in the log settings I have raw logging enabled, and most of the options enabled. Is there a way to have the logging show pfBlockerAliasName vs. something like "Rule 50"? Or is that it?

    Is Rule 50 one of the Default rules or a pfBlocker Rule?

    If it's a Default rule it will just show the Rule Number.

    You would most likely leave these three off, especially the first one, as you will get a lot of noise:

    Log packets blocked by the default rule
    Log packets blocked by 'Block Bogon Networks' rules
    Log packets blocked by 'Block Private Networks' rules

    One thing to remember is that if you modify a Rule, it will change the Rule numbers in the Firewall log (all will be mismatched).

    This will hopefully be fixed in 2.2.
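The lookup the moderator describes above (matching the `rule N/0(match)` number in a firewall log line to the `@N` entry in `pfctl -s rules -vv` output, which carries the rule's label and alias name) as an added example; this is not code from the thread or from pfBlocker. The log lines and `pfctl` excerpt are constructed samples, and the alias/label names are hypothetical.

```python
import re

# Constructed sample of pfSense firewall log lines (not from the original thread).
SAMPLE_LOG = """\
May  7 17:33:15 pf: 00:00:00.997994 rule 95/0(match): block in on em1: (tos 0x0, ttl 64, id 46074, offset 0, flags [DF], proto ICMP (1), length 84)
May  7 17:33:16 pf: 00:00:00.100000 rule 12/0(match): pass in on em0: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
May  7 17:33:17 pf: 00:00:00.200000 rule 7/0(match): block in on em1: (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 60)
"""

# Constructed excerpt of `pfctl -s rules -vv` output. The @N prefix is the rule
# number the log refers to; the label is the name given in the pfSense GUI.
# Alias and label names here are hypothetical.
SAMPLE_PFCTL = """\
@12 pass in quick on em0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any"
  [ Evaluations: 100       Packets: 50        Bytes: 4000        States: 1     ]
@95 block drop in log quick on em1 inet from <pfBlockerSpamhaus> to any label "USER_RULE: pfBlockerSpamhaus"
  [ Evaluations: 10        Packets: 1         Bytes: 84          States: 0     ]
"""

RULE_RE = re.compile(r'^@(\d+)\s+(.*)$')
LABEL_RE = re.compile(r'label "([^"]*)"')
LOG_RE = re.compile(r'rule (\d+)/\d+\(match\):\s+(\w+)')


def parse_rules(pfctl_text):
    """Map rule number -> label (or the rule text itself when it has no label)."""
    rules = {}
    for line in pfctl_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # skip the indented statistics lines
        num, body = int(m.group(1)), m.group(2)
        lab = LABEL_RE.search(body)
        rules[num] = lab.group(1) if lab else body
    return rules


def annotate_log(log_text, rules):
    """Return (rule number, action, name) per log line. Rule numbers are
    reassigned whenever the ruleset is reloaded, so an unknown number is
    flagged rather than silently mapped to the wrong rule."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        num, action = int(m.group(1)), m.group(2)
        out.append((num, action, rules.get(num, "UNKNOWN (ruleset changed since snapshot?)")))
    return out
```

Take the `pfctl` snapshot at the same time as the log you are reading; after any rule edit the numbers shift and the map must be rebuilt.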