Purpose of tracker on pfsense config rules

  • Hi,

    I sometimes manually edit pfsense xml config files directly as it is much quicker than doing so via GUI. I noticed that new config file rules have something called tracker, which is essentially a unix time stamp. Where is this used, does it have to be unique, does it determine rule order?

    The nat rules have something called associated-rule-id which is just a php uniqid and it has to match the associated rules, so it's obvious what that does.


  • It's put into the ruleset for log identification purposes. Only the rule number as configured in the running ruleset was logged by pf previously, and that isn't a static number. So if you made significant enough changes to your rules and/or NAT, then go to the firewall log, it'd tell you the wrong rule or be unable to find a matching rule.

    Check the code in /etc/inc/filter.inc to ensure you're properly generating that for rules. There's a function there you could use or adapt.
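The answer above says the tracker exists so a log entry can be tied back to the rule that produced it, which only works if every rule carries one and no two rules share a value. The following is an added example (not pfSense code and not the poster's) showing both halves of that for hand-edited configs: filling in missing trackers uniquely, and resolving a filterlog line back to a rule description. The config excerpt and log lines are constructed, and the position of the tracker as the fourth comma-separated field of a filterlog line is an assumption stated in the code.

```python
import time
import xml.etree.ElementTree as ET

# Constructed pfSense config.xml excerpt (not from a real system); the last
# rule was hand-edited in and has no <tracker> yet.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><tracker>1700000000</tracker><descr>Allow LAN to any</descr></rule>
  <rule><type>block</type><tracker>1700000001</tracker><descr>Block bogons</descr></rule>
  <rule><type>block</type><descr>Hand-edited rule without tracker</descr></rule>
</filter></pfsense>"""

# Constructed filterlog-style lines (the CSV part after the syslog header).
# Assumption: the tracker is the 4th field (rulenr,subrulenr,anchor,tracker,...).
LOG_LINES = [
    "5,,,1700000001,igb0,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,44321,22",
    "9,,,1700000000,igb1,match,pass,in,4,0x0,,64,22,0,DF,17,udp,80,192.168.1.10,192.168.1.1,5353,53",
    "7,,,1699999999,igb0,match,block,in,4,0x0,,64,1,0,none,1,icmp,84,192.0.2.9,198.51.100.7",
]

def load_config(xml_text):
    """Parse config.xml text into an element tree root."""
    return ET.fromstring(xml_text)

def assign_trackers(root, now=None):
    """Give every <rule> lacking a <tracker> a unique unix-timestamp tracker.
    The log carries only the tracker, so two rules must never share a value."""
    rules = root.findall("./filter/rule")
    used = {int(r.findtext("tracker")) for r in rules if r.findtext("tracker")}
    candidate = int(time.time()) if now is None else int(now)
    assigned = []
    for rule in rules:
        if rule.findtext("tracker"):
            continue
        while candidate in used:          # step forward one second until free
            candidate += 1
        ET.SubElement(rule, "tracker").text = str(candidate)
        used.add(candidate)
        assigned.append(candidate)
    return assigned

def tracker_index(root):
    """Map tracker -> rule description, for turning log lines back into rules."""
    return {int(r.findtext("tracker")): r.findtext("descr", "")
            for r in root.findall("./filter/rule") if r.findtext("tracker")}

def resolve_log_line(line, index):
    """Rule description for a filterlog CSV line; None if the tracker is unknown."""
    fields = line.split(",")
    if len(fields) < 4 or not fields[3].isdigit():
        return None
    return index.get(int(fields[3]))
```

A lookup returning None is the case the answer describes: the log entry names a tracker that no current rule carries, for example because the rule was deleted or edited in without one after the entry was written.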
