How to interpret firewall log
-
Hi, I am sending the pfSense firewall log to a remote syslog server (Kiwi Syslog Server).
pfSense is blocking remote desktop sessions and I cannot figure out which is the blocking rule.
The firewall log shows the following lines:
Apr 23 21:44:15 pf: 172.16.1.14.55284 > 192.168.1.3.3389: Flags ~~, cksum 0x1f44 (correct), seq 1925015941, win 8192, options [mss 1352,nop,wscale 2,nop,nop,sackOK], length 0
2015-04-23 21:49:50 Local0.Info 192.168.1.254 Apr 23 21:44:15 pf: 00:00:00.023383 rule 3/0(match): block in on rl0: (hlim 1, next-header UDP (17) payload length: 34) fe80::ad2c:f2ad:1d32:1661.59299 > ff02::1:3.5355: [udp sum ok] UDP, length 26
2015-04-23 21:49:50 Local0.Info 192.168.1.254 Apr 23 21:44:15 pf: 00:00:00.000022 rule 3/0(match): block in on rl1: (hlim 1, next-header UDP (17) payload length: 34) fe80::ad2c:f2ad:1d32:1661.59299 > ff02::1:3.5355: [udp sum ok] UDP, length 26
2015-04-23 21:49:50 Local0.Info 192.168.1.254 Apr 23 21:44:15 pf: 00:00:00.000102 rule 99/0(match): pass in on rl0: (tos 0x0, ttl 1, id 18698, offset 0, flags [none], proto UDP (17), length 54).
As you can see, rule 3/0 is blocking packets on interfaces rl1 and rl0.
What is the relationship between rule 3/0 and those defined in pfSense's firewall rules GUI?
Attached is the screen capture image of the rules. Remote desktop traffic would be allowed from 172.16.1.0 to the LAN interface.
Can you help me identify which GUI rule is associated with rule 3/0?
Thanks in advance.
~~ -
What interface are those rules on? And can we see the full set of rules? And a screenshot of your firewall log vs. that text would be much easier to read.
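
An added example, not part of either post: a small Python parser for the log layout quoted in the first post. It groups destination ports by rule number, action and interface, and lists flows to a given port whose line carries no rule header. The function names are hypothetical, and the regexes assume only the layout visible in the four quoted lines.

```python
import re
from collections import defaultdict

# Lines copied from the excerpt in the first post.
SAMPLE = [
    "Apr 23 21:44:15 pf: 172.16.1.14.55284 > 192.168.1.3.3389: Flags ~~, cksum 0x1f44 (correct), seq 1925015941, win 8192, options [mss 1352,nop,wscale 2,nop,nop,sackOK], length 0",
    "2015-04-23 21:49:50 Local0.Info 192.168.1.254 Apr 23 21:44:15 pf: 00:00:00.023383 rule 3/0(match): block in on rl0: (hlim 1, next-header UDP (17) payload length: 34) fe80::ad2c:f2ad:1d32:1661.59299 > ff02::1:3.5355: [udp sum ok] UDP, length 26",
    "2015-04-23 21:49:50 Local0.Info 192.168.1.254 Apr 23 21:44:15 pf: 00:00:00.000022 rule 3/0(match): block in on rl1: (hlim 1, next-header UDP (17) payload length: 34) fe80::ad2c:f2ad:1d32:1661.59299 > ff02::1:3.5355: [udp sum ok] UDP, length 26",
    "2015-04-23 21:49:50 Local0.Info 192.168.1.254 Apr 23 21:44:15 pf: 00:00:00.000102 rule 99/0(match): pass in on rl0: (tos 0x0, ttl 1, id 18698, offset 0, flags [none], proto UDP (17), length 54).",
]

# "rule 3/0(match): block in on rl0:" -> rule number, action, direction, interface
HEADER = re.compile(r"rule (\d+)/(\d+)\((\w+)\): (block|pass) (in|out) on (\w+):")
# "addr.port > addr.port:" works for both the IPv4 and IPv6 endpoints in the excerpt
FLOW = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+):")

FIELDS = ("rule", "action", "direction", "iface", "src", "sport", "dst", "dport")


def parse_line(line):
    """Return the rule header and flow fields found on one line (None where absent)."""
    rec = dict.fromkeys(FIELDS)
    h = HEADER.search(line)
    if h:
        rec.update(rule=int(h.group(1)), action=h.group(4),
                   direction=h.group(5), iface=h.group(6))
    f = FLOW.search(line)
    if f:
        rec.update(src=f.group(1), sport=int(f.group(2)),
                   dst=f.group(3), dport=int(f.group(4)))
    return rec


def ports_by_rule(lines):
    """Map (rule, action, iface) -> set of destination ports logged with that header."""
    out = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec["rule"] is not None and rec["dport"] is not None:
            out[(rec["rule"], rec["action"], rec["iface"])].add(rec["dport"])
    return dict(out)


def unattributed(lines, dport):
    """Flows to dport whose line has no rule header, so no rule can be read from it."""
    return [r for r in map(parse_line, lines)
            if r["dport"] == dport and r["rule"] is None]
```

Run over the four quoted lines, `ports_by_rule(SAMPLE)` shows the rule 3 block entries carrying destination port 5355, and `unattributed(SAMPLE, 3389)` returns the one port 3389 line, which has no rule header on it.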