Firewall rule numbers in syslog?



  • Is there a way by looking at this log to tell which rule has allowed the packet to pass?  Can this be referenced?  rule 53/0(match):  I know I can find it since I allowed port 21 to 10.10.0.14 but I was hoping there might be an easy way to reference the rules by looking at the syslog and pinpointing which rule either allowed or blocked traffic.

    2008-04-28 22:04:43 Local0.Info 10.10.0.1 Apr 28 22:04:42 pf: 20. 480571 rule 53/0(match): pass in on em0: (tos 0x0, ttl  47, id 50838, offset 0, flags [DF], proto: TCP (6), length: 64) (From IP).51474 > 10.10.0.14.21: S 2638049757:2638049757(0) win 65228 <mss 1460,nop,wscale 0,[|tcp]>

    Thanks

    Mark



  • Click the pass/block/reject icon in front of the log entry at status>systemlogs, firewall. It will tell you exactly what rule triggered that action. Another option is to download or look at /tmp/rules.debug (diagnostics>edit file or diagnostics>command, download).



  • Thanks Hoba,

    Easy to see in the gui but if I am looking at the syslog and I try to find Rule 53 in the rules.debug, there is no way to easily pinpoint which rule is allowing this to pass through.

    Thanks,

    Mark
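The "rule 53/0" field in a pf log line is the index of the rule in the loaded filter ruleset, which is the same number `pfctl -vvsr` prints as the `@53` prefix on each rule (rules.debug is the unnumbered source text, which is why it is hard to count by hand). The following is an added example, not code from the thread or from pfSense, that pulls the rule number, action, direction, interface and endpoints out of syslog lines in the format quoted above and joins them against a `pfctl -vvsr`-style ruleset dump. Both the log lines and the ruleset are constructed samples; 192.0.2.10 and 192.0.2.77 stand in for the redacted "(From IP)", and the rule text for @53 is invented to match the FTP-to-10.10.0.14 rule the thread describes. Only IPv4 addresses of the form `a.b.c.d.port` are handled.

```python
import re
from typing import Dict, Optional

# Constructed sample syslog lines in the pf/pflog format quoted in the thread.
# 192.0.2.x are documentation addresses standing in for the redacted "(From IP)".
SAMPLE_SYSLOG = """\
2008-04-28 22:04:43 Local0.Info 10.10.0.1 Apr 28 22:04:42 pf: 20. 480571 rule 53/0(match): pass in on em0: (tos 0x0, ttl 47, id 50838, offset 0, flags [DF], proto: TCP (6), length: 64) 192.0.2.10.51474 > 10.10.0.14.21: S 2638049757:2638049757(0) win 65228 <mss 1460,nop,wscale 0,[|tcp]>
2008-04-28 22:05:01 Local0.Info 10.10.0.1 Apr 28 22:05:00 pf: 18. 112233 rule 1/0(match): block in on em0: (tos 0x0, ttl 51, id 1, offset 0, flags [DF], proto: TCP (6), length: 60) 192.0.2.77.40001 > 10.10.0.14.23: S 1:1(0) win 5840 <mss 1460>
"""

# Constructed ruleset in the style of `pfctl -vvsr`. The "@N" prefix is the
# number pf reports as "rule N/..." in the log. Only three rules are shown,
# so the numbering has gaps; a real pfSense ruleset has many more entries.
SAMPLE_RULESET = """\
@0 scrub in on em0 all fragment reassemble
  [ Evaluations: 4210      Packets: 3870      Bytes: 512000     States: 0     ]
@1 block drop in log all label "Default deny rule"
  [ Evaluations: 4210      Packets: 12        Bytes: 720        States: 0     ]
@53 pass in log quick on em0 inet proto tcp from any to 10.10.0.14 port = ftp flags S/SA keep state label "USER_RULE: Allow FTP to 10.10.0.14"
  [ Evaluations: 900       Packets: 31        Bytes: 19000      States: 1     ]
"""

# Matches the pf part of the line: rule number/subrule, match reason, action,
# direction, interface, then the "src.port > dst.port:" pair after the IP header.
LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<iface>\w+): "
    r".*?length: \d+\) (?P<src>\S+) > (?P<dst>\S+):"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Return the fields of one pf syslog line, or None if it is not a pf line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    # tcpdump-style "a.b.c.d.port": the last dot separates the port (IPv4 only).
    src_ip, src_port = m.group("src").rsplit(".", 1)
    dst_ip, dst_port = m.group("dst").rsplit(".", 1)
    return {
        "rule": int(m.group("rule")),
        "subrule": int(m.group("subrule")),
        "reason": m.group("reason"),
        "action": m.group("action"),
        "direction": m.group("direction"),
        "iface": m.group("iface"),
        "src": src_ip,
        "sport": int(src_port),
        "dst": dst_ip,
        "dport": int(dst_port),
    }


def parse_ruleset(text: str) -> Dict[int, str]:
    """Map rule number -> rule text from `pfctl -vvsr` output (counter lines are skipped)."""
    rules: Dict[int, str] = {}
    for line in text.splitlines():
        if line.startswith("@"):
            num, _, body = line[1:].partition(" ")
            rules[int(num)] = body.strip()
    return rules


def explain(line: str, rules: Dict[int, str]) -> Optional[dict]:
    """Join a parsed log line with the rule text that produced it."""
    event = parse_log_line(line)
    if event is None:
        return None
    event["rule_text"] = rules.get(event["rule"], "<rule not in ruleset snapshot>")
    return event


if __name__ == "__main__":
    ruleset = parse_ruleset(SAMPLE_RULESET)
    for raw in SAMPLE_SYSLOG.splitlines():
        ev = explain(raw, ruleset)
        if ev:
            print(f"rule {ev['rule']}: {ev['action']} {ev['direction']} on {ev['iface']} "
                  f"{ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']}")
            print(f"    {ev['rule_text']}")
```

On the firewall itself the ruleset snapshot comes from `pfctl -vvsr`; take it at the same time as the logs you are reading, because rule numbers shift whenever the ruleset is reloaded, so a rule number from an old syslog entry may point at a different rule after a filter reload.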

