Firewall rule numbers in syslog?

kapara · Apr 29, 2008, 9:49 AM

Is there a way by looking at this log to tell which rule has allowed the packet to pass? Can this be referenced? rule 53/0(match): I know I can find it since I allowed port 21 to 10.10.0.14 but I was hoping there might be an easy way to reference the rules by looking at the syslog and pinpointing which rule either allowed or blocked traffic.

2008-04-28 22:04:43 Local0.Info 10.10.0.1 Apr 28 22:04:42 pf: 20. 480571 rule 53/0(match): pass in on em0: (tos 0x0, ttl 47, id 50838, offset 0, flags [DF], proto: TCP (6), length: 64) (From IP).51474 > 10.10.0.14.21: S 2638049757:2638049757(0) win 65228 <mss 1460,nop,wscale="" 0,[|tcp]="">Thanks

Mark</mss>

hoba · Apr 29, 2008, 8:49 PM

Klick the pass/block/reject icon in front of the log entry at status>systemlogs, firewall. It will tell you exactly what rule triggered that action. Another option is to download or look at /tmp/rules.debug (diagnostics>edit file or diagnostics>command, download).

kapara · Apr 30, 2008, 5:51 AM

Thanks Hoba,

Easy to see in the gui but if I am looking at the syslog and I try to find Rule 53 in the rules.debug, there is no way to easily pinpoint which rule is allowing this to pass through.

Thanks,

Mark