Firewall rule numbers in syslog?
-
Is there a way by looking at this log to tell which rule has allowed the packet to pass? Can this be referenced? rule 53/0(match): I know I can find it since I allowed port 21 to 10.10.0.14 but I was hoping there might be an easy way to reference the rules by looking at the syslog and pinpointing which rule either allowed or blocked traffic.
2008-04-28 22:04:43 Local0.Info 10.10.0.1 Apr 28 22:04:42 pf: 20. 480571 rule 53/0(match): pass in on em0: (tos 0x0, ttl 47, id 50838, offset 0, flags [DF], proto: TCP (6), length: 64) (From IP).51474 > 10.10.0.14.21: S 2638049757:2638049757(0) win 65228 <mss 1460,nop,wscale 0,[|tcp]>
Thanks
Mark
-
Click the pass/block/reject icon in front of the log entry at status>systemlogs, firewall. It will tell you exactly what rule triggered that action. Another option is to download or look at /tmp/rules.debug (diagnostics>edit file or diagnostics>command, download).
-
Thanks Hoba,
Easy to see in the gui but if I am looking at the syslog and I try to find Rule 53 in the rules.debug, there is no way to easily pinpoint which rule is allowing this to pass through.
Thanks,
Mark
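The number in `rule 53/0(match)` is the position of the rule in the ruleset pf currently has loaded, not anything written in /tmp/rules.debug, which is why grepping rules.debug for "53" finds nothing. The loaded ruleset with those positions can be listed with `pfctl -vvsr`, which prefixes every rule with `@<number>`. The script below is an added example, not code from the thread or from pfSense: it parses the syslog line quoted above into its fields, parses a constructed imitation of `pfctl -vvsr` output (the `@N rule ...` lines followed by counter lines), and joins the two on the rule number. Because the numbers shift whenever the ruleset is reloaded, it also flags a lookup as stale when the action logged does not match the action of the rule it found. The rule text, source address and log reason strings are assumptions made up for the example.

```python
import re

# Constructed copy of the syslog line from the thread, with a documentation
# address standing in for the poster's "(From IP)" placeholder.
PF_LOG_LINE = (
    "Apr 28 22:04:42 pf: 20. 480571 rule 53/0(match): pass in on em0: "
    "(tos 0x0, ttl 47, id 50838, offset 0, flags [DF], proto: TCP (6), length: 64) "
    "192.0.2.10.51474 > 10.10.0.14.21: S 2638049757:2638049757(0) win 65228 "
    "<mss 1460,nop,wscale 0,[|tcp]>"
)

# Constructed, abridged imitation of `pfctl -vvsr` output. The "@N rule"
# line format is real; the rules and counters here are invented for the example.
PFCTL_VVSR_OUTPUT = """\
@0 scrub in all fragment reassemble
  [ Evaluations: 10        Packets: 10        Bytes: 1000        States: 0     ]
  [ Inserted: uid 0 pid 100 ]
@52 block drop in log quick on em0 inet proto tcp from any to 10.10.0.14 port = 22 label "block ssh"
  [ Evaluations: 4         Packets: 2         Bytes: 120         States: 0     ]
  [ Inserted: uid 0 pid 100 ]
@53 pass in log quick on em0 inet proto tcp from any to 10.10.0.14 port = 21 flags S/SA keep state label "allow ftp"
  [ Evaluations: 3         Packets: 1         Bytes: 64          States: 1     ]
  [ Inserted: uid 0 pid 100 ]
@54 block drop in log all label "default deny"
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 100 ]
"""

# "rule <nr>/<subnr>(<reason>): <action> <dir> on <ifname>:" as tcpdump prints pflog records.
LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<ifname>[\w.]+):"
)
# "@<nr> <rule text>" lines from `pfctl -vvsr`; the indented counter lines are skipped.
RULE_RE = re.compile(r"^@(?P<num>\d+) (?P<text>.*)$")


def parse_pflog(line):
    """Extract rule number, sub-rule number, reason, action, direction and interface."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "rule": int(m.group("rule")),
        "sub": int(m.group("sub")),
        "reason": m.group("reason"),
        "action": m.group("action"),
        "direction": m.group("direction"),
        "ifname": m.group("ifname"),
    }


def parse_pfctl_rules(output):
    """Map loaded-ruleset position -> rule text from `pfctl -vvsr` output."""
    rules = {}
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[int(m.group("num"))] = m.group("text")
    return rules


def resolve(line, rules):
    """Join one pflog line to the loaded rule at that position.

    'stale' is set when no rule sits at that position or its action (first
    word of the rule text) differs from the action logged: the ruleset was
    most likely reloaded between the log entry and the pfctl listing, so the
    number can no longer be trusted.
    """
    event = parse_pflog(line)
    if event is None:
        return None
    text = rules.get(event["rule"])
    event["rule_text"] = text
    event["stale"] = text is None or text.split()[0] != event["action"]
    return event


if __name__ == "__main__":
    ev = resolve(PF_LOG_LINE, parse_pfctl_rules(PFCTL_VVSR_OUTPUT))
    print(f"rule @{ev['rule']} ({ev['reason']}) {ev['action']} {ev['direction']} on {ev['ifname']}")
    print("  ->", ev["rule_text"], "(STALE)" if ev["stale"] else "")
```

On the firewall itself the dictionary would come from `pfctl -vvsr` run at the time of the lookup; if you are correlating archived syslog against a ruleset captured later, treat any stale result as unknown rather than guessing, and capture `pfctl -vvsr` alongside rules.debug each time the ruleset is reloaded so older log entries remain resolvable.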