
I have the following excerpt from pfctl -vvss command:

    re2 icmp 10.10.0.62:1 <- 192.168.10.56:1       0:0
       age 00:08:30, expires in 00:00:05, 192:7 pkts, 14400:584 bytes, rule 117
       id: 010000005ab2fc3e creatorid: 6261d0b3
    re0 icmp 95.84.128.151:47326 (192.168.10.56:1) -> 10.10.0.62:47326       0:0
       age 00:08:30, expires in 00:00:05, 377:4 pkts, 28188:416 bytes, rule 94
       id: 010000005ab2fc3f creatorid: 6261d0b3

I think this is undesired behaviour and that rules 117 and 94 are incorrect. How do I find these rules and where they came from?

What is creatorid?

2 Answers

pfctl -s rules -vv 

will output something like:

    @71 pass out quick on igb1.100 inet from 209.51.186.0/26 to 192.168.0.0/23 no state
      [ Evaluations: 1064257  Packets: 354523  Bytes: 149293726  States: 0  ]
      [ Inserted: uid 0 pid 1053 State Creations: 0  ]

The @71 is the rule number.


To see where a rule comes from, you can inspect the rules that are created when the configuration file is loaded:

# pfctl -vv -n -f /etc/pf.conf 

-vv increases the verbosity so that the rule number is also shown at the beginning of each rule
-n prevents pf from actually loading the rules
-f gives the file from which the rules are generated

To me it has proven beneficial to compare this output to the actual content of the configuration file (maybe side by side):

# cat /etc/pf.conf 
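Added example (not from either answer) that automates the lookup both answers describe: pull every rule number out of the `pfctl -vvss` state entries and print the matching `@N` line from `pfctl -s rules -vv`. The state text is the question's own output; the rule listing is constructed, and its rule bodies are invented for illustration.

```shell
#!/bin/sh
# Sample `pfctl -vvss` output: the two states quoted in the question.
STATES='re2 icmp 10.10.0.62:1 <- 192.168.10.56:1       0:0
   age 00:08:30, expires in 00:00:05, 192:7 pkts, 14400:584 bytes, rule 117
   id: 010000005ab2fc3e creatorid: 6261d0b3
re0 icmp 95.84.128.151:47326 (192.168.10.56:1) -> 10.10.0.62:47326       0:0
   age 00:08:30, expires in 00:00:05, 377:4 pkts, 28188:416 bytes, rule 94
   id: 010000005ab2fc3f creatorid: 6261d0b3'

# Constructed `pfctl -s rules -vv` output; the rule bodies are invented.
RULES='@94 pass in quick on re0 inet proto icmp all
  [ Evaluations: 10  Packets: 377  Bytes: 28188  States: 1  ]
  [ Inserted: uid 0 pid 1053 State Creations: 1  ]
@117 pass out on re2 inet from any to 10.10.0.0/24
  [ Evaluations: 5  Packets: 192  Bytes: 14400  States: 1  ]
  [ Inserted: uid 0 pid 1053 State Creations: 1  ]'

# rules_in_states STATE_TEXT: distinct rule numbers referenced by states.
# The "age ..., rule N" line of each state ends with the rule number.
rules_in_states() {
    printf '%s\n' "$1" | awk '/rule [0-9]+$/ { print $NF }' | sort -un
}

# rule_text N RULE_TEXT: the rule line for @N, with the "@N " prefix stripped.
# Works on `pfctl -s rules -vv` and on `pfctl -vv -n -f /etc/pf.conf` output.
rule_text() {
    printf '%s\n' "$2" | awk -v n="$1" \
        '$1 == ("@" n) { sub(/^@[0-9]+ /, ""); print; exit }'
}

# report STATE_TEXT RULE_TEXT: one "rule N: <rule>" line per referenced rule,
# so each live state can be traced back to the pf.conf entry that created it.
report() {
    for n in $(rules_in_states "$1"); do
        printf 'rule %s: %s\n' "$n" "$(rule_text "$n" "$2")"
    done
}

# On a real firewall: report "$(pfctl -vvss)" "$(pfctl -s rules -vv)"
report "$STATES" "$RULES"
```

The creatorid field is pf's 32-bit hostid (pf.conf `set hostid`), which pfsync uses to mark which firewall in a cluster created the state entry.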
