I am not a sysadmin or a network administrator (I am a software developer). Working on a project I have to understand more in details the meaning of a log obtained from a pfSense instance.
I am using these documentation links in order to better undersatnd the meaning of these log entries:
- https://docs.netgate.com/pfsense/en/latest/monitoring/logs/firewall.html
- https://docs.netgate.com/pfsense/en/latest/monitoring/logs/raw-filter-format.html
I am obtaining entries like this (related to an UDP request):
Jun 2 11:00:11 filterlog: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,54,36357,0,DF,17,udp,196,62.77.36.6,10.0.0.2,500,500,176
I put the content of this entry on multiple lines trying to comment the meaning of each single field:
Jun 2 11:00:11 (DATE-TIMESTAMP)
filterlog: 5,,, (What 5 mean? Why is it followed by 3 "," character? are empty fields?)
1000000103 (THIS SHOULD BE THE DEFAULT BLOCKING RULE),
vtnet0 (ON THE vtnet0 INTERFACE),
match, (REASON OF LOG ENTRY)
block, (ACTION TAKEN: block or pass)
in, (TRAFFIC DIRECTION: in or out)
4, (IP VERSION: 4 for IPv4 or 6 for IPv6)
0x0,, (???)
54, (???)
36357, (???)
0, (???)
DF, (???)
17, (???)
udp, (PROTOCOL, IN THIS CASE IT WAS AN UDP REQUEST)
196, (???)
62.77.36.6, (SOURCE IP ???)
10.0.0.2, (DESTINATION IP ???)
500, (SOURCE PORT???)
500, (DESTINATION ???)
176 (???)
I marked with ??? where I have no idea of the field meaning. In particular I have a lot of doubt on an important info related the source and the destination port (I think that it is 500 but I am absolutly not sure and this is an important info for me).
Can you help me to better understand these fields meaning?
