Actions
Bug #12872
closed
Firewall log tracker ID always returns "4294967295" regardless of rule triggered.
Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Logging
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:
amd64
Description
The issue only showed up after upgrading from 2.5 to to 2.6.
The following is an example from the firewall log. Logs all show "4294967295" regardless of the rules that were triggered.
Feb 25 09:07:00 pfSense filterlog[37738]: 111,,,4294967295,re0,match,block,unkn(%u),4,0x0,,244,54210,0,none,6,tcp,44,92.63.197.94,72.235.242.139,58030,13335,0,S,428217694,,1024,,mss
Feb 25 09:07:00 pfSense filterlog[37738]: 4,,,4294967295,re0,match,block,unkn(%u),4,0x0,,119,16518,0,none,17,udp,108,66.91.123.239,72.235.242.139,61907,40000,88
Feb 25 09:07:00 pfSense filterlog[37738]: 111,,,4294967295,re0,match,block,unkn(%u),4,0x0,,244,54321,0,none,6,tcp,44,89.248.163.140,72.235.242.139,36182,8912,0,S,1728063168,,65535,,mss
Feb 25 09:07:00 pfSense filterlog[37738]: 6,,,4294967295,bridge0,match,block,unkn(%u),6,0x00,0xa2ffd,1,UDP,17,156,fe80::7a8a:20ff:fe29:6486,ff02::1,59236,10001,156
Feb 25 09:07:01 pfSense filterlog[37738]: 111,,,4294967295,re0,match,block,unkn(%u),4,0x0,,42,15590,0,DF,6,tcp,52,111.7.96.132,72.235.242.139,16614,6155,0,S,568232631,,65535,,mss;nop;wscale;nop;nop;sackOK
BBcan177 wrote on another thread: There are some users who are experiencing issues with pfSense recording the Tracker ID "4294967295" which according to conversations with Jim Pingle
"I'm not sure why that number would be in the log, but it's 2^32-1 so probably the variable is empty/uninitialized or being overrun (value is
higher than can be expressed in that size of a variable)."
Updated by Jim Pingle about 2 years ago
- Status changed from New to Incomplete
We still need more information here since we have not yet been able to reproduce this behavior. I've checked over 20 different systems and none have that kind of output in the log. In addition to having the wrong tracker ID, the direction is missing and listed as unkn(%u).
The data in the log being wrong is similar to symptoms we have seen in the past where a system did not fully complete the upgrade to the new version and was running a mismatched kernel and world (e.g. old kernel and new base, or new kernel and old base). Such as if the upgrade was interrupted partway.
We need to see a full generated ruleset as contained in /tmp/rules.debug along with the interpreted ruleset from pfctl -vvsr. Also it would help to see the output of uname -a and pkg info -x pfSense.
This site is not for support or diagnostic discussion, however. The best place to take this is the Netgate Forum until we can isolate the conditions which lead to this problem. Gather the requested information and start a new forum thread with it.
Updated by Julian Kahumana about 2 years ago
Sorry, I'm not familiar with the process. I was pointed here by BBcan177. I can move this all to the negate forum.
Thank you
/tmp/rules.debug
set limit table-entries 1400000
set optimization normal
set limit states 1613000
set limit src-nodes 1613000
#System aliases
loopback = "{ lo0 }"
WAN = "{ re0 }"
LAN = "{ bridge0 }"
OPT2 = "{ em2 }"
OPT3 = "{ em3 }"
OPENVPN = "{ ovpns1 }"
OpenVPN = "{ openvpn }"
#SSH Lockout Table
table <sshguard> persist
#Snort tables
table <snort2c>
table <virusprot>
table <bogons> persist file "/etc/bogons"
table <bogonsv6> persist file "/etc/bogonsv6"
table <vpn_networks> { 192.168.142.0/24 }
table <negate_networks> { 192.168.142.0/24 }
# User Aliases
table <pfB_PRI1_v4> persist file "/var/db/aliastables/pfB_PRI1_v4.txt"
pfB_PRI1_v4 = "<pfB_PRI1_v4>"
table <pfB_PRI2_v4> persist file "/var/db/aliastables/pfB_PRI2_v4.txt"
pfB_PRI2_v4 = "<pfB_PRI2_v4>"
table <pfB_PRI4_v4> persist file "/var/db/aliastables/pfB_PRI4_v4.txt"
pfB_PRI4_v4 = "<pfB_PRI4_v4>"
table <pfB_SCANNERS_v4> persist file "/var/db/aliastables/pfB_SCANNERS_v4.txt"
pfB_SCANNERS_v4 = "<pfB_SCANNERS_v4>"
table <pfB_PRI3_v4> persist file "/var/db/aliastables/pfB_PRI3_v4.txt"
pfB_PRI3_v4 = "<pfB_PRI3_v4>"
table <pfB_DNSBLIP_v4> persist file "/var/db/aliastables/pfB_DNSBLIP_v4.txt"
pfB_DNSBLIP_v4 = "<pfB_DNSBLIP_v4>"
table <pfB_PRI1_6_v6> persist file "/var/db/aliastables/pfB_PRI1_6_v6.txt"
pfB_PRI1_6_v6 = "<pfB_PRI1_6_v6>"
pfB_DNSBL_Ports = "{ 80 443 }"
table <pfB_DNSBL_VIPs> { 10.10.10.1 ::10.10.10.1 }
pfB_DNSBL_VIPs = "<pfB_DNSBL_VIPs>"
# Gateways
GWWANGW = " route-to ( re0 72.235.242.129 ) "
GWOPENVPN_VPNV4 = " route-to ( ovpns1 192.168.142.1 ) "
set loginterface bridge0
set skip on pfsync0
set keepcounters
scrub on $WAN inet all fragment reassemble
scrub on $WAN inet6 all fragment reassemble
scrub on $LAN inet all fragment reassemble
scrub on $LAN inet6 all fragment reassemble
scrub on $OPT2 inet all fragment reassemble
scrub on $OPT2 inet6 all fragment reassemble
scrub on $OPT3 inet all fragment reassemble
scrub on $OPT3 inet6 all fragment reassemble
scrub on $OPENVPN inet all fragment reassemble
scrub on $OPENVPN inet6 all fragment reassemble
no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# Outbound NAT rules (automatic)
# Subnets to NAT
tonatsubnets = "{ 127.0.0.0/8 ::1/128 192.168.141.0/24 192.168.142.0/24 }"
nat on $WAN inet from $tonatsubnets to any port 500 -> 72.235.242.139/32 static-port
nat on $WAN inet6 from $tonatsubnets to any port 500 -> (re0) static-port
nat on $WAN inet from $tonatsubnets to any -> 72.235.242.139/32 port 1024:65535
nat on $WAN inet6 from $tonatsubnets to any -> (re0) port 1024:65535
# TFTP proxy
rdr-anchor "tftp-proxy/*"
# NAT Inbound Redirects
rdr on re0 inet proto tcp from any to 72.235.242.139 port 9000 -> 192.168.141.168
# Reflection redirect
rdr on { bridge0 em2 em3 openvpn } inet proto tcp from any to 72.235.242.139 port 9000 -> 192.168.141.168
nat on bridge0 proto tcp from 192.168.141.0/24 to 192.168.141.168 port 9000 -> 192.168.141.1 port 1024:65535
rdr on re0 inet proto udp from any to 72.235.242.139 port 35001 -> 192.168.141.192
# Reflection redirect
rdr on { bridge0 em2 em3 openvpn } inet proto udp from any to 72.235.242.139 port 35001 -> 192.168.141.192
nat on bridge0 proto udp from 192.168.141.0/24 to 192.168.141.192 port 35001 -> 192.168.141.1 port 1024:65535
rdr on re0 inet proto tcp from any to 72.235.242.139 port 35000 -> 192.168.141.192
# Reflection redirect
rdr on { bridge0 em2 em3 openvpn } inet proto tcp from any to 72.235.242.139 port 35000 -> 192.168.141.192
nat on bridge0 proto tcp from 192.168.141.0/24 to 192.168.141.192 port 35000 -> 192.168.141.1 port 1024:65535
rdr on re0 inet proto tcp from any to 72.235.242.139 port 8888 -> 192.168.141.6
# Reflection redirect
rdr on { bridge0 em2 em3 openvpn } inet proto tcp from any to 72.235.242.139 port 8888 -> 192.168.141.6
nat on bridge0 proto tcp from 192.168.141.0/24 to 192.168.141.6 port 8888 -> 192.168.141.1 port 1024:65535
rdr on re0 inet proto udp from any to 72.235.242.139 port 500 -> 192.168.141.6
# Reflection redirect
rdr on { bridge0 em2 em3 openvpn } inet proto udp from any to 72.235.242.139 port 500 -> 192.168.141.6
nat on bridge0 proto udp from 192.168.141.0/24 to 192.168.141.6 port 500 -> 192.168.141.1 port 1024:65535
rdr on re0 inet proto udp from any to 72.235.242.139 port 4500 -> 192.168.141.6
# Reflection redirect
rdr on { bridge0 em2 em3 openvpn } inet proto udp from any to 72.235.242.139 port 4500 -> 192.168.141.6
nat on bridge0 proto udp from 192.168.141.0/24 to 192.168.141.6 port 4500 -> 192.168.141.1 port 1024:65535
rdr on re0 inet proto tcp from any to 72.235.242.139 port 80 -> 192.168.141.6
# Reflection redirect
rdr on { bridge0 em2 em3 openvpn } inet proto tcp from any to 72.235.242.139 port 80 -> 192.168.141.6
nat on bridge0 proto tcp from 192.168.141.0/24 to 192.168.141.6 port 80 -> 192.168.141.1 port 1024:65535
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "openvpn/*"
anchor "ipsec/*"
# block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
# and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
# route-to can override that, causing problems such as in redmine #2073
block in log quick from 169.254.0.0/16 to any ridentifier 1000000101 label "Block IPv4 link-local"
block in log quick from any to 169.254.0.0/16 ridentifier 1000000102 label "Block IPv4 link-local"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log inet all ridentifier 1000000103 label "Default deny rule IPv4"
block out log inet all ridentifier 1000000104 label "Default deny rule IPv4"
block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6"
block out log inet6 all ridentifier 1000000106 label "Default deny rule IPv6"
# IPv6 ICMP is not auxiliary, it is required for operation
# See man icmp6(4)
# 1 unreach Destination unreachable
# 2 toobig Packet too big
# 128 echoreq Echo service request
# 129 echorep Echo service reply
# 133 routersol Router solicitation
# 134 routeradv Router advertisement
# 135 neighbrsol Neighbor solicitation
# 136 neighbradv Neighbor advertisement
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} ridentifier 1000000107 keep state
# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} ridentifier 1000000108 keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} ridentifier 1000000109 keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000110 keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000111 keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000112 keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000113 keep state
# We use the mighty pf, we cannot be fooled.
block log quick inet proto { tcp, udp } from any port = 0 to any ridentifier 1000000114 label "Block traffic from port 0"
block log quick inet proto { tcp, udp } from any to any port = 0 ridentifier 1000000115 label "Block traffic to port 0"
block log quick inet6 proto { tcp, udp } from any port = 0 to any ridentifier 1000000116 label "Block traffic from port 0"
block log quick inet6 proto { tcp, udp } from any to any port = 0 ridentifier 1000000117 label "Block traffic to port 0"
# Snort package
block log quick from <snort2c> to any ridentifier 1000000118 label "Block snort2c hosts"
block log quick from any to <snort2c> ridentifier 1000000119 label "Block snort2c hosts"
# CARP rules
block in log quick proto carp from (self) to any ridentifier 1000000201
pass quick proto carp ridentifier 1000000202 no state
# SSH lockout
block in log quick proto tcp from <sshguard> to (self) port 22 ridentifier 1000000301 label "sshguard"
# webConfigurator lockout
block in log quick proto tcp from <sshguard> to (self) port 443 ridentifier 1000000351 label "GUI Lockout"
block in log quick from <virusprot> to any ridentifier 1000000400 label "virusprot overload table"
# block bogon networks (IPv4)
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any ridentifier 11001 label "block bogon IPv4 networks from WAN"
# block bogon networks (IPv6)
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in log quick on $WAN from <bogonsv6> to any ridentifier 11002 label "block bogon IPv6 networks from WAN"
antispoof log for $WAN ridentifier 1000001570
# block anything from private networks on interfaces with the option set
block in log quick on $WAN from 10.0.0.0/8 to any ridentifier 12001 label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any ridentifier 12002 label "Block private networks from WAN block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any ridentifier 12003 label "Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any ridentifier 12004 label "Block private networks from WAN block 192.168/16"
block in log quick on $WAN from fc00::/7 to any ridentifier 12005 label "Block ULA networks from WAN block fc00::/7"
antispoof log for $LAN ridentifier 1000002620
# allow access to DHCP server on LAN
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 ridentifier 1000002641 label "allow access to DHCP server"
pass in quick on $LAN proto udp from any port = 68 to 192.168.141.1 port = 67 ridentifier 1000002642 label "allow access to DHCP server"
pass out quick on $LAN proto udp from 192.168.141.1 port = 67 to any port = 68 ridentifier 1000002643 label "allow access to DHCP server"
antispoof log for $OPENVPN ridentifier 1000005770
# loopback
pass in on $loopback inet all ridentifier 1000006861 label "pass IPv4 loopback"
pass out on $loopback inet all ridentifier 1000006862 label "pass IPv4 loopback"
pass in on $loopback inet6 all ridentifier 1000006863 label "pass IPv6 loopback"
pass out on $loopback inet6 all ridentifier 1000006864 label "pass IPv6 loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts ridentifier 1000006865 label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts ridentifier 1000006866 label "let out anything IPv6 from firewall host itself"
pass out route-to ( re0 72.235.242.129 ) from 72.235.242.139 to !72.235.242.128/25 ridentifier 1000006961 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( ovpns1 192.168.142.1 ) from 192.168.142.1 to !192.168.142.0/24 ridentifier 1000006962 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( ovpns1 ::ffff:192.168.142.2 ) inet6 from ::ffff:192.168.142.1 to !::ffff:192.168.142.1/64 ridentifier 1000006963 keep state allow-opts label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on bridge0 proto tcp from any to (bridge0) port { 443 80 22 } ridentifier 10001 keep state label "anti-lockout rule"
# NAT Reflection rules
pass in inet tagged PFREFLECT ridentifier 1000007281 keep state label "NAT REFLECT: Allow traffic to localhost"
# User-defined rules follow
anchor "userrules/*"
pass quick on { bridge0 ovpns1 } inet proto icmp from any to $pfB_DNSBL_VIPs icmp-type echoreq ridentifier 1770001239 keep state label "USER_RULE: pfB_DNSBL_Ping auto rule"
pass quick on { bridge0 ovpns1 } inet6 proto ipv6-icmp from any to $pfB_DNSBL_VIPs icmp6-type echoreq ridentifier 1770001239 keep state label "USER_RULE: pfB_DNSBL_Ping auto rule"
pass quick on { bridge0 ovpns1 } inet proto { tcp udp } from any to $pfB_DNSBL_VIPs port $pfB_DNSBL_Ports ridentifier 1770001466 keep state label "USER_RULE: pfB_DNSBL_Permit auto rule"
pass quick on { bridge0 ovpns1 } inet6 proto { tcp udp } from any to $pfB_DNSBL_VIPs port $pfB_DNSBL_Ports ridentifier 1770001466 keep state label "USER_RULE: pfB_DNSBL_Permit auto rule"
block log quick on { re0 } inet from $pfB_PRI1_v4 to any ridentifier 1770009047 label "USER_RULE: pfB_PRI1_v4 auto rule"
block log quick on { re0 } inet from $pfB_PRI2_v4 to any ridentifier 1770009071 label "USER_RULE: pfB_PRI2_v4 auto rule"
block log quick on { re0 } inet from $pfB_PRI4_v4 to any ridentifier 1770009169 label "USER_RULE: pfB_PRI4_v4 auto rule"
block log quick on { re0 } inet from $pfB_SCANNERS_v4 to any ridentifier 1770009095 label "USER_RULE: pfB_SCANNERS_v4 auto rule"
block log quick on { re0 } inet from $pfB_PRI3_v4 to any ridentifier 1770009261 label "USER_RULE: pfB_PRI3_v4 auto rule"
block log quick on { re0 } inet from $pfB_DNSBLIP_v4 to any ridentifier 1770009014 label "USER_RULE: pfB_DNSBLIP_v4 auto rule"
block log quick on { re0 } inet6 from $pfB_PRI1_6_v6 to any ridentifier 1770009378 label "USER_RULE: pfB_PRI1_6_v6 auto rule"
block return log quick on { bridge0 ovpns1 } inet from any to $pfB_PRI1_v4 ridentifier 1770004529 label "USER_RULE: pfB_PRI1_v4 auto rule"
block return log quick on { bridge0 ovpns1 } inet from any to $pfB_PRI2_v4 ridentifier 1770004553 label "USER_RULE: pfB_PRI2_v4 auto rule"
block return log quick on { bridge0 ovpns1 } inet from any to $pfB_PRI4_v4 ridentifier 1770004651 label "USER_RULE: pfB_PRI4_v4 auto rule"
block return log quick on { bridge0 ovpns1 } inet from any to $pfB_SCANNERS_v4 ridentifier 1770004577 label "USER_RULE: pfB_SCANNERS_v4 auto rule"
block return log quick on { bridge0 ovpns1 } inet from any to $pfB_PRI3_v4 ridentifier 1770004743 label "USER_RULE: pfB_PRI3_v4 auto rule"
block return log quick on { bridge0 ovpns1 } inet from any to $pfB_DNSBLIP_v4 ridentifier 1770004496 label "USER_RULE: pfB_DNSBLIP_v4 auto rule"
block return log quick on { bridge0 ovpns1 } inet6 from any to $pfB_PRI1_6_v6 ridentifier 1770004860 label "USER_RULE: pfB_PRI1_6_v6 auto rule"
pass in quick on $OpenVPN inet from any to any ridentifier 1644648260 keep state label "USER_RULE: OpenVPN wizard"
pass in quick on $OpenVPN inet6 from any to any ridentifier 1644648260 keep state label "USER_RULE: OpenVPN wizard"
pass in quick on $WAN reply-to ( re0 72.235.242.129 ) inet proto tcp from any to 192.168.141.6 port 8888 ridentifier 1644455047 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on $WAN reply-to ( re0 72.235.242.129 ) inet proto tcp from any to 192.168.141.6 port 80 ridentifier 1644455086 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on $WAN reply-to ( re0 72.235.242.129 ) inet proto tcp from any to 192.168.141.168 port 9000 ridentifier 1644455196 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on $WAN reply-to ( re0 72.235.242.129 ) inet proto udp from any to 192.168.141.192 port 35001 ridentifier 1644455250 keep state label "USER_RULE: NAT "
pass in quick on $WAN reply-to ( re0 72.235.242.129 ) inet proto tcp from any to 192.168.141.192 port 35000 ridentifier 1644455312 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on $WAN reply-to ( re0 72.235.242.129 ) inet proto udp from any to 192.168.141.6 port 500 ridentifier 1644604136 keep state label "USER_RULE: NAT "
pass in quick on $WAN reply-to ( re0 72.235.242.129 ) inet proto udp from any to 192.168.141.6 port 4500 ridentifier 1644604171 keep state label "USER_RULE: NAT "
pass in quick on $WAN reply-to ( re0 72.235.242.129 ) inet proto udp from any to 72.235.242.139 port 1194 ridentifier 1644648259 keep state label "USER_RULE: OpenVPN wizard"
# destination address is empty. label "USER_RULE: OpenVPN wizard"
pass in quick on $LAN inet from 192.168.141.0/24 to any ridentifier 0100000101 keep state label "USER_RULE: Default allow LAN to any rule"
# source address is empty. label "USER_RULE: Default allow LAN IPv6 to any rule"
# array key "opt1" does not exist for "" in array: {WAN LAN OPT2 OPT3 OPENVPN OpenVPN } label "USER_RULE"
# array key "opt1" does not exist for "" in array: {WAN LAN OPT2 OPT3 OPENVPN OpenVPN } label "USER_RULE"
pass in quick on $OPT2 inet from any to any ridentifier 1644455365 keep state label "USER_RULE"
pass in quick on $OPT2 inet6 from any to any ridentifier 1644455365 keep state label "USER_RULE"
pass in quick on $OPT3 inet from any to any ridentifier 1644455388 keep state label "USER_RULE"
pass in quick on $OPT3 inet6 from any to any ridentifier 1644455388 keep state label "USER_RULE"
# array key "opt4" does not exist for "" in array: {WAN LAN OPT2 OPT3 OPENVPN OpenVPN } label "USER_RULE"
# array key "opt4" does not exist for "" in array: {WAN LAN OPT2 OPT3 OPENVPN OpenVPN } label "USER_RULE"
pass in quick on $OPENVPN reply-to ( ovpns1 192.168.142.1 ) inet from any to any ridentifier 1644730054 keep state label "USER_RULE"
pass in quick on $OPENVPN reply-to ( ovpns1 ::ffff:192.168.142.2 ) inet6 from any to any ridentifier 1644730054 keep state label "USER_RULE"
# VPN Rules
anchor "tftp-proxy/*"
anchor "miniupnpd"
pfctl -vvsr
@0(0) scrub on re0 inet all fragment reassemble [ Evaluations: 1246980530 Packets: 228187127 Bytes: 27103835388 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @1(0) scrub on re0 inet6 all fragment reassemble [ Evaluations: 2 Packets: 2 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @2(0) scrub on bridge0 inet all fragment reassemble [ Evaluations: 1018793402 Packets: 969844276 Bytes: 114386414553 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @3(0) scrub on bridge0 inet6 all fragment reassemble [ Evaluations: 18385978 Packets: 18385978 Bytes: 398424 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @4(0) scrub on em2 inet all fragment reassemble [ Evaluations: 30563150 Packets: 507524 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @5(0) scrub on em2 inet6 all fragment reassemble [ Evaluations: 323348 Packets: 323348 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @6(0) scrub on em3 inet all fragment reassemble [ Evaluations: 29732278 Packets: 3108065 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @7(0) scrub on em3 inet6 all fragment reassemble [ Evaluations: 2133695 Packets: 2133695 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @8(0) scrub on ovpns1 inet all fragment reassemble [ Evaluations: 24490518 Packets: 1544045 Bytes: 40566825 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @9(0) scrub on ovpns1 inet6 all fragment reassemble [ Evaluations: 289009 Packets: 289009 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @0(0) anchor "openvpn/*" all [ Evaluations: 10554790 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @1(0) anchor "ipsec/*" all [ Evaluations: 10554790 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @2(0) block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local" ridentifier 1000000101 [ Evaluations: 10554790 Packets: 550 Bytes: 74457 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @3(0) block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local" ridentifier 1000000102 [ Evaluations: 4457939 Packets: 4 Bytes: 5468 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @4(0) block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000103 [ Evaluations: 4457935 Packets: 689748 Bytes: 60887061 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @5(0) block drop out log inet all label "Default deny rule IPv4" ridentifier 1000000104 [ Evaluations: 8751679 Packets: 16 Bytes: 6542 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @6(0) block drop in log inet6 all label "Default deny rule IPv6" ridentifier 1000000105 [ Evaluations: 10554236 Packets: 1192564 Bytes: 139242685 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @7(0) block drop out log inet6 all label "Default deny rule IPv6" ridentifier 1000000106 [ Evaluations: 6096301 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @8(0) pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state ridentifier 1000000107 [ Evaluations: 2307124 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @9(0) pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state ridentifier 1000000107 [ Evaluations: 77026 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @10(0) pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state ridentifier 1000000107 [ Evaluations: 77026 Packets: 1219805 Bytes: 87776776 States: 14 ] [ Inserted: pid 22649 State Creations: 7131 ] @11(0) pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state ridentifier 1000000107 [ Evaluations: 57712 Packets: 759962 Bytes: 54626824 States: 20 ] [ Inserted: pid 22649 State Creations: 5777 ] @12(0) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state ridentifier 1000000108 [ Evaluations: 42174 Packets: 2 Bytes: 176 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @13(0) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000108 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @14(0) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000108 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @15(0) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000108 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @16(0) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000108 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @17(0) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state ridentifier 1000000109 [ Evaluations: 10770 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @18(0) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state ridentifier 1000000109 [ Evaluations: 10770 Packets: 4564 Bytes: 246584 States: 1 ] [ Inserted: pid 22649 State Creations: 847 ] @19(0) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000109 [ Evaluations: 8816 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @20(0) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000109 [ Evaluations: 8816 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @21(0) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000109 [ Evaluations: 8816 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @22(0) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state ridentifier 1000000110 [ Evaluations: 40098 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @23(0) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000110 [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @24(0) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000110 [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @25(0) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000110 [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @26(0) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000110 [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @27(0) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state ridentifier 1000000111 [ Evaluations: 540 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @28(0) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000111 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @29(0) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000111 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @30(0) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000111 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @31(0) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000111 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @32(0) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state ridentifier 1000000112 [ Evaluations: 31282 Packets: 3 Bytes: 312 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @33(0) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state ridentifier 1000000112 [ Evaluations: 30862 Packets: 13692 Bytes: 739752 States: 0 ] [ Inserted: pid 22649 State Creations: 849 ] @34(0) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000112 [ Evaluations: 28896 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @35(0) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000112 [ Evaluations: 28896 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @36(0) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000112 [ Evaluations: 28896 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @37(0) pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state ridentifier 1000000113 [ Evaluations: 29313 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @38(0) pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state ridentifier 1000000113 [ Evaluations: 417 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @39(0) pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000113 [ Evaluations: 417 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @40(0) pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000113 [ Evaluations: 417 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @41(0) pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000113 [ Evaluations: 417 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @42(0) block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000114 [ Evaluations: 10515462 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @43(0) block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000114 [ Evaluations: 6681134 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @44(0) block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000115 [ Evaluations: 8247112 Packets: 5 Bytes: 284 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @45(0) block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000115 [ Evaluations: 6681134 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @46(0) block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000116 [ Evaluations: 10515457 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @47(0) block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000116 [ Evaluations: 2262718 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @48(0) block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000117 [ Evaluations: 2268350 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @49(0) block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000117 [ Evaluations: 2262718 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @50(0) block drop log quick from <snort2c:5> to any label "Block snort2c hosts" ridentifier 1000000118 [ Evaluations: 10515457 Packets: 607 Bytes: 30149 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @51(0) block drop log quick from any to <snort2c:5> label "Block snort2c hosts" ridentifier 1000000119 [ Evaluations: 10514850 Packets: 386 Bytes: 45671 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @52(0) block drop in log quick proto carp from (self:13) to any ridentifier 1000000201 [ Evaluations: 10514464 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @53(0) pass quick proto carp all no state ridentifier 1000000202 [ Evaluations: 4274369 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @54(0) block drop in log quick proto tcp from <sshguard:0> to (self:13) port = ssh label "sshguard" ridentifier 1000000301 [ Evaluations: 10514464 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @55(0) block drop in log quick proto tcp from <sshguard:0> to (self:13) port = https label "GUI Lockout" ridentifier 1000000351 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @56(0) block drop in log quick from <virusprot:0> to any label "virusprot overload table" ridentifier 1000000400 [ Evaluations: 6240095 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @57(0) block drop in log quick on re0 from <bogons:10> to any label "block bogon IPv4 networks from WAN" ridentifier 11001 [ Evaluations: 6240095 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @58(0) block drop in log quick on re0 from <bogonsv6:0> to any label "block bogon IPv6 networks from WAN" ridentifier 11002 [ Evaluations: 711301 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @59(0) block drop in log on ! re0 inet from 72.235.242.128/25 to any ridentifier 1000001570 [ Evaluations: 6240095 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @60(0) block drop in log inet from 72.235.242.139 to any ridentifier 1000001570 [ Evaluations: 4456938 Packets: 1 Bytes: 166 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @61(0) block drop in log on re0 inet6 from fe80::62a4:4cff:fe69:dae0 to any ridentifier 1000001570 [ Evaluations: 6240095 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @62(0) block drop in log quick on re0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8" ridentifier 12001 [ Evaluations: 711301 Packets: 1 Bytes: 28 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @63(0) block drop in log quick on re0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8" ridentifier 12002 [ Evaluations: 711300 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @64(0) block drop in log quick on re0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12" ridentifier 12003 [ Evaluations: 711300 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @65(0) block drop in log quick on re0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16" ridentifier 12004 [ Evaluations: 711300 Packets: 1 Bytes: 52 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @66(0) block drop in log quick on re0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7" ridentifier 12005 [ Evaluations: 711299 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @67(0) block drop in log on ! bridge0 inet from 192.168.141.0/24 to any ridentifier 1000002620 [ Evaluations: 6240093 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @68(0) block drop in log inet from 192.168.141.1 to any ridentifier 1000002620 [ Evaluations: 5649778 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @69(0) pass in quick on bridge0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000002641 [ Evaluations: 4456936 Packets: 6720 Bytes: 2230584 States: 0 ] [ Inserted: pid 22649 State Creations: 239 ] @70(0) pass in quick on bridge0 inet proto udp from any port = bootpc to 192.168.141.1 port = bootps keep state label "allow access to DHCP server" ridentifier 1000002642 [ Evaluations: 2720 Packets: 5611 Bytes: 1898267 States: 0 ] [ Inserted: pid 22649 State Creations: 921 ] @71(0) pass out quick on bridge0 inet proto udp from 192.168.141.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000002643 [ Evaluations: 6405874 Packets: 8 Bytes: 2624 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @72(0) block drop in log on ! ovpns1 inet6 from ::/64 to any ridentifier 1000005770 [ Evaluations: 10511206 Packets: 278 Bytes: 23328 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @73(0) block drop in log on ovpns1 inet6 from fe80::21b:21ff:fe42:f641 to any ridentifier 1000005770 [ Evaluations: 1783820 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @74(0) block drop in log inet6 from ::ffff:192.168.142.1 to any ridentifier 1000005770 [ Evaluations: 1783157 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @75(0) block drop in log on ! ovpns1 inet from 192.168.142.0/24 to any ridentifier 1000005770 [ Evaluations: 6236839 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @76(0) block drop in log inet from 192.168.142.1 to any ridentifier 1000005770 [ Evaluations: 4453682 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @77(0) pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000006861 [ Evaluations: 4453682 Packets: 2997132 Bytes: 897950986 States: 244 ] [ Inserted: pid 22649 State Creations: 288800] @78(0) pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000006862 [ Evaluations: 5046798 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @79(0) pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" ridentifier 1000006863 [ Evaluations: 3328070 Packets: 214 Bytes: 29879 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @80(0) pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" ridentifier 1000006864 [ Evaluations: 772532 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @81(0) pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself" ridentifier 1000006865 [ Evaluations: 10511156 Packets: 99538182 Bytes: 18666042215 States: 573 ] [ Inserted: pid 22649 State Creations: 867759] @82(0) pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself" ridentifier 1000006866 [ Evaluations: 4274367 Packets: 1677239 Bytes: 230758055 States: 79 ] [ Inserted: pid 22649 State Creations: 157765] @83(0) pass out route-to (re0 72.235.242.129) inet from 72.235.242.139 to ! 72.235.242.128/25 flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000006961 [ Evaluations: 4274367 Packets: 123111071 Bytes: 41850417388 States: 1061 ] [ Inserted: pid 22649 State Creations: 572412] @84(0) pass out route-to (ovpns1 192.168.142.1) inet from 192.168.142.1 to ! 192.168.142.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000006962 [ Evaluations: 3788407 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @85(0) pass out route-to (ovpns1 ::ffff:192.168.142.2) inet6 from ::ffff:192.168.142.1 to ! ::/64 flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000006963 [ Evaluations: 4273570 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @86(0) pass in quick on bridge0 proto tcp from any to (bridge0:1) port = https flags S/SA keep state label "anti-lockout rule" ridentifier 10001 [ Evaluations: 10511206 Packets: 648398 Bytes: 480856689 States: 1 ] [ Inserted: pid 22649 State Creations: 497 ] @87(0) pass in quick on bridge0 proto tcp from any to (bridge0:1) port = http flags S/SA keep state label "anti-lockout rule" ridentifier 10001 [ Evaluations: 39122 Packets: 10 Bytes: 805 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @88(0) pass in quick on bridge0 proto tcp from any to (bridge0:1) port = ssh flags S/SA keep state label "anti-lockout rule" ridentifier 10001 [ Evaluations: 39121 Packets: 1441 Bytes: 175027 States: 0 ] [ Inserted: pid 22649 State Creations: 1 ] @89(0) pass in inet all flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost" ridentifier 1000007281 tagged PFREFLECT [ Evaluations: 8519988 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @90(0) anchor "userrules/*" all [ Evaluations: 10537914 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @91(0) pass quick on bridge0 inet proto icmp from any to <pfB_DNSBL_VIPs:2> icmp-type echoreq keep state label "USER_RULE: pfB_DNSBL_Ping auto rule" ridentifier 1770001239 [ Evaluations: 10079764 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @92(0) pass quick on ovpns1 inet proto icmp from any to <pfB_DNSBL_VIPs:2> icmp-type echoreq keep state label "USER_RULE: pfB_DNSBL_Ping auto rule" ridentifier 1770001239 [ Evaluations: 4358636 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @93(0) pass quick on bridge0 inet6 proto ipv6-icmp from any to <pfB_DNSBL_VIPs:2> icmp6-type echoreq keep state label "USER_RULE: pfB_DNSBL_Ping auto rule" ridentifier 1770001239 [ Evaluations: 10076593 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @94(0) pass quick on ovpns1 inet6 proto ipv6-icmp from any to <pfB_DNSBL_VIPs:2> icmp6-type echoreq keep state label "USER_RULE: pfB_DNSBL_Ping auto rule" ridentifier 1770001239 [ Evaluations: 4358636 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @95(0) pass quick on bridge0 inet proto tcp from any to <pfB_DNSBL_VIPs:2> port = http flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 10480375 Packets: 4521 Bytes: 534995 States: 0 ] [ Inserted: pid 22649 State Creations: 216 ] @96(0) pass quick on bridge0 inet proto tcp from any to <pfB_DNSBL_VIPs:2> port = https flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 114953 Packets: 1628676 Bytes: 338204593 States: 0 ] [ Inserted: pid 22649 State Creations: 60279 ] @97(0) pass quick on bridge0 inet proto udp from any to <pfB_DNSBL_VIPs:2> port = http keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 3404583 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @98(0) pass quick on bridge0 inet proto udp from any to <pfB_DNSBL_VIPs:2> port = https keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 641 Packets: 926 Bytes: 1083381 States: 0 ] [ Inserted: pid 22649 State Creations: 172 ] @99(0) pass quick on ovpns1 inet proto tcp from any to <pfB_DNSBL_VIPs:2> port = http flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 4368842 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @100(0) pass quick on ovpns1 inet proto tcp from any to <pfB_DNSBL_VIPs:2> port = https flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @101(0) pass quick on ovpns1 inet proto udp from any to <pfB_DNSBL_VIPs:2> port = http keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 36 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @102(0) pass quick on ovpns1 inet proto udp from any to <pfB_DNSBL_VIPs:2> port = https keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @103(0) pass quick on bridge0 inet6 proto tcp from any to <pfB_DNSBL_VIPs:2> port = http flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 6019251 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @104(0) pass quick on bridge0 inet6 proto tcp from any to <pfB_DNSBL_VIPs:2> port = https flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @105(0) pass quick on bridge0 inet6 proto udp from any to <pfB_DNSBL_VIPs:2> port = http keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 1645535 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @106(0) pass quick on bridge0 inet6 proto udp from any to <pfB_DNSBL_VIPs:2> port = https keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @107(0) pass quick on ovpns1 inet6 proto tcp from any to <pfB_DNSBL_VIPs:2> port = http flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 4359536 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @108(0) pass quick on ovpns1 inet6 proto tcp from any to <pfB_DNSBL_VIPs:2> port = https flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @109(0) pass quick on ovpns1 inet6 proto udp from any to <pfB_DNSBL_VIPs:2> port = http keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @110(0) pass quick on ovpns1 inet6 proto udp from any to <pfB_DNSBL_VIPs:2> port = https keep state label "USER_RULE: pfB_DNSBL_Permit auto rule" ridentifier 1770001466 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @111(0) block drop log quick on re0 inet from <pfB_PRI1_v4:16786> to any label "USER_RULE: pfB_PRI1_v4 auto rule" ridentifier 1770009047 [ Evaluations: 9770953 Packets: 29264 Bytes: 1420477 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @112(0) block drop log quick on re0 inet from <pfB_PRI2_v4:602> to any label "USER_RULE: pfB_PRI2_v4 auto rule" ridentifier 1770009071 [ Evaluations: 2818647 Packets: 60 Bytes: 3256 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @113(0) block drop log quick on re0 inet from <pfB_PRI4_v4:7327> to any label "USER_RULE: pfB_PRI4_v4 auto rule" ridentifier 1770009169 [ Evaluations: 2195318 Packets: 585 Bytes: 27783 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @114(0) block drop log quick on re0 inet from <pfB_SCANNERS_v4:1406> to any label "USER_RULE: pfB_SCANNERS_v4 auto rule" ridentifier 1770009095 [ Evaluations: 2194733 Packets: 659 Bytes: 33929 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @115(0) block drop log quick on re0 inet from <pfB_PRI3_v4:5471> to any label "USER_RULE: pfB_PRI3_v4 auto rule" ridentifier 1770009261 [ Evaluations: 2194074 Packets: 421 Bytes: 20478 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @116(0) block drop log quick on re0 inet from <pfB_DNSBLIP_v4:3625> to any label "USER_RULE: pfB_DNSBLIP_v4 auto rule" ridentifier 1770009014 [ Evaluations: 2193653 Packets: 14 Bytes: 720 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @117(0) block drop log quick on re0 inet6 from <pfB_PRI1_6_v6:79> to any label "USER_RULE: pfB_PRI1_6_v6 auto rule" ridentifier 1770009378 [ Evaluations: 2193640 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @118(0) block return log quick on bridge0 inet from any to <pfB_PRI1_v4:16786> label "USER_RULE: pfB_PRI1_v4 auto rule" ridentifier 1770004529 [ Evaluations: 10363794 Packets: 1095 Bytes: 59168 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @119(0) block return log quick on ovpns1 inet from any to <pfB_PRI1_v4:16786> label "USER_RULE: pfB_PRI1_v4 auto rule" ridentifier 1770004529 [ Evaluations: 4327634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @120(0) block return log quick on bridge0 inet from any to <pfB_PRI2_v4:602> label "USER_RULE: pfB_PRI2_v4 auto rule" ridentifier 1770004553 [ Evaluations: 8684716 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @121(0) block return log quick on ovpns1 inet from any to <pfB_PRI2_v4:602> label "USER_RULE: pfB_PRI2_v4 auto rule" ridentifier 1770004553 [ Evaluations: 4327629 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @122(0) block return log quick on bridge0 inet from any to <pfB_PRI4_v4:7327> label "USER_RULE: pfB_PRI4_v4 auto rule" ridentifier 1770004651 [ Evaluations: 8684716 Packets: 116 Bytes: 6104 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @123(0) block return log quick on ovpns1 inet from any to <pfB_PRI4_v4:7327> label "USER_RULE: pfB_PRI4_v4 auto rule" ridentifier 1770004651 [ Evaluations: 4327629 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @124(0) block return log quick on bridge0 inet from any to <pfB_SCANNERS_v4:1406> label "USER_RULE: pfB_SCANNERS_v4 auto rule" ridentifier 1770004577 [ Evaluations: 8684600 Packets: 75 Bytes: 3900 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @125(0) block return log quick on ovpns1 inet from any to <pfB_SCANNERS_v4:1406> label "USER_RULE: pfB_SCANNERS_v4 auto rule" ridentifier 1770004577 [ Evaluations: 4327629 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @126(0) block return log quick on bridge0 inet from any to <pfB_PRI3_v4:5471> label "USER_RULE: pfB_PRI3_v4 auto rule" ridentifier 1770004743 [ Evaluations: 8684525 Packets: 15 Bytes: 780 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @127(0) block return log quick on ovpns1 inet from any to <pfB_PRI3_v4:5471> label "USER_RULE: pfB_PRI3_v4 auto rule" ridentifier 1770004743 [ Evaluations: 4327629 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @128(0) block return log quick on bridge0 inet from any to <pfB_DNSBLIP_v4:3625> label "USER_RULE: pfB_DNSBLIP_v4 auto rule" ridentifier 1770004496 [ Evaluations: 8684510 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @129(0) block return log quick on ovpns1 inet from any to <pfB_DNSBLIP_v4:3625> label "USER_RULE: pfB_DNSBLIP_v4 auto rule" ridentifier 1770004496 [ Evaluations: 4327629 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @130(0) block return log quick on bridge0 inet6 from any to <pfB_PRI1_6_v6:79> label "USER_RULE: pfB_PRI1_6_v6 auto rule" ridentifier 1770004860 [ Evaluations: 10362493 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @131(0) block return log quick on ovpns1 inet6 from any to <pfB_PRI1_6_v6:79> label "USER_RULE: pfB_PRI1_6_v6 auto rule" ridentifier 1770004860 [ Evaluations: 4327634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @132(0) pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN wizard" ridentifier 1644648260 [ Evaluations: 10362493 Packets: 1110791 Bytes: 629329137 States: 2 ] [ Inserted: pid 22649 State Creations: 63 ] @133(0) pass in quick on openvpn inet6 all flags S/SA keep state label "USER_RULE: OpenVPN wizard" ridentifier 1644648260 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @134(0) pass in quick on re0 reply-to (re0 72.235.242.129) inet proto tcp from any to 192.168.141.6 port = 8888 flags S/SA keep state label "USER_RULE: NAT " ridentifier 1644455047 [ Evaluations: 10361830 Packets: 13195641 Bytes: 2286233292 States: 7 ] [ Inserted: pid 22649 State Creations: 71 ] @135(0) pass in quick on re0 reply-to (re0 72.235.242.129) inet proto tcp from any to 192.168.141.6 port = http flags S/SA keep state label "USER_RULE: NAT " ridentifier 1644455086 [ Evaluations: 11407 Packets: 1800441 Bytes: 1997118266 States: 7 ] [ Inserted: pid 22649 State Creations: 6111 ] @136(0) pass in quick on re0 reply-to (re0 72.235.242.129) inet proto tcp from any to 192.168.141.168 port = 9000 flags S/SA keep state label "USER_RULE: NAT " ridentifier 1644455196 [ Evaluations: 33849 Packets: 69 Bytes: 5192 States: 0 ] [ Inserted: pid 22649 State Creations: 4 ] @137(0) pass in quick on re0 reply-to (re0 72.235.242.129) inet proto udp from any to 192.168.141.192 port = 35001 keep state label "USER_RULE: NAT " ridentifier 1644455250 [ Evaluations: 668709 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @138(0) pass in quick on re0 reply-to (re0 72.235.242.129) inet proto tcp from any to 192.168.141.192 port = 35000 flags S/SA keep state label "USER_RULE: NAT " ridentifier 1644455312 [ Evaluations: 34087 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @139(0) pass in quick on re0 reply-to (re0 72.235.242.129) inet proto udp from any to 192.168.141.6 port = isakmp keep state label "USER_RULE: NAT " ridentifier 1644604136 [ Evaluations: 668709 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @140(0) pass in quick on re0 reply-to (re0 72.235.242.129) inet proto udp from any to 192.168.141.6 port = sae-urn keep state label "USER_RULE: NAT " ridentifier 1644604171 [ Evaluations: 1 Packets: 1 Bytes: 424 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @141(0) pass in quick on re0 reply-to (re0 72.235.242.129) inet proto udp from any to 72.235.242.139 port = openvpn keep state label "USER_RULE: OpenVPN wizard" ridentifier 1644648259 [ Evaluations: 634621 Packets: 1191422 Bytes: 705012623 States: 1 ] [ Inserted: pid 22649 State Creations: 6 ] @142(0) pass in quick on bridge0 inet from 192.168.141.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" ridentifier 100000101 [ Evaluations: 8838787 Packets: 208512363 Bytes: 54806913177 States: 1338 ] [ Inserted: pid 22649 State Creations: 1083286] @143(0) pass in quick on em2 inet all flags S/SA keep state label "USER_RULE" ridentifier 1644455365 [ Evaluations: 2824993 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 4 ] @144(0) pass in quick on em2 inet6 all flags S/SA keep state label "USER_RULE" ridentifier 1644455365 [ Evaluations: 1286921 Packets: 301664 Bytes: 57366951 States: 18 ] [ Inserted: pid 22649 State Creations: 31198 ] @145(0) pass in quick on em3 inet all flags S/SA keep state label "USER_RULE" ridentifier 1644455388 [ Evaluations: 3923741 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @146(0) pass in quick on em3 inet6 all flags S/SA keep state label "USER_RULE" ridentifier 1644455388 [ Evaluations: 496186 Packets: 5319607 Bytes: 697875659 States: 10 ] [ Inserted: pid 22649 State Creations: 161832] @147(0) pass in quick on ovpns1 reply-to (ovpns1 192.168.142.1) inet all flags S/SA keep state label "USER_RULE" ridentifier 1644730054 [ Evaluations: 3427299 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @148(0) pass in quick on ovpns1 reply-to (ovpns1 ::ffff:192.168.142.2) inet6 all flags S/SA keep state label "USER_RULE" ridentifier 1644730054 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @149(0) anchor "tftp-proxy/*" all [ Evaluations: 9184656 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ] @150(0) anchor "miniupnpd" all [ Evaluations: 9184656 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 22649 State Creations: 0 ]
pkg info -x pfSense
pfSense-2.5.2 pfSense-Status_Monitoring-1.7.11_3 pfSense-base-2.6.0 pfSense-default-config-2.6.0 pfSense-kernel-pfSense-2.6.0 pfSense-pkg-Shellcmd-1.0.5_2 pfSense-pkg-Status_Traffic_Totals-2.3.2_2 pfSense-pkg-System_Patches-1.2_7 pfSense-pkg-arping-1.2.2_2 pfSense-pkg-arpwatch-0.2.0_6 pfSense-pkg-bandwidthd-0.7.4_5 pfSense-pkg-nmap-1.4.4_2 pfSense-pkg-ntopng-0.8.13_10 pfSense-pkg-openvpn-client-export-1.6_4 pfSense-pkg-pfBlockerNG-devel-3.1.0_1 pfSense-pkg-suricata-6.0.4_1 pfSense-rc-2.6.0 pfSense-repo-2.6.0 pfSense-upgrade-1.0_12 php74-pfSense-module-0.72
Updated by Jim Pingle about 2 years ago
- Status changed from Incomplete to Not a Bug
From that pkg output I'm fairly certain your system was interrupted mid-upgrade and is not running a consistent state. Note that it has entries for items from both pfSense 2.5.2 and 2.6.0. The easiest resolution would be to take a backup and reinstall. Alternately you could force a reinstall of all packages using pkg upgrade -fy followed by a reboot, but that may not be as reliable.
Updated by Julian Kahumana about 2 years ago
The pkg upgrade and restart resolved the issue.
Thank you
Actions