I have a "scrub all fragment reassemble" showing up on the first line of "pfctl -s rules". The rules are numbered from 0 (zero). Therefore I need to add 2 to the line number of the pfctl output to get the right rule.
The log entry

Sep 04 21:45:56.156323 rule 8/(match) pass in on fxp0: xxx.xxx.xxx.xxx.39665 > yyy.yyy.yyy.yyy.22: S 224562907:224562907(0) win 5840 <mss 1460,nop,wscale 0> (DF)

...corresponds to

# pfctl -s rules | sed -n '10p'
pass in log on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state

Andreas

On 06/09/05, Stephan A. Rickauer <[EMAIL PROTECTED]> wrote:
> My 'tcpdump -n -e -i pflog0' generates lines like these:
>
> 11:22:12.538707 rule 267/(match) block in on em0: 172.16.2.97.32790 >
> 225.4.5.6.6001: udp 341 [ttl 1]
>
> I am now trying to find out, what 'rule 267' should be and found posts
> regarding 'pfctl -s rules'. My problem is, that rule number 267 has
> absolutely nothing to do with the line logged above.
>
> pfctl -s rules | sed -e '1,266d' -e '268,$d':
>
> pass out log quick inet proto tcp from 172.16.2.178 port >= 1023 to
> <id431E1F62.2> port = 4899 keep state label "[RULE:18 - IF:global -
> ACTION:ACCEPT]"
>
> I couldn't find any detailed information about how pflog numbers the
> rules. Could anyone point me there?
>
> Thanks!
>
>
> --
>
> Stephan A. Rickauer
>
> ----------------------------
> Institut für Neuroinformatik
> Universität / ETH Zürich
> Winterthurerstrasse 190
> CH-8057 Zürich
>
> Tel: +41 44 635 30 50
> Sek: +41 44 635 30 52
> Fax: +41 44 635 30 53
>
> http://www.ini.ethz.ch
> ----------------------------
>
>

--
Andreas Kahari
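
Added example, not part of the original messages: the lookup described in the reply above, written as shell helpers that skip however many scrub lines head the listing instead of hard-coding the offset of 2. The function names, the sample rule listing and the sample log addresses are constructed; the code assumes, as the reply states, that leading scrub lines are not counted and that rule numbers start at 0.

```shell
#!/bin/sh
# Constructed pflog line in the format shown in the thread.
SAMPLE_LOG='Sep 04 21:45:56.156323 rule 8/(match) pass in on fxp0: 192.0.2.10.39665 > 192.0.2.1.22: S 224562907:224562907(0) win 5840 <mss 1460,nop,wscale 0> (DF)'

# Constructed stand-in for `pfctl -s rules` output: one scrub line, then rules 0..8.
sample_rules() {
    cat <<'EOF'
scrub in all fragment reassemble
block drop all
pass out quick on lo0 all
pass in quick on lo0 all
pass out on fxp0 proto tcp all flags S/SA keep state
pass out on fxp0 proto udp all keep state
pass out on fxp0 inet proto icmp all keep state
block in log on fxp0 proto udp all
pass in on fxp0 inet proto icmp all keep state
pass in log on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state
EOF
}

# Print the rule number from a tcpdump pflog line ("... rule 8/(match) ...").
pflog_rule_number() {
    printf '%s\n' "$1" | sed -n 's|.* rule \([0-9][0-9]*\)/.*|\1|p'
}

# Read a rule listing on stdin and print the rule with number $1.
# Exits non-zero when the listing has no rule with that number.
pflog_lookup_rule() {
    awk -v want="$1" '
        !started && /^scrub / { next }   # leading scrub lines are not counted
        { started = 1 }
        n++ == want { print; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Demo on the constructed data; on a live host use: pfctl -s rules | pflog_lookup_rule 8
sample_rules | pflog_lookup_rule "$(pflog_rule_number "$SAMPLE_LOG")"
```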