On Tue, Feb 13, 2024 at 08:29:59AM +0000, jonathon575 wrote:
> Kindly find below log entries generated from tcpdump of the pflog. This is a 
> fresh install & updated openbsd 7.4, with bare-minimum installation 
> configured for a firewall. There are no x* programs installed.
> 
> Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0xdd6a56bc
> Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x963acc89
> Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x93d9508d
> Feb 11 18:09:56.835383 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x112cf65b
> Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x639ed21a
> Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0xb2fcd9b8
> Feb 11 18:29:33.658140 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x8ae84cca
> Feb 11 18:29:33.658808 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0xcbb881b7
> Feb 11 18:29:33.659165 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x612a28f8
> Feb 11 18:29:33.659416 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x49f595ec
> 
> wan-ip is my wan static ip address.
> 
> What does [wg] mean? What does "initiation from 0xdd6a56bc", etc., mean? 

These log entries mean that your system blocked attempts from 69.166.225.73 
to access whatever wan-ip is. 

Your system recognized the traffic as attempts to initiate a WireGuard 
connection (a sort of vpn, see https://man.openbsd.org/wg and links 
therein). The attempts were blocked.

The rest of your questions can be answered relatively easily by familiarizing 
yourself with the tools at hand, such as the tcpdump you have already 
encountered. Do read up on how syslog classifies messages and how to report 
which levels and so forth. 

Some of the things you mention may require specialized tools, but please 
invest some time in learning to properly interpret the output of the basic 
tools first.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

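As an added example (not from the thread and not part of OpenBSD's tools): a small Python parser for tcpdump-of-pflog lines in the layout quoted above, which picks out the blocked `[wg] initiation` entries and summarizes them per source address, counting distinct sender indices and the largest number of initiations landing inside a one-second window. The sample lines are constructed (RFC 5737 addresses, made-up indices); the line layout assumes the OpenBSD 7.4 tcpdump output shown in the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One tcpdump-of-pflog line: stamp, rule, action, direction, interface, src.port > dst.port, payload
PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\d*\(match\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<payload>.*)$"
)
# "[wg] initiation from 0x<index>" is tcpdump's rendering of the first WireGuard
# handshake message; the hex value is the 32-bit sender index chosen for that attempt.
WG_INIT_RE = re.compile(r"\[wg\] initiation from 0x(?P<sender>[0-9a-fA-F]{1,8})")

# Constructed sample in the shape of the quoted entries (RFC 5737 addresses, made-up indices).
SAMPLE_LOG = """\
Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 192.0.2.10.51820 > wan-ip.60360: [wg] initiation from 0x0a1b2c3d
Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 192.0.2.10.51820 > wan-ip.60360: [wg] initiation from 0x1f2e3d4c
Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 192.0.2.10.51820 > wan-ip.60360: [wg] initiation from 0x5566aabb
Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 192.0.2.10.51820 > wan-ip.60360: [wg] initiation from 0x77cc00dd
Feb 11 18:30:01.000000 rule 14/(match) block in on re0: 198.51.100.7.51820 > wan-ip.60360: [wg] initiation from 0x99887766
Feb 11 18:30:02.000000 rule 3/(match) pass in on re0: 203.0.113.5.443 > wan-ip.12345: S 1:1(0) win 64240
"""

def parse_pflog_line(line):
    """Return the line's fields as a dict, or None if it is not a pflog line."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog-style stamps carry no year; strptime fills in 1900, fine for intervals in one capture
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S.%f")
    wg = WG_INIT_RE.search(rec["payload"])
    rec["wg_sender"] = wg.group("sender").lower() if wg else None
    return rec

def summarize_wg_initiations(text, window=timedelta(seconds=1)):
    """Per source: blocked WireGuard initiations, distinct sender indices, max inside one window."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block" and rec["wg_sender"]:
            by_src[rec["src"]].append(rec)
    summary = {}
    for src, recs in by_src.items():
        times = sorted(r["time"] for r in recs)
        burst = max(sum(1 for u in times if t <= u <= t + window) for t in times)
        summary[src] = {"initiations": len(recs), "max_in_window": burst,
                        "distinct_sender_indices": len({r["wg_sender"] for r in recs})}
    return summary
```

The roughly 5 s spacing of the first four quoted entries is WireGuard's normal handshake retry interval; the six entries within 3 ms at 18:29:33 are the kind of run the `max_in_window` counter flags.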