[OpenBSD] pf tips

Find a rule match

Say you believe a port is only open to a specific source IP, yet connections from elsewhere get through: somewhere in the ruleset a rule opens it wider than you intended. How do you find that rule?

First, establish a connection from the IP you want to test:

test-host ~ $ nc -v 91.216.209.157 21

Then, on the firewall, list the states created from that source IP (the -vvv output includes the number of the rule that created each state):

fw5:~# pfctl -vvv -ss | grep -A3 78.192.224.148
all tcp 91.216.209.157:21 <- 78.192.224.148:56272       ESTABLISHED:ESTABLISHED
   [899608849 + 29200] wscale 7  [1508798648 + 5889] wscale 4
   age 00:00:41, expires in 04:59:19, 3:2 pkts, 164:164 bytes, rule 72
   id: 5565c647ffd1505e creatorid: 410e4752

The state was created by rule number 72 of the currently loaded ruleset.

Find a rule by its number

When running tcpdump on the pflog interface, matches are reported by rule number rather than by rule text. To find the corresponding rule, list the loaded ruleset with its numbers (-g prefixes each rule with @N) and filter on the exact number; anchor the pattern so that @72 does not also match @720:

fw3:~# pfctl -sr -g | grep '^@72 '

Rule numbers are assigned when the ruleset is loaded and change on every reload with pfctl -f, so compare against the ruleset currently in the kernel, not against an older copy of pf.conf. Rules inside an anchor are numbered within that anchor; list them with pfctl -a <anchor> -sr -g.
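The two lookups above (states for a source IP, then the rule text by number) chained into one script, as an added example that is not part of the original page or of OpenBSD. The script name pf_find_rule and the sample state and rule dumps are constructed for illustration; it assumes the output formats of pfctl -vvss and pfctl -gsr shown above.

```shell
#!/bin/sh
# pf_find_rule: from a source IP to the rule that let it in.
# Chains the two lookups above: states for the IP -> rule numbers -> rule text.
# Hypothetical helper script, not part of OpenBSD or pfctl. Run as root on the firewall.
# The two parsing helpers read pfctl output on stdin, so they also work on saved dumps.

# Print the numbers (deduplicated) of the rules that created states involving IP.
# Input: 'pfctl -vvss' output. IPv4 only: the address is matched as "addr:" so that
# 78.192.224.14 does not also match 78.192.224.148.
state_rules_for_ip() {
    awk -v ip="$1" '
        # A state entry starts in column 1 ("all tcp ... <- ..."); the indented
        # continuation lines that follow belong to that entry.
        /^[^ ]/ { hit = index($0, ip ":") > 0 }
        hit && /rule [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "rule") print $(i + 1)
        }
    ' | sort -un
}

# Print the rule numbered N from a 'pfctl -gsr' listing (each rule is prefixed "@N").
# Exact match on the first field, so 72 does not return @720.
rule_by_number() {
    awk -v n="$1" '$1 == "@" n'
}

# Live lookup on the firewall: both pfctl calls need root.
pf_find_rule() {
    ip="$1"
    states=$(pfctl -vvss) || return 1
    rules=$(pfctl -gsr) || return 1
    printf '%s\n' "$states" | state_rules_for_ip "$ip" | while read -r n; do
        printf '%s\n' "$rules" | rule_by_number "$n"
    done
}

# Constructed sample dumps (not real firewall output) so the helpers can be tried anywhere.
SAMPLE_STATES='all tcp 91.216.209.157:21 <- 78.192.224.148:56272       ESTABLISHED:ESTABLISHED
   [899608849 + 29200] wscale 7  [1508798648 + 5889] wscale 4
   age 00:00:41, expires in 04:59:19, 3:2 pkts, 164:164 bytes, rule 72
   id: 5565c647ffd1505e creatorid: 410e4752
all tcp 91.216.209.157:22 <- 78.192.224.14:40100       ESTABLISHED:ESTABLISHED
   [1 + 1] wscale 7  [2 + 2] wscale 4
   age 00:01:00, expires in 04:58:00, 5:5 pkts, 300:300 bytes, rule 12
   id: 0000000000000001 creatorid: 410e4752'
SAMPLE_RULES='@12 pass in quick on em0 proto tcp from 78.192.224.0/24 to any port = 22 flags S/SA
@72 pass in quick on em0 proto tcp from any to 91.216.209.157 port = 21 flags S/SA
@720 block drop in on em0 all'

# Usage on the firewall: sh pf_find_rule.sh 78.192.224.148
if [ $# -gt 0 ] && command -v pfctl >/dev/null 2>&1; then
    pf_find_rule "$1"
fi
```

The helpers are deliberately split from the pfctl calls: when an incident is over, the same parsing can be run against a saved `pfctl -vvss` dump instead of the live firewall.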

Purge a 'stuck' rule

When a relayd failover goes wrong, you can be left with a 'stuck' rule in one of the anchors relayd manages under relayd/. To list them all (quote the glob so the shell does not expand it):

fw3:~# pfctl -a 'relayd/*' -s rules

Find the anchor holding the stale rule, then flush it manually (this removes every rule in that anchor, not a single rule):

fw3:~# pfctl -a relayd/foobar_https -F rules

Flushing rules does not remove the states those rules already created; existing connections keep flowing until their states expire or are killed with pfctl -k.