Firewall Logs

From pfSense Documentation
Jump to: navigation, search

The Firewall logs at Status > System Logs on the Firewall tab show all events logged by the firewall. By default, this includes connections blocked by the default deny rule.

How to Read the Logs

Each entry is displayed with the action ("pass" pass or "block" block, reject is only logged as block), time, interface, source, destination, and protocol.

The action icon depicts the action taken on the connection. "block" indicates a block action, "pass" indicates a pass action. Hover over the link for a text description if the meaning of the icon is not clear. Clicking on the action icon will produce a box that shows which rule caused the action. Using the Settings tab, these rule descriptions may also be shown in a separate column of the rules, or on a second line.

The "log" icon next to the source and destination addresses will run the IP address through the DNS Lookup page and attempt to resolve it into a hostname via DNS.

The "block+add" icon next to the source address will add a full block for traffic coming from that IP address via Easy Rule. The "pass+add" icon next to the destination address also invokes Easy Rule, and will add a pass rule for traffic of this protocol, going from the source IP address to the destination IP address on the destination port.

If the logged entry is from a TCP connection, the TCP flags may also be displayed. For more information, see What are TCP Flags?.

See also

Firewall Log Dynamic View

The dynamic firewall log view works like the normal Firewall Logs view except it is updated every few seconds using AJAX.

Firewall Log Summary View

The firewall log summary view produces pie charts which summarize the log data. Each item is listed with a chart and a table containing the top five entries in the chart, and "other".

Summarized data includes actions, interfaces, protocols, source IPs, destination IPs, source ports, and destination ports.

The full content of the log is used to summarize the data, not just the part displayed in the Firewall Logs view.

Disable Default Block Logging

To disable logging of blocked packets from the default deny rule, go to to Status > System Logs, Settings tab, then uncheck Log packets blocked by the default rule and Click Save.