How to see which firewall rule is allowing traffic

Hi all,

Is there a way to tell which firewall filter rule is allowing certain traffic to pass, other than adding a unique log prefix to every single rule, running a ping, and then checking the logs?

I am currently able to ping VPN clients from my main VLAN, which IS the behavior I want, but the firewall filter rule that I created to allow that behavior has zero hits on its packet counter. One of the rules higher up must be allowing the traffic to pass, and I can’t figure out which one.

Interestingly, if I set up traceroute with the same source and destination IP as the real world ping, traceroute times out with 100% packet loss. But if I run torch on the interface and then perform the actual ping, I can see the traffic.

Any thoughts on how to best see the interaction with the firewall rules?

Thanks

You have the byte counters per rule and the log. That is all there is to see whether a rule is matched!

Between the first “accept” rule and the last “drop all” you will need to refine the rules to capture/identify the traffic you are searching for…
What you can do is put the “drop all” rule up on the first line, then nothing should pass.
You move that rule down by one, do the test again. If traffic passes, the rule before the drop rule is the one you are searching for…
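A less disruptive variant of the counter check, added here as an example and not part of the thread: snapshot the per-rule packet counters, run the test ping, snapshot again, and diff the two. The snapshot text below is constructed, and its "index key=value ... packets=N bytes=N" layout is an assumption about the export format rather than verified output of any particular RouterOS version.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample snapshots (assumed terse layout, one rule per line).
BEFORE = """\
0 chain=forward action=accept comment="established" packets=90412 bytes=6012340
1 chain=forward action=accept comment="lan to vpn" src-address=192.0.2.0/24 packets=0 bytes=0
2 chain=forward action=accept comment="intended ping rule" dst-address=198.51.100.0/24 packets=0 bytes=0
3 chain=forward action=drop comment="drop all" packets=518 bytes=41440
"""
AFTER = """\
0 chain=forward action=accept comment="established" packets=90419 bytes=6013012
1 chain=forward action=accept comment="lan to vpn" src-address=192.0.2.0/24 packets=4 bytes=336
2 chain=forward action=accept comment="intended ping rule" dst-address=198.51.100.0/24 packets=0 bytes=0
3 chain=forward action=drop comment="drop all" packets=518 bytes=41440
"""

_LINE = re.compile(r'^(\d+)\s+(.*?)\s+packets=(\d+)\s+bytes=(\d+)\s*$')


def parse_counters(text: str) -> Dict[int, Tuple[str, int]]:
    """Map rule index -> (rule description, packet counter)."""
    rules: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            rules[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return rules


def rules_that_matched(before: str, after: str) -> List[Tuple[int, int, str]]:
    """(index, packet delta, description) for every rule whose packet counter
    grew between the snapshots, in rule order. Note that unrelated traffic
    (e.g. an established/related accept) also moves counters during the test."""
    b, a = parse_counters(before), parse_counters(after)
    return [(i, a[i][1] - b[i][1], a[i][0])
            for i in sorted(a) if i in b and a[i][1] > b[i][1]]


def likely_rule(before: str, after: str, sent: int) -> Optional[int]:
    """Heuristic: the first accept rule whose delta equals the number of test
    packets sent is the one that let the ping through."""
    for idx, delta, desc in rules_that_matched(before, after):
        if "action=accept" in desc and delta == sent:
            return idx
    return None
```

Send a known number of pings (here 4) between the two snapshots so the delta of the responsible rule stands out from background traffic.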