pflog problem

Mike Tancsa mike at sentex.net
Wed Sep 12 11:21:37 PDT 2007


On a box that got recently upgraded to current, I am having a problem 
reading from the pflog file.

Not sure what the "unknown" bits are, but I can't match hosts.

e.g. here are the last few entries in /var/log/pflog

[zoo]# tcpdump -ner /var/log/pflog | tail -10
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
13:43:33.182398 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 
<nop,nop,timestamp 2776712857 2692640929>
13:43:35.622474 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 
<nop,nop,timestamp 2776713101 2692640929>
13:43:40.501939 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 
<nop,nop,timestamp 2776713589 2692640929>
13:43:43.279628 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: . ack 1 win 5840 
<nop,nop,timestamp 2776713866 2692640929>
13:43:50.262294 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 
<nop,nop,timestamp 2776714565 2692640929>
13:44:09.783308 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 
<nop,nop,timestamp 2776716517 2692640929>
13:44:48.823375 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 
<nop,nop,timestamp 2776720421 2692640929>
13:46:06.904224 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 
<nop,nop,timestamp 2776728229 2692640929>
13:50:29.020966 rule 7/0(match): block unkn(255) on rl0: 
207.231.228.166.31047 > 64.7.141.9.1026: UDP, length 365
13:52:25.229899 rule 7/0(match): block unkn(255) on rl0: 
64.7.128.102.55203 > 64.7.141.9.23: S 623064939:623064939(0) win 
65535 <mss 1460,nop,wscale 1,nop,nop,times


Should not the command

[zoo]# tcpdump -ner /var/log/pflog host 60.12.128.147
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
[zoo]#

match some of the above entries?

I see the same issue on pflog0

[zoo]# tcpdump  -nei pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture 
size 96 bytes
13:58:38.138472 rule 7/0(match): block unkn(255) on rl0: 
64.7.128.102.60319 > 64.7.141.9.23: [|tcp]
^C
1 packets captured
1 packets received by filter
0 packets dropped by kernel
[zoo]# tcpdump -nei pflog0 host 64.7.128.102
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture 
size 96 bytes


I should see entries on the second tcpdump of pflog0, but it too does 
not filter it correctly.

It is hitting the rule

block  in log on $ext_if all

         ---Mike


--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike at sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
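Added example, not from the post above and not FreeBSD or tcpdump code: a small Python reader for DLT_PFLOG captures that does the host match on the IP header itself, so records whose pflog address family is written as unkn(255) are still found (libpcap's `host` primitive on this link type tests the af byte of the pflog header first, which is why the filters in the post return nothing). The 64-byte `struct pfloghdr` layout with big-endian fields, the action/direction constants and the sample capture are assumptions constructed here; IPv6 records are not handled.

```python
import socket
import struct

DLT_PFLOG = 117
AF_INET, AF_UNKNOWN = 2, 255   # PFLOG uses OpenBSD af numbering; 255 is the "unkn" tcpdump prints
# struct pfloghdr as assumed here: 64 bytes, multi-byte fields in network byte order
PFLOG_HDR = struct.Struct("!BBBB16s16sIIIIIIB3x")
PCAP_GLOBAL = struct.Struct("<IHHiIII")   # little-endian classic pcap file header
PCAP_REC = struct.Struct("<IIII")

def parse_pflog_pcap(data):
    """Yield one dict per pflog record in a little-endian DLT_PFLOG pcap."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != DLT_PFLOG:
        raise ValueError("not a little-endian DLT_PFLOG pcap")
    off = PCAP_GLOBAL.size
    while off < len(data):
        ts_sec, ts_usec, incl_len, _ = PCAP_REC.unpack_from(data, off)
        off += PCAP_REC.size
        frame, off = data[off:off + incl_len], off + incl_len
        (_, af, action, _, ifname, _, rulenr, *_, direction) = PFLOG_HDR.unpack_from(frame, 0)
        payload = frame[PFLOG_HDR.size:]
        src = dst = None
        # libpcap's 'host' primitive on DLT_PFLOG tests this af byte first, so a
        # record tagged 255 never matches.  Key on the IP version nibble instead.
        if af == AF_INET or (af == AF_UNKNOWN and payload and payload[0] >> 4 == 4):
            src, dst = socket.inet_ntoa(payload[12:16]), socket.inet_ntoa(payload[16:20])
        yield {"ts": ts_sec + ts_usec / 1e6, "af": af, "action": action, "dir": direction,
               "ifname": ifname.rstrip(b"\0").decode(), "rulenr": rulenr, "src": src, "dst": dst}

def match_host(records, host):
    """Equivalent of 'tcpdump ... host X' that survives af=255 records."""
    return [r for r in records if host in (r["src"], r["dst"])]

def _ipv4_tcp(src, dst, sport, dport):
    """Minimal constructed IPv4+TCP (FIN/ACK, win 5840) payload; checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 1, 0x50, 0x11, 5840, 0, 0)

def _record(af, rulenr, payload):
    """One pcap record: pflog header (action 1 = block, dir 1 = in, ifname rl0) + payload."""
    frame = PFLOG_HDR.pack(61, af, 1, 0, b"rl0", b"", rulenr, 0, 0, 0, 0, 0, 1) + payload
    return PCAP_REC.pack(1189629813, 182398, len(frame), len(frame)) + frame

# Constructed sample capture: one record logged with af=255 (as in the report), one with af=2
SAMPLE_PCAP = (PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 96, DLT_PFLOG)
               + _record(AF_UNKNOWN, 4, _ipv4_tcp("60.12.128.147", "64.7.141.9", 4256, 22))
               + _record(AF_INET, 7, _ipv4_tcp("64.7.128.102", "64.7.141.9", 55203, 23)))
```

Run `match_host(parse_pflog_pcap(open("/var/log/pflog", "rb").read()), "60.12.128.147")` against a real pflog file written on a little-endian host to list the blocked records tcpdump's filter misses.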


