selective logging of what pf is rejecting?

Huzeyfe Onal huzeyfe.onal at gmail.com
Fri Sep 9 23:19:18 PDT 2005


Hi,
Do you see the packets with tcpdump using the -i $ext_if option?


#tcpdump -ttt -n -i rl0 icmp   (for ICMP packets)

2005/9/9, bob self <bobself at charter.net>:
> Max Laier wrote:
> 
> >On Friday 09 September 2005 21:17, Huzeyfe Onal wrote:
> >
> >
> >>hi,
> >>you can use tcpdump to watch pf action, why it drops or accepts packets.
> >>
> >>try to use
> >>tcpdump -i pflog0 -e
> >>
> >>
> >
> >right.
> >
> >
> >
> >>ps: pflogd must be running... also read
> >>http://www.openbsd.com/faq/pf/logging.html
> >>
> >>
> >
> >wrong.  pflogd just records the log data to disk, no need to watch the
> >livefeed.
> >
> >
> >
> >>2005/9/9, bob self <bobself at charter.net>:
> >>
> >>
> >>>My pf.conf file looks something like this
> >>>
> >>>block in all
> >>>block out all
> >>>pass quick on lo0 keep state
> >>>antispoof for $ext_if
> >>>
> >>>pass in on $ext_if from <goodguys> to any keep state
> >>>pass in log on $ext_if proto tcp from any to $ext_if port 80 flags S/SA
> >>>keep state label "www"        #apache
> >>>block in on $ext_if from <badguys> to any
> >>>
> >>>pass out on $ext_if proto tcp from any to any flags S/SA keep state    #
> >>>allow any tcp setup out
> >>>pass out on $ext_if proto udp all keep state                # allow any
> >>>udp out
> >>>
> >>>pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state    #
> >>>allow echo request in or out, (man pf.conf:1618)
> >>>
> >>>
> >>>Is there a way I can turn on (temporarily) logging of what pf is not
> >>>allowing to come in? Also, is there a real-time tool that
> >>>will let you watch what pf is blocking from coming in?
> >>>
> >>>How could you just log what pf allows to get through?
> >>>
> >>>
> >
> >You can use pcap filters to get only info you are interested in.  See
> >tcpdump(1)::ifname ff.  ... the "action" filter might be of special interest
> >for your question.
> >
> >
> >
> I guess that my question is really where do I put the 'log' word(s) in
> pf.conf to be able to do this.
> I tried adding 'log' to everything in my pf.conf to see pinging from the
> outside and using tcpdump I don't see anything.
> I'm using tcpdump like this:
> 
> tcpdump -l -n -e -ttt -i pflog0
> 
> 
> 


-- 
Huzeyfe ÖNAL  
---
First Turkish Qmail book is out! Go check it.
Did you hear! Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/
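One way to do what the quoted thread is after, as an added example that is not part of the original thread and not pf's or FreeBSD's own tooling: a small sh script that puts the `log` keyword into every `block` rule of a pf.conf fragment (a rule only produces pflog0 records if it carries `log`; pflogd is not needed for live watching, as Max Laier notes above) and then builds the tcpdump command that shows only what pf dropped on the way in, using the pflog-specific `action` and `on` pcap qualifiers from tcpdump(1). The pf.conf text below is a constructed sample modelled on the quoted one, the interface name rl0 is taken from the message above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): make pf's block rules log, then watch
# only the blocked inbound packets on pflog0.

# Constructed pf.conf fragment modelled on the one quoted in the thread.
SAMPLE_PFCONF='block in all
block out all
pass quick on lo0 keep state
block in on $ext_if from <badguys> to any
pass in log on $ext_if proto tcp from any to $ext_if port 80 flags S/SA keep state label "www"'

# add_log_to_blocks: insert "log" into every block rule that lacks it.
# pf grammar puts log right after the direction ("block in log ..."),
# or right after "block" when no direction is given ("block log all").
# Rules that already carry log are left alone, so running it twice is safe.
add_log_to_blocks() {
    printf '%s\n' "$1" | awk '
        $1 == "block" && $2 != "log" {
            if ($2 == "in" || $2 == "out") {
                if ($3 != "log") $2 = $2 " log"
            } else {
                $1 = "block log"
            }
        }
        { print }
    '
}

# blocked_inbound_cmd IFACE: tcpdump invocation that decodes pflog0 and keeps
# only records where pf's action was "block" for packets arriving on IFACE.
# "action", "on" and "inbound" are pflog filter qualifiers in tcpdump(1);
# -e prints the pflog header (rule number, action, interface, direction).
blocked_inbound_cmd() {
    printf 'tcpdump -n -e -ttt -i pflog0 action block and inbound and on %s\n' "$1"
}

# Show the rewritten rules and the command to watch the drops.
add_log_to_blocks "$SAMPLE_PFCONF"
echo "# after 'pfctl -f /etc/pf.conf', watch only what pf drops on the way in:"
blocked_inbound_cmd rl0
```

After loading the rewritten rules with `pfctl -f /etc/pf.conf`, the printed tcpdump line shows only the blocked inbound packets; swapping `action block` for `action pass` answers the second question in the thread (logging only what pf lets through), and adding `and icmp` narrows it to the pings being tested.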

