Log tag

Bill Marquette bill.marquette at gmail.com
Tue Apr 4 17:23:01 UTC 2006


On 4/4/06, husnu demir <hdemir at metu.edu.tr> wrote:
>
> On Tue, Apr 04, 2006 at 08:10:30AM -0500, Bill Marquette wrote:
> > On 4/4/06, Bill Marquette <bill.marquette at gmail.com> wrote:
> > > On 4/4/06, N. Ersen SISECI <siseci at gmail.com> wrote:
> > > >
> > > >
> > > > Hi,
> > > >
> > > > Is it possible to label the log entries?
> > > > We can do it in IPF with set-tag (log=48).
> > > > Is there a similar method in PF?
> > > >
> > > >
> > > > IPF Rule:
> > > > pass in log first quick on bge0 proto tcp from any to 10.1.2.3 port = 22
> > > > flags S/SA keep state keep frags set-tag (log=110)
> > > >
> > > > IPF Log entry:
> > > > 04/04/2006 09:26:00.982095 bge0 @0:3 p 10.1.2.3,57221 ->
> > > > 192.168.90.12,22 PR tcp len 20 64 -S K-S K-F OUT log-tag 110
> > >
> > > The "label" keyword is what you want (and gives you a plain text
> > > description instead of number?!?!?! ouch).
> > >
> > > pass in log from foo to bar label "foo to bar rule"
> >
> > It's early...this was incorrect advice.  The labels only show in pfctl
> > -sr, not in /dev/pflog0.  I'm not sure if there's a way to make this
> > show up in /dev/pflog0.
>
>
> Does "tcpdump -ttt -e -i pflog0 -n" show the rule number? So this may be used as a label :) At least I have gotten used to that info extensively.

It does and can be used for correlation (in conjunction with pfctl
-sr)...up until the rules change :)  But outside of (relatively easy)
scripting, the info isn't supplied in a single place.

--Bill
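An added example (not from the thread, and not pf's own tooling) of the "relatively easy scripting" Bill mentions: a POSIX sh script that joins the `rule N/M(match)` field printed by `tcpdump -n -e -ttt -i pflog0` to the `@N` numbered rules, and their `label` strings, printed by `pfctl -vvsr`. The rule set and log lines below are constructed samples in those two formats; because rule numbers shift whenever the ruleset is reloaded, both snapshots must come from the same ruleset load for the correlation to be valid.

```shell
#!/bin/sh
# Added example: map pflog rule numbers back to pfctl rule labels.

# Constructed sample of `pfctl -vvsr` output; "@N" is the rule number.
RULES='@0 scrub in all fragment reassemble
@1 block drop in log all label "default-deny"
@2 pass in log quick on bge0 proto tcp from any to 10.1.2.3 port = 22 flags S/SA keep state label "ssh-in"
@3 pass out log on bge0 all flags S/SA keep state label "outbound"'

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output.
# Rule 7 is deliberately absent from RULES to show a stale-snapshot case.
LOG='000000 rule 2/0(match): pass in on bge0: 10.9.8.7.57221 > 10.1.2.3.22: S
000012 rule 1/0(match): block in on bge0: 10.9.8.7.40001 > 10.1.2.3.23: S
000030 rule 7/0(match): pass out on bge0: 10.1.2.3.55000 > 192.0.2.1.80: S'

# label_for N: print the label of rule @N, "<no label>" if the rule has
# none, or "<unknown rule>" if @N is not in the snapshot (ruleset changed).
label_for() {
    printf '%s\n' "$RULES" | awk -v n="$1" '
        $1 == ("@" n) {
            if (match($0, /label "[^"]*"/))
                print substr($0, RSTART + 7, RLENGTH - 8)
            else
                print "<no label>"
            found = 1
        }
        END { if (!found) print "<unknown rule>" }'
}

# annotate: prefix every pflog line with the label of the rule that matched.
annotate() {
    printf '%s\n' "$LOG" | while IFS= read -r line; do
        n=$(printf '%s\n' "$line" | sed -n 's|.*rule \([0-9]*\)/.*|\1|p')
        printf '[%s] %s\n' "$(label_for "$n")" "$line"
    done
}

annotate
```

On a live system, replace the two constructed variables with `pfctl -vvsr` and `tcpdump -n -e -ttt -r pflog.pcap` captured together.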

