Packet Filter alerting system.

Tim Hogan tim at hoganzoo.com
Thu Sep 17 19:30:27 UTC 2009



Tom Uffner wrote:
> Gaurav Ghimire wrote:
>> Just curious to know if we have something, some alerting system or
>> mechanism that provides the administrator with the daily reports that
>> pf itself or some other
>> tool collects on pf's behalf.
>>
>> That probably reports the admin of:
>> ~ Total connection counts matched on each rulesets.
>> ~ Total number of counts matched on deny rules.
>
> /etc/periodic/security/520.pfdenied
>
> it should be enabled by default if you haven't done anything unnatural to
> the /etc/periodic system
>
>> ~ IP/Port attack logs and relatives.
>
> only if you specify "log" in one or more of your pf rules, in which
> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
> /var/log/pf.{today,yesterday}
>
> tom
>
Not sure if this will help but I have added the following line to
/etc/periodic/security/520.pfdenied

pfctl -sr -v | grep -v "Inserted:" | awk '/^[apb]/ { printf "\n%s\n", $0 } $0 !~ /^[apb]/' | mailx -s "Daily PF Hit Report" root

This will produce something like the following for each rule that you have:

pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 560355    Packets: 46        Bytes: 4058        States: 0     ]

The downside is that the numbers will increment from the last time PF
was restarted, not from the previous day.

Regards,
Tim
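The counter-since-reload limitation Tim mentions can be worked around by keeping yesterday's numbers and subtracting them. The script below is an added example, not code from Tim's message or from FreeBSD's periodic scripts: it parses `pfctl -sr -v` output (the sample output embedded in it is constructed, including the "Inserted:" lines), stores a JSON snapshot between runs, and reports per-rule deltas. A counter that went backwards means pf was reloaded in between, so that rule is reported with its raw value and flagged rather than producing a negative number. The state file path `/var/db/pf-hit-report.json` is an assumption.

```python
"""Added example: turn `pfctl -sr -v` counters into a hits-since-last-run report.

pf's per-rule counters accumulate from the last pf reload, so to report
"hits since yesterday" the script keeps a JSON snapshot of the previous
run and subtracts it. A counter that went backwards means pf was
reloaded in between; the rule is then reported with its raw value and
flagged so the reader knows the window is shorter than a day.
"""
import json
import os
import re
import subprocess

# Counters that only grow between reloads. "States" is a gauge (current
# state-table entries), so it is shown but never differenced.
COUNTERS = ("evaluations", "packets", "bytes")

# Constructed sample of `pfctl -sr -v` output; not captured from a real host.
SAMPLE_OUTPUT = """\
pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 560355    Packets: 46        Bytes: 4058        States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 12    ]
block drop in log on vr0 inet from any to any
  [ Evaluations: 560355    Packets: 1021      Bytes: 81680       States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
"""

STATS_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)


def parse_rules(text):
    """Pair each rule line (column 0) with the indented stats line that follows it.
    Returns a list of (rule_text, {"evaluations", "packets", "bytes", "states"})."""
    rules = []
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.strip()  # a new rule starts at column 0
            continue
        m = STATS_RE.search(line)
        if m and current is not None:
            values = dict(zip(COUNTERS + ("states",), map(int, m.groups())))
            rules.append((current, values))
    return rules


def snapshot(rules):
    """Dict keyed by rule text, suitable for JSON storage between runs."""
    return {rule: stats for rule, stats in rules}


def delta(previous, rules):
    """Hits since the previous snapshot. status is "ok" (difference is valid),
    "new" (rule not in the snapshot) or "reset" (a counter went backwards,
    i.e. pf was reloaded; raw values are reported instead of a difference)."""
    report = []
    for rule, stats in rules:
        prev = previous.get(rule)
        if prev is None:
            status = "new"
        elif any(stats[k] < prev[k] for k in COUNTERS):
            status = "reset"
        else:
            status = "ok"
        counts = {k: (stats[k] - prev[k] if status == "ok" else stats[k]) for k in COUNTERS}
        report.append({"rule": rule, "status": status, "states": stats["states"], **counts})
    return report


def format_report(report):
    """Plain-text body in the spirit of the original one-liner, one rule per block."""
    lines = []
    for r in report:
        flag = "" if r["status"] == "ok" else "  (%s: counters not differenced)" % r["status"]
        lines.append(r["rule"] + flag)
        lines.append("  [ Evaluations: %d  Packets: %d  Bytes: %d  States: %d ]"
                     % (r["evaluations"], r["packets"], r["bytes"], r["states"]))
        lines.append("")
    return "\n".join(lines)


def run(output, state_file):
    """Produce the report for `output` and roll the snapshot forward on disk."""
    previous = {}
    if os.path.exists(state_file):
        with open(state_file) as f:
            previous = json.load(f)
    rules = parse_rules(output)
    report = delta(previous, rules)
    with open(state_file, "w") as f:
        json.dump(snapshot(rules), f)
    return report


if __name__ == "__main__":
    # On a pf host: pipe this into `mailx -s "Daily PF Hit Report" root`
    # from 520.pfdenied. The state file path is an assumption.
    out = subprocess.run(["pfctl", "-sr", "-v"], capture_output=True, text=True, check=True).stdout
    print(format_report(run(out, "/var/db/pf-hit-report.json")))
```

Rules are keyed by their full text, so editing a rule (or reordering rules so a different rule takes its text) shows up as "new" rather than as a misleading delta; the "reset" case is the one Tim describes, and it is flagged in the report body instead of silently producing a negative count.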
