Filtering on a sensor dedicated interface

Nicolas GRENECHE nicolas.greneche at gmail.com
Tue May 10 17:13:12 UTC 2011


Hi,

We are currently experimenting with a way of capturing packets from supposedly
compromised hosts with PF.
So my question may seem a bit odd.

I have two interfaces em0 and em1 connected to a network TAP.

Running tcpdump on each shows me dumped packets, no problem.

Those two interfaces are configured like this in rc.conf:

ifconfig_em0="promisc -arp up"
ifconfig_em1="promisc -arp up"

Loading rules:

sondedi# pfctl -f /etc/pf.conf.local
No ALTQ support in kernel
ALTQ related functions disabled

Showing rules:

sondedi# pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
pass log on em0 inet from any to X.X.X.X no state
pass log on em1 inet from any to X.X.X.X no state

Now if I try to ssh to X.X.X.X, the pflog interface says nothing:

sondedi# tcpdump -netti pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes

Rule doesn't seem to be matched.

But a tcpdump tells everything:

sondedi# tcpdump -netti em0 dst port 22 and dst host X.X.X.X
tcpdump: WARNING: em0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
SOME PACKETS ...

According to tcpdump, packets seem to go through the interface. Why doesn't
pf see them?

Regards,
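The first thing to check in a situation like the one above is whether PF evaluates the rules at all: `pfctl -vs rules` prints a counter line under each rule, and a rule with zero Evaluations means no packet reached the ruleset (the problem is below PF), while a rule with Evaluations but zero Packets means PF saw traffic but the rule did not match it. PF hooks in through pfil(9) at the IP layer, whereas tcpdump reads from BPF at the link layer; a promiscuous interface hands frames that are not addressed to its own MAC to BPF but does not pass them up to IP input, so the two tools can disagree exactly as in the post. The following parser is an added example, not code from the post or from the FreeBSD project; the counter output it consumes is a constructed sample in the `pfctl -vs rules` format, with assumed counter values.

```python
"""Classify rules from `pfctl -vs rules` output by their evaluation counters.

Added example: the sample below is constructed, mirroring the two `pass log`
rules in the post plus two extra rules with assumed counters for contrast.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_OUTPUT = """\
pass log on em0 inet from any to X.X.X.X no state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
pass log on em1 inet from any to X.X.X.X no state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
block in on em0 proto tcp from any to any port 23
  [ Evaluations: 17        Packets: 0         Bytes: 0           States: 0     ]
pass in on lo0 all
  [ Evaluations: 42        Packets: 42        Bytes: 3360        States: 0     ]
"""

# Counter line printed by pfctl -v under every rule.
COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)


@dataclass
class RuleStats:
    rule: str
    evaluations: int
    packets: int
    bytes: int
    states: int


def parse_rule_stats(text: str) -> List[RuleStats]:
    """Pair each column-0 rule line with the indented counter line that follows it."""
    stats: List[RuleStats] = []
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            stats.append(RuleStats(current, *(int(x) for x in m.groups())))
            current = None
        elif not line.startswith(" "):
            # A new rule; other indented lines (e.g. "[ Inserted: ... ]") are skipped.
            current = line.strip()
    return stats


def never_evaluated(stats: List[RuleStats]) -> List[str]:
    """Rules PF never evaluated: packets are not reaching pfil on that interface."""
    return [s.rule for s in stats if s.evaluations == 0]


def evaluated_but_unmatched(stats: List[RuleStats]) -> List[str]:
    """Rules PF evaluated but never matched: the rule selector itself is wrong."""
    return [s.rule for s in stats if s.evaluations > 0 and s.packets == 0]


def main() -> None:
    # On a FreeBSD host run the real command; elsewhere fall back to the sample.
    try:
        text = subprocess.run(["pfctl", "-vs", "rules"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("pfctl unavailable, using constructed sample", file=sys.stderr)
        text = SAMPLE_OUTPUT
    stats = parse_rule_stats(text)
    for rule in never_evaluated(stats):
        print(f"NEVER EVALUATED (traffic not reaching PF): {rule}")
    for rule in evaluated_but_unmatched(stats):
        print(f"EVALUATED BUT UNMATCHED (check selector): {rule}")


if __name__ == "__main__":
    main()
```

Zero Evaluations on both `pass log on em0`/`em1` rules is the signature of the TAP setup in the post: BPF sees the frames, but the IP layer (and therefore PF) does not. Note that pfctl prints the "No ALTQ support in kernel" lines on stderr, so they do not appear in the captured stdout the parser reads.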

