Was Re: PF bugs now PF reporting utility

Damien Fleuriot ml at my.gd
Sun Jun 23 00:56:33 UTC 2013


On 23 Jun 2013, at 00:55, Nikos Vassiliadis <nvass at gmx.com> wrote:

> On 06/22/2013 10:41 PM, Stan Gammons wrote:
>> On Sat, 2013-06-22 at 20:51 +0200, Nikos Vassiliadis wrote:
>>> It seems that people think that pf is unmaintained.
>>> Quite a disheartening thing for the person that did the hard work
>>> to create the smp-friendly pf in FreeBSD-10...
>> 
>> My apologies Nikos for thinking PF is not maintained.
> 
> I didn't want to make anybody apologize.
> 
> I just wanted to add that pf in freebsd is not bad or inferior
> compared to the newer pf in openbsd. To some people the performance
> gain by smp-pf might be considered more useful than pf.conf
> compatibility between different OSes. Other people might need
> rdomains and all the other things the freebsd version doesn't have...
> 
> Things are just different for quite a while now and they are growing
> even more differently. The fork happened for a reason or perhaps for
> a lot of reasons.
> 

On topic, Gleb has put a lot of work on PF in -CURRENT which, iirc, made a handful of open PRs irrelevant.


>> I was hoping others here could point me to a sysutil that generates
>> reports for PF like Lire does for IPFilter and etc.  I had started work
>> on modifying one of the existing Lire dlf converters that would
>> work with a PF log file that had been first processed through tcpdump.
>> But, I couldn't figure out the format tcpdump uses, so I haven't made
>> much progress.  Can someone here help with the format tcpdump uses on
>> FreeBSD or point me in the right direction?
> 
> Unfortunately there is no support for pf in lire. OTOH it looks
> simple enough to hack a custom filter in awk maybe? (sorry I possess
> no perl powers)
> 
>> root at lab:/var/log # tcpdump -nlttttei pflog0 | awk '{ if ($5 == "block") $5 = "b"; print $1,$2,"hostname","PID", $2,$4,$5,$8,$9,$11 }'
>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
>> 2013-06-23 01:12:24.210634 hostname PID 01:12:24.210634 0..16777216/0(match): b bridge0: 192.168.65.1.60491 192.168.65.11.23:
>> 2013-06-23 01:12:28.016297 hostname PID 01:12:28.016297 0..16777216/0(match): b bridge0: 192.168.65.1.40719 192.168.65.12.23:
>> 2013-06-23 01:12:53.307795 hostname PID 01:12:53.307795 0..16777216/0(match): b bridge0: 192.168.65.13.11451 192.168.65.11.23:
>> 2013-06-23 01:12:55.781513 hostname PID 01:12:55.781513 0..16777216/0(match): b bridge0: 192.168.65.13.62921 192.168.65.12.23:
> 
> The output format I did here is not correct but with a bit of work
> you could come up with something that looks like an IPFilter log.
> 
> HTH, Nikos
> 

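The custom filter Nikos sketches in awk, written out as an added example that is not part of the thread: it parses the `tcpdump -nlttttei pflog0` lines into fields, rewrites them into a one-letter-action record in the spirit of the awk one-liner, and counts blocked connections per destination port. The sample lines are constructed from the field positions the awk command uses ($4 rule, $5 action, $8 interface, $9 source, $11 destination), not captured output, and the output layout only approximates an ipmon-style line, since the exact Lire dlf layout is not given in the thread.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nlttttei pflog0` output, rebuilt from the field
# positions the thread's awk one-liner relies on. Not captured from a real host.
SAMPLE = """\
2013-06-23 01:12:24.210634 rule 0..16777216/0(match): block in on bridge0: 192.168.65.1.60491 > 192.168.65.11.23: Flags [S], seq 1, win 65535, length 0
2013-06-23 01:12:28.016297 rule 0..16777216/0(match): block in on bridge0: 192.168.65.1.40719 > 192.168.65.12.23: Flags [S], seq 1, win 65535, length 0
2013-06-23 01:12:53.307795 rule 0..16777216/0(match): block in on bridge0: 192.168.65.13.11451 > 192.168.65.11.23: Flags [S], seq 1, win 65535, length 0
2013-06-23 01:13:01.000001 rule 2/0(match): pass out on bridge0: 192.168.65.11.51234 > 10.0.0.5.53: UDP, length 40
"""

# date time "rule" rule(reason): action dir "on" ifname: src > dst:
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) rule (?P<rule>\S+?)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>[^:]+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+):"
)

def split_endpoint(ep):
    """'192.168.65.1.60491' -> ('192.168.65.1', 60491). tcpdump -n appends the
    port with a dot, so split on the last dot (IPv4 only; IPv6 uses a different form)."""
    host, _, port = ep.rpartition(".")
    return host, int(port)

def parse_pflog_line(line):
    """Return a dict of fields, or None for tcpdump banners/warnings and unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_ip"], rec["src_port"] = split_endpoint(rec.pop("src"))
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec.pop("dst"))
    return rec

def to_ipfilter_style(rec):
    """Compact record with a one-letter action, as the awk filter did with 'block' -> 'b'.
    Layout is an assumption approximating an ipmon line, not Lire's exact dlf format."""
    act = {"block": "b", "pass": "p"}.get(rec["action"], rec["action"][0])
    return (f"{rec['date']} {rec['time']} {rec['ifname']} @{rec['rule']} {act} "
            f"{rec['src_ip']},{rec['src_port']} -> {rec['dst_ip']},{rec['dst_port']} "
            f"{rec['dir'].upper()}")

def blocked_ports(text):
    """Count blocked connections per destination port: which services are being probed."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block":
            counts[rec["dst_port"]] += 1
    return counts
```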
