pf log with keep state
Karol Kornatka
karol at kornatka.pl
Fri Nov 7 19:11:23 UTC 2014
Hello FreeBSD firewallers.
I'm a newbie with FreeBSD, so please forgive me if I'm writing funny things :)
I have a pretty big network (around 2000 hosts) connected through a
FreeBSD router.
The router is running on a Dell PowerEdge R320 and FreeBSD 10.
As the firewall, obviously pf, with around 50000 pf state entries currently and
200 Mbit/s of traffic.
I need to pass and log forwarded traffic.
For now I'm using a ruleset like this:
pass in quick log ( all, to pflog2) on $ds02_int_if proto tcp from <clients-ds02> to any port $ds02_tcp_forward_services flags S/S keep state
pass in quick on $ds02_int_if proto tcp from <clients-ds02> to any port $ds02_tcp_forward_services keep state
pass in quick on $ds02_int_if proto udp from <clients-ds02> to any port $ds02_udp_forward_services keep state
pass in quick on $ds02_int_if proto icmp from <clients-ds02> to any keep state
I thought that the first line should log only SYN packets for me and pass them;
second - pass the rest of TCP, no log;
third - pass UDP, no log;
fourth - pass ICMP, no log.
Logs are killing HDD space (4x1TB in RAID10) - I'm rotating pflog files
every hour and I have around 10G per hour in total - 3G after gzip.
What am I doing wrong? The firewall is logging all TCP traffic with all
flags ...
By the way - how do I get the real connection time from my logs?
00:00:00.000158 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [.], ack 1371, win 16425, length 0
Thanks for answers in advance.
Karol
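Two facts about pf logging bear on both questions in this post. On a rule with keep state, plain `log` records only the packet that creates the state (the SYN for TCP), whereas `log (all)` records every packet matched by that state, which is what the first rule above asks for. Second, pflog records packets, not connections, so a connection's duration can only be derived from the first and last logged packet, and only when `(all)` logging is on. The script below is an added example, not code from the post or from FreeBSD: it parses tcpdump output of the form shown in the post, reports whether non-SYN packets (the signature of `log (all)`) are present, and computes per-connection durations. It assumes the lines came from `tcpdump -n -e -ttt -r <pflog file>`, where the leading field is the time elapsed since the previous line (that is the format of the sample line), so a running clock is accumulated; the log lines embedded below are constructed for the example.

```python
import re
from dataclasses import dataclass

# Prefix of one pflog line as printed by `tcpdump -n -e -ttt -r <file>` (assumption:
# delta timestamps, matching the "00:00:00.000158 rule ..." line quoted in the post).
# The trailing "Flags [...]" group is present only for TCP packets.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) rule (?P<rule>[\d.]+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+):(?: Flags \[(?P<flags>[^\]]*)\])?"
)

# Constructed sample: one full HTTPS connection plus the start of a second flow.
LOG_LINES = """\
00:00:00.000000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [S], seq 1, win 8192, length 0
00:00:00.012000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [.], ack 1, win 16425, length 0
00:00:00.500000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [P.], seq 1:100, ack 1, win 16425, length 99
00:00:01.000000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.20.50000 > 93.184.216.34.80: Flags [S], seq 1, win 8192, length 0
00:00:02.000000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [F.], seq 100, ack 1, win 16425, length 0
00:00:00.000000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.20.50000 > 93.184.216.34.80: Flags [.], ack 1, win 16425, length 0
"""


@dataclass
class Flow:
    first_seen: float          # running-clock seconds of the first logged packet
    last_seen: float           # running-clock seconds of the last logged packet
    packets: int = 0
    syn_seen: bool = False     # a pure SYN: the packet that creates the pf state
    fin_or_rst_seen: bool = False


def parse_delta(ts: str) -> float:
    """Convert a tcpdump -ttt delta 'hh:mm:ss.uuuuuu' to seconds."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_pflog(text: str) -> list:
    """Parse tcpdump/pflog lines; every parsed line advances the running clock."""
    clock = 0.0
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a packet line (tcpdump warnings, truncated lines)
        clock += parse_delta(m["ts"])
        records.append({
            "t": clock, "src": m["src"], "dst": m["dst"],
            "action": m["action"], "flags": m["flags"],  # flags is None for non-TCP
        })
    return records


def log_all_in_effect(records: list) -> bool:
    """True if any logged TCP packet is not a pure SYN.

    With plain `log` on a keep-state rule pf logs only the state-creating packet,
    so every TCP record would carry Flags [S]; anything else shows `log (all)`."""
    return any(r["flags"] != "S" for r in records if r["flags"] is not None)


def flows_from(records: list) -> dict:
    """Group packets into bidirectional flows keyed by the sorted endpoint pair."""
    flows = {}
    for r in records:
        key = tuple(sorted((r["src"], r["dst"])))
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(first_seen=r["t"], last_seen=r["t"])
        f.last_seen = r["t"]
        f.packets += 1
        flags = r["flags"] or ""
        if flags == "S":
            f.syn_seen = True
        if "F" in flags or "R" in flags:
            f.fin_or_rst_seen = True
    return flows


def connection_durations(flows: dict) -> dict:
    """Seconds between first and last logged packet per flow (needs log (all))."""
    return {k: round(f.last_seen - f.first_seen, 6) for k, f in flows.items()}


if __name__ == "__main__":
    recs = parse_pflog(LOG_LINES)
    print("log (all) in effect:", log_all_in_effect(recs))
    for key, f in flows_from(recs).items():
        closed = "closed" if f.fin_or_rst_seen else "open/unknown"
        print(f"{key[0]} <-> {key[1]}: {f.packets} pkts, "
              f"{f.last_seen - f.first_seen:.3f}s, {closed}")
```

Run against a real file with `tcpdump -n -e -ttt -r /var/log/pflog2 | python3 pflog_flows.py` after replacing `LOG_LINES` with `sys.stdin.read()`. A flow whose last packet carries neither FIN nor RST was still open when the log was rotated, so its duration is a lower bound; with plain `log` the script sees only SYNs and every duration is 0, which is exactly the disk-space trade-off between the two logging modes.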