pf logging only no active filtering

Mike Tancsa mike at sentex.net
Thu Jun 15 19:47:23 UTC 2017


On 6/15/2017 3:32 PM, Malte Graebner wrote:
> Using the quick keyword has the side effect that I'm not able to see if
> there are any packets that would be blocked which shouldn't be, because
> the whole ruleset (about 500 rules) is not evaluated.

I am not sure I follow, can you rephrase/restate the above? Do you mean
the quick pass rule is not being evaluated, even if it's the very first
rule? Perhaps illustrate the condition with a minimal set of pf rules?

If you don't use the pass in {rdr|binat|nat} and make the quick line the
first line, nothing should get evaluated after the quick pass.
Also, I would always add 'log' to all the rules when debugging, so you
see what's actually being hit. There should not be any mysteries that way.

	---Mike




> 
> e.g.: multiple bidirectional nat rules not doing what I expect them
> to do. Then I can fix the ruleset without affecting the live
> environment. But for that I need to process the whole ruleset, to not
> get unhandy surprises with some rules when going live.
> 
> 
> On 15.06.2017 at 21:18, Mike Tancsa wrote:
>> On 6/15/2017 2:21 PM, Malte Graebner wrote:
>>> Hello folks,
>>> is there an option to only log all the stuff going on via the "log" keyword,
>>> without taking any action on the traffic flow itself?
>> Perhaps
>>
>> pass quick log <make it specific or general as you want>
>>
>> ... quick matches and then no longer evaluates the rules.
>>
>>     ---Mike
>>
>>
> 
> 


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
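As an added illustration of the "pass quick log" approach discussed in this thread (this is not Mike's or Malte's ruleset; the interface name em0 and the 192.168.1.0/24 addresses are assumptions), a minimal pf.conf that logs everything while enforcing nothing:

```pf
# Added example, not from the thread. Interface and addresses are assumptions.
ext_if = "em0"

# Translation rules stay in place, but without the "pass" keyword:
# "rdr pass" / "nat pass" would create an implicit pass that skips the
# filter rules below, and with them the logging.
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 192.168.1.10 port 80

# First filter rule: match everything, log it, and stop evaluating.
# While this line is present, no rule below it takes effect.
pass quick log all

# The production ruleset, kept in the file so it can be reviewed and
# re-enabled by removing the "pass quick log all" line above. Every rule
# carries "log" so that, once active, pflog shows exactly which rule fired.
block log all
pass in log on $ext_if proto tcp from any to 192.168.1.10 port 80
pass out log on $ext_if from 192.168.1.0/24 to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and read the log with `tcpdump -n -e -ttt -i pflog0`; the `-e` flag prints the matching rule number and action for each logged packet. Note that with the quick line in place the log only shows that packets were seen, not what the rules below would have done with them, which is the limitation Malte raises above.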


More information about the freebsd-pf mailing list