pf logging only no active filtering

Malte Graebner mg at maltedoc.de
Thu Jun 15 20:22:07 UTC 2017


Don't get me wrong. I get your point.
I guess when using your method, I need to put in rule by rule, to test 
each "pass" rule one on its own - okay, no problem. But ... :D
I also need to test a mix of 300 nat/binat/rdr rules out of 10 networks.
So the pass quick rule can't help me, because the nat rules are still 
getting evaluated and filtered (rule order), or am I wrong?

I'm looking for something like pfctl -vv -n -f /etc/pf.conf for the pf 
set, which is logging against a "virtual" rule set that will not take 
any actions except logging the theoretical action to pflog.0.

On 15.06.2017 at 21:47, Mike Tancsa wrote:
> On 6/15/2017 3:32 PM, Malte Graebner wrote:
>> Using the quick phrase has the side effect that I'm not able to see if
>> there are any packets that would be blocked which shouldn't be, because of
>> not evaluating the whole ruleset (about 500 rules).
> I am not sure I follow, can you rephrase/restate the above? Do you mean
> the quick pass rule is not being evaluated, even if it's the very first
> rule? Perhaps illustrate the condition with a minimal set of pf rules?
>
> If you don't use the pass in {rdr|binat|nat} and make the quick line the
> first line, nothing should get evaluated after the quick pass.
> Also, I would always add 'log' to all the rules when debugging, so you
> see what's actually being hit. There should not be any mysteries that way.
>
> 	---Mike
>
>
>
>
>> e.g.: multiple bidirectional nat rules doing not what I expect them
>> to do. Then I can fix the ruleset without affecting the live
>> environment. But therefore I need to process the whole ruleset, to not
>> get unhandy surprises with some rules when going live.
>>
>>
>> On 15.06.2017 at 21:18, Mike Tancsa wrote:
>>> On 6/15/2017 2:21 PM, Malte Graebner wrote:
>>>> Hello folks,
>>>> is there an option to only log all stuff going on via the "log" command,
>>>> without taking any action on the traffic flow itself?
>>> Perhaps
>>>
>>> pass quick log <make it specific or general as you want>
>>>
>>> ... quick matches and then no longer evals the rules.
>>>
>>>      ---Mike
>>>
>>>
>>
>
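Added example, not taken from this thread or written by any of its posters: a small sh script that writes a debug ruleset in the shape Mike describes (translation rules without "pass", a "pass quick log" rule as the first filter rule, and "log" on every other filter rule), lints the file for filter rules that lack "log", and, where pfctl is installed, runs the parse-only check Malte mentions (pfctl -vv -n -f never loads anything). The interface names, the network and the rules themselves are made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate a debug ruleset in the
# shape suggested above and lint it before a parse-only pfctl check.
# Interfaces, addresses and rules are hypothetical placeholders.

# Write the ruleset to the file named in $1 and print that path.
write_debug_ruleset() {
    out="$1"
    cat > "$out" <<'EOF'
ext_if = "em0"
int_if = "em1"
int_net = "10.0.0.0/24"

# translation rules WITHOUT "pass": the filter rules below still apply
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp to ($ext_if) port 8080 -> 10.0.0.10 port 80

# first filter rule: quick stops evaluation, log records the hit on pflog0
pass quick log on $int_if from $int_net to any

# every remaining rule is logged while debugging, so each hit is visible
block log all
pass out log on $ext_if proto tcp to any port { 80, 443 }
pass in log on $ext_if proto tcp to 10.0.0.10 port 80
EOF
    printf '%s\n' "$out"
}

# Return 0 when every pass/block rule carries the log keyword, 1 otherwise;
# offending lines go to stderr so the reader can fix them.
all_filter_rules_logged() {
    f="$1"
    missing=$(grep -E '^[[:space:]]*(pass|block)( |$)' "$f" \
              | grep -vE '(^| )log( |$)' || true)
    if [ -n "$missing" ]; then
        printf 'filter rules without log:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Usage: lint the generated file, then parse it without loading it.
demo() {
    f=$(write_debug_ruleset "${TMPDIR:-/tmp}/pf-debug.conf")
    all_filter_rules_logged "$f" && echo "all filter rules carry log"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -vv -n -f "$f"      # -n: parse and print only, rules stay unloaded
    else
        echo "pfctl not found; skipping parse check" >&2
    fi
    echo "watch logged hits with: tcpdump -n -e -ttt -i pflog0"
}
```

The lint catches the case Mike warns about: a rule that silently matches without "log" leaves a gap in what pflog0 shows. The pfctl call stays a dry run, so the script can be used against a copy of the production ruleset without touching the live filter.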



More information about the freebsd-pf mailing list