Date:      Wed, 14 Nov 2007 21:38:06 +0200
From:      Tobias Ernst <tobi@casino.uni-stuttgart.de>
To:        freebsd-pf@freebsd.org
Subject:   Re: How to prevent FS overflow due to excessive logging?
Message-ID:  <473B4E9E.2040004@casino.uni-stuttgart.de>
In-Reply-To: <20071114173359.GO6168@verio.net>
References:  <473B2006.8050000@casino.uni-stuttgart.de> <20071114173359.GO6168@verio.net>

David DeSimone wrote:

>> I do not want to disable UDP logging generally - after all I want to be
>> told when things like this happen.

> If you put "keep state" on your drop+log rule, PF will only log the
> first packet that gets dropped, which reduces logging considerably. 

I thought about this, but

block in log from any to any keep state

gives me

pf.conf:266: keep state on block rules doesn't make sense

and the rule is skipped (6.2, maybe this has changed in 7?).

> However, you will not be alerted to the fact that millions of packets
> are being sent, in this scenario, so you would have to detect that via
> other means.

That's not a problem.

By the way, these turned out to be harmless multicast packets from a
remote software installation process that should have been silently
dropped, but I had the wrong netmask (/24 instead of /4) in my
"multicast silent drop" rule.

Regards
Tobias

-- 
Universität Stuttgart|Fakultät für Architektur und Stadtplanung|casinoIT
70174 Stuttgart Geschwister-Scholl-Straße 24D
T +49 (0)711 121-4228             F +49 (0)711 121-4276
E office@casino.uni-stuttgart.de  I http://www.casino.uni-stuttgart.de
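
The netmask mistake described in the message above, as an added example that is not part of the original e-mail: a small Python model showing which dropped packets reach the logging rule when the silent-drop rule uses 224.0.0.0/24 instead of 224.0.0.0/4. The two pf.conf lines, the sample addresses and the function names are constructed assumptions (the message does not show the real rules), and the evaluator understands only these two rule shapes.

```python
import ipaddress
import re

MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # the whole IPv4 multicast range

# Constructed rules: the message does not show the actual pf.conf lines.
RULESET_WRONG = (
    "block in quick inet from any to 224.0.0.0/24\n"  # intended silent drop
    "block in log all\n"                              # logged default drop
)
RULESET_FIXED = RULESET_WRONG.replace("/24", "/4")

# Constructed destination addresses of incoming packets.
SAMPLE_DSTS = ["224.0.0.1", "224.0.1.129", "233.89.188.1",
               "239.255.255.250", "192.0.2.7"]

# Only the two rule shapes used above are understood (a simplification).
RULE_RE = re.compile(
    r"^block in (?P<log>log )?(?P<quick>quick )?"
    r"(?:inet from any to (?P<dst>\S+)|all)$")

def parse(ruleset):
    rules = []
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError("unsupported rule: " + line)
        net = ipaddress.ip_network(m["dst"] or "0.0.0.0/0")
        rules.append((bool(m["log"]), bool(m["quick"]), net))
    return rules

def logged(ruleset, dsts):
    """Destinations whose drop ends up in the log."""
    hits = []
    for dst in dsts:
        verdict = False
        for log, quick, net in parse(ruleset):
            if ipaddress.ip_address(dst) in net:
                verdict = log      # pf: the last matching rule wins ...
                if quick:
                    break          # ... unless a matching rule is 'quick'
        if verdict:
            hits.append(dst)
    return hits

def narrow_multicast_rules(ruleset):
    """Non-logging block rules that cover only part of 224.0.0.0/4."""
    return [str(net) for log, _, net in parse(ruleset)
            if not log and net != MULTICAST and net.subnet_of(MULTICAST)]
```

With the /24 prefix only 224.0.0.0 through 224.0.0.255 is dropped silently, so every other multicast destination falls through to the logged rule.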


