Date: Sun, 23 Jun 2013 02:55:21 +0200
From: Damien Fleuriot <ml@my.gd>
To: Nikos Vassiliadis <nvass@gmx.com>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: Was Re: PF bugs now PF reporting utility
Message-ID: <09D1DC3A-9F02-488D-AFA8-9C9E3EF79D7E@my.gd>
In-Reply-To: <51C62B44.1030902@gmx.com>
References: <1371865788.22524.9.camel@localhost> <CAOmxWMXfKyr5gjQUpqqraTVaLJ3XOFNK7P040FPOCSaMGigXdA@mail.gmail.com> <51C5F242.1010608@gmx.com> <1371933661.1707.7.camel@localhost> <51C62B44.1030902@gmx.com>
On 23 Jun 2013, at 00:55, Nikos Vassiliadis <nvass@gmx.com> wrote:

> On 06/22/2013 10:41 PM, Stan Gammons wrote:
>> On Sat, 2013-06-22 at 20:51 +0200, Nikos Vassiliadis wrote:
>>> It seems that people think that pf is unmaintained.
>>> Quite a disheartening thing for the person that did the hard work
>>> to create the smp-friendly pf in FreeBSD-10...
>>
>> My apologies Nikos for thinking PF is not maintained.
>
> I didn't want to make anybody apologize.
>
> I just wanted to add that pf in freebsd is not bad or inferior
> compared to the newer pf in openbsd. To some people the performance
> gain by smp-pf might be considered more useful than pf.conf
> compatibility between different OSes. Other people might need
> rdomains and all the other things the freebsd version doesn't have...
>
> Things are just different for quite a while now and they are growing
> even more differently. The fork happened for a reason or perhaps for
> a lot of reasons.
>

On topic, Gleb has put a lot of work on PF in -CURRENT which, iirc, made a handful of open PRs irrelevant.

>> I was hoping others here could point me to a sysutil that generates
>> reports for PF like Lire does for IPFilter and etc. I had started work
>> on modifying one of the existing Lire dlf converters that would
>> work with a PF log file that had been first processed through tcpdump.
>> But, I couldn't figure out the format tcpdump uses, so I haven't made
>> much progress. Can someone here help with the format tcpdump uses on
>> FreeBSD or point me in the right direction?
>
> Unfortunately there is no support for pf in lire. OTOH it looks
> simple enough to hack a custom filter in awk maybe? (sorry I possess
> no perl powers)
>
>> root@lab:/var/log # tcpdump -nlttttei pflog0 | awk '{ if ($5 == "block") $5 = "b"; print $1,$2,"hostname","PID", $2,$4,$5,$8,$9,$11 }'
>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
>> 2013-06-23 01:12:24.210634 hostname PID 01:12:24.210634 0..16777216/0(match): b bridge0: 192.168.65.1.60491 192.168.65.11.23:
>> 2013-06-23 01:12:28.016297 hostname PID 01:12:28.016297 0..16777216/0(match): b bridge0: 192.168.65.1.40719 192.168.65.12.23:
>> 2013-06-23 01:12:53.307795 hostname PID 01:12:53.307795 0..16777216/0(match): b bridge0: 192.168.65.13.11451 192.168.65.11.23:
>> 2013-06-23 01:12:55.781513 hostname PID 01:12:55.781513 0..16777216/0(match): b bridge0: 192.168.65.13.62921 192.168.65.12.23:
>
> The output format I did here is not correct but with a bit of work
> you could come up with something that looks like an IPFilter log.
>
> HTH, Nikos
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
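Added example, not from anyone in the thread: a shell function that takes the `tcpdump -nlttttei pflog0` lines Nikos shows above (same column positions: `rule` as the third field, action, direction, interface, then `src > dst:`) and emits one fixed-field, ipmon-like record per packet, skipping tcpdump's diagnostic lines and handling packets without ports (ICMP). The output layout and the sample input are assumptions constructed for this example; the layout is only modelled loosely on IPFilter's ipmon lines, and IPv6 addresses are not handled.

```shell
#!/bin/sh
# Added example: convert `tcpdump -nlttttei pflog0` output into one
# fixed-field, ipmon-like record per packet. Live use:
#   tcpdump -nlttttei pflog0 | pflog_to_ipf
# Output layout is an assumption modelled loosely on IPFilter's ipmon lines.

pflog_to_ipf() {
    awk '
    # Split "a.b.c.d.port" at the last dot; a bare address (e.g. ICMP) is returned as is.
    function addrport(tok,  parts, n) {
        n = split(tok, parts, ".")
        if (n == 5)
            return substr(tok, 1, length(tok) - length(parts[5]) - 1) "," parts[5]
        return tok
    }
    # Packet lines have "rule" as the third field; tcpdump diagnostics do not.
    $3 != "rule" { next }
    {
        rule = $4; sub(/\(match\):$/, "", rule)          # "7/0(match):" -> "7/0"
        act = ($5 == "block") ? "b" : ($5 == "pass") ? "p" : "?"
        dir = ($6 == "in") ? "IN" : "OUT"
        iface = $8; sub(/:$/, "", iface)                 # "bridge0:" -> "bridge0"
        dst = $11; sub(/:$/, "", dst)                    # strip trailing colon
        proto = ($0 ~ /Flags \[/) ? "tcp" : ($0 ~ / UDP,/) ? "udp" : ($0 ~ /ICMP/) ? "icmp" : "other"
        printf "%s %s %s @%s %s %s -> %s PR %s %s\n", $1, $2, iface, rule, act, addrport($9), addrport(dst), proto, dir
    }'
}

# Constructed sample input in the format shown in the thread. The first line mirrors
# the thread's own capture; the UDP and ICMP lines are made up for this example.
SAMPLE_PFLOG='2013-06-23 01:12:24.210634 rule 0..16777216/0(match): block in on bridge0: 192.168.65.1.60491 > 192.168.65.11.23: Flags [S], seq 10, win 65535, length 0
tcpdump: WARNING: pflog0: no IPv4 address assigned
2013-06-23 01:12:28.016297 rule 7/0(match): pass out on em0: 192.168.65.13.5353 > 224.0.0.251.5353: UDP, length 45
2013-06-23 01:12:53.307795 rule 0..16777216/0(match): block in on bridge0: 192.168.65.13 > 192.168.65.11: ICMP echo request, id 1, seq 1, length 64'

printf '%s\n' "$SAMPLE_PFLOG" | pflog_to_ipf
```

Each record comes out as `date time iface @rule action src,port -> dst,port PR proto IN|OUT`, which is regular enough for an awk or Lire-style converter to consume field by field.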