From: Damien Fleuriot
Subject: Re: Was Re: PF bugs now PF reporting utility
Date: Sun, 23 Jun 2013 02:55:21 +0200
To: Nikos Vassiliadis
Cc: freebsd-pf@freebsd.org

On 23 Jun 2013, at 00:55, Nikos Vassiliadis wrote:

> On 06/22/2013 10:41 PM, Stan Gammons wrote:
>> On Sat, 2013-06-22 at 20:51 +0200, Nikos Vassiliadis wrote:
>>> It seems that people think that pf is unmaintained.
>>> Quite a disheartening thing for the person that did the hard work
>>> to create the smp-friendly pf in FreeBSD-10...
>>
>> My apologies Nikos for thinking PF is not maintained.
>
> I didn't want to make anybody apologize.
>
> I just wanted to add that pf in freebsd is not bad or inferior
> compared to the newer pf in openbsd. To some people the performance
> gain by smp-pf might be considered more useful than pf.conf
> compatibility between different OSes. Other people might need
> rdomains and all the other things the freebsd version doesn't have...
>
> Things are just different for quite a while now and they are growing
> even more differently.
> The fork happened for a reason or perhaps for
> a lot of reasons.
>

On topic, Gleb has put a lot of work on PF in -CURRENT which, iirc, made a handful of open PRs irrelevant.

>> I was hoping others here could point me to a sysutil that generates
>> reports for PF like Lire does for IPFilter and etc. I had started work
>> on modifying one of the existing Lire dlf converters that would
>> work with a PF log file that had been first processed through tcpdump.
>> But, I couldn't figure out the format tcpdump uses, so I haven't made
>> much progress. Can someone here help with the format tcpdump uses on
>> FreeBSD or point me in the right direction?
>
> Unfortunately there is no support for pf in lire. OTOH it looks
> simple enough to hack a custom filter in awk maybe? (sorry I possess
> no perl powers)
>
>> root@lab:/var/log # tcpdump -nlttttei pflog0 | awk '{ if ($5 == "block") $5 = "b"; print $1,$2,"hostname","PID", $2,$4,$5,$8,$9,$11 }'
>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
>> 2013-06-23 01:12:24.210634 hostname PID 01:12:24.210634 0..16777216/0(match): b bridge0: 192.168.65.1.60491 192.168.65.11.23:
>> 2013-06-23 01:12:28.016297 hostname PID 01:12:28.016297 0..16777216/0(match): b bridge0: 192.168.65.1.40719 192.168.65.12.23:
>> 2013-06-23 01:12:53.307795 hostname PID 01:12:53.307795 0..16777216/0(match): b bridge0: 192.168.65.13.11451 192.168.65.11.23:
>> 2013-06-23 01:12:55.781513 hostname PID 01:12:55.781513 0..16777216/0(match): b bridge0: 192.168.65.13.62921 192.168.65.12.23:
>
> The output format I did here is not correct but with a bit of work
> you could come up with something that looks like an IPFilter log.
>
> HTH, Nikos
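A worked version of the conversion Nikos sketches with awk, added here as an example and not code from anyone in the thread: a small Python parser for `tcpdump -nlttttei pflog0` lines that renders each event in an ipmon-like layout (an approximation, not ipmon's exact grammar) and tallies blocked packets per destination, which is the kind of report Lire would produce. The raw line shape is an assumption reconstructed from the awk field positions quoted above, and the sample lines are constructed.

```python
import re
from collections import Counter

# One line of `tcpdump -nlttttei pflog0`. The shape is an ASSUMPTION reconstructed
# from the awk field positions in the thread ($4 rule, $5 action, $8 interface,
# $9 source, $11 destination), e.g.:
#   2013-06-23 01:12:24.210634 rule 0..16777216/0(match): block in on bridge0: \
#       192.168.65.1.60491 > 192.168.65.11.23: Flags [S], ...
PFLOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>[^\s(]+)\((?P<reason>\w+)\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

# Constructed sample input (not a real capture); includes tcpdump's own chatter.
SAMPLE = """\
tcpdump: WARNING: pflog0: no IPv4 address assigned
2013-06-23 01:12:24.210634 rule 0..16777216/0(match): block in on bridge0: 192.168.65.1.60491 > 192.168.65.11.23: Flags [S], length 0
2013-06-23 01:12:28.016297 rule 0..16777216/0(match): block in on bridge0: 192.168.65.1.40719 > 192.168.65.12.23: Flags [S], length 0
2013-06-23 01:12:53.307795 rule 0..16777216/0(match): block in on bridge0: 192.168.65.13.11451 > 192.168.65.11.23: Flags [S], length 0
2013-06-23 01:12:55.781513 rule 5/0(match): pass out on em0: 10.0.0.5.51000 > 93.184.216.34.443: Flags [S], length 0
"""


def parse_pflog(text):
    """Return one dict per pflog event; lines that do not match (tcpdump
    warnings, truncated output) are skipped rather than mis-parsed."""
    return [m.groupdict() for m in map(PFLOG_RE.match, text.splitlines()) if m]


def to_ipfilter_style(ev):
    """Render an event in a layout approximating an ipmon (IPFilter) log line:
    dd/mm/yyyy time iface @rule action src,port -> dst,port IN|OUT.
    Approximation for feeding a Lire-style converter, not ipmon's exact grammar."""
    day = "/".join(reversed(ev["date"].split("-")))
    return (f"{day} {ev['time']} {ev['iface']} @{ev['rule']} {ev['action'][0]} "
            f"{ev['src']},{ev['sport']} -> {ev['dst']},{ev['dport']} {ev['dir'].upper()}")


def blocked_by_dst(events):
    """Report: number of blocked packets per destination host:port."""
    return Counter(f"{e['dst']}:{e['dport']}" for e in events if e["action"] == "block")


if __name__ == "__main__":
    events = parse_pflog(SAMPLE)
    for ev in events:
        print(to_ipfilter_style(ev))
    for target, n in blocked_by_dst(events).most_common():
        print(f"{n:5d} blocked -> {target}")
```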