Date: Sat, 8 Nov 2014 15:52:28 +0100
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-pf@freebsd.org
Subject: Re: pf log with keep state
Message-ID: <201411081552.34839.vegeta@tuxpowered.net>
In-Reply-To: <545D195B.2050909@kornatka.pl>
References: <545D195B.2050909@kornatka.pl>
On Friday, 7 November 2014 at 20:11:23 Karol Kornatka wrote:
> I have a pretty big network (around 2000 hosts) having connection threw
> freebsd router.

No, don't throw your router. It might still work after you fix your pf rules.

> Router is working on Dell poweredge r320 and freebsd 10.
> As firewall obviously pf with around 50000 pf state current entries and
> 200Mbitps traffic.
> I need to pass and log forwarded traffic.
> For now I'm using a ruleset like this:
>
> pass in quick log ( all, to pflog2) on $ds02_int_if proto tcp from
> <clients-ds02> to any port $ds02_tcp_forward_services flags S/S keep state

Every new connection (matching on S/SA flags is the default when creating a
new rule, you can see that with `pfctl -sr`, so your "flags" option does not
change much) from <clients-ds02> to $ds02_tcp_forward_services is matched by
this rule and is not processed any more due to the quick keyword. This causes
a state to be created, so any further packets belonging to this connection
never hit your rules at all and are accepted instead (checking whether a
packet belongs to an existing state happens before matching it against the
rules). Every packet in such a connection (matching the state) is logged due
to the log keyword.

> pass in quick on $ds02_int_if proto tcp from <clients-ds02> to any port
> $ds02_tcp_forward_services keep state

No packets reach this rule as they match the previous one or a state created
by it.
I understand that you want to log only the fact of connections being
established. Then maybe the following would work:

    pass in log ( all, to pflog2) \
        on $ds02_int_if proto tcp \
        from <clients-ds02> \
        to any port $ds02_tcp_forward_services \
        flags S/S no state

    pass in quick \
        on $ds02_int_if proto tcp \
        from <clients-ds02> \
        to any port $ds02_tcp_forward_services \
        keep state

In this case the 1st rule matches incoming SYN packets, logs them, is not
quick, so the 2nd rule has an opportunity to match them too, but it does not
perform logging but creates the state instead. Any further packets are
forwarded due to an existing state whose rule has no log option.

I'm not sure if it will work, just a fast idea.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net   |
| Vegeta                 | www: http://vegeta.tuxpowered.net      |
`------------------------^---------------------------------------'
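The thread above turns on which packets pf logs once a state exists. As an added example that is not part of this post and not pf's own code, the Python model below reproduces only the pieces the thread discusses: the state lookup that happens before rule evaluation, `quick`, `keep state` versus `no state`, TCP flag matching, and the two logging forms pf.conf(5) documents (`log` logs only the packet that establishes the state; `log (all)` logs every packet of the connection). It also models that pf takes the logging decision from the last matching rule. The addresses, ports and rule names are constructed stand-ins for the poster's `<clients-ds02>` table and `$ds02_tcp_forward_services` macro; interfaces and direction are not modelled.

```python
"""Toy model of how pf decides which packets to log.

Added example for this thread; not part of the original post and not pf's
own code. Addresses and ports are compared as plain values, there is no
interface or direction handling, and 'pass' is the only action modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src: str                    # stands in for 'from <clients-ds02>'
    dport: int                  # stands in for 'port $ds02_tcp_forward_services'
    quick: bool = False
    log: Optional[str] = None   # None = no 'log', "first" = 'log', "all" = 'log (all)'
    keep_state: bool = True     # False models 'no state'
    flags: str = "S/SA"         # pf's default flag match for tcp rules

    def matches(self, pkt: dict) -> bool:
        if pkt["src"] != self.src or pkt["dport"] != self.dport:
            return False
        want, mask = self.flags.split("/")
        # Of the flags named in the mask, exactly those in 'want' must be set.
        return all((f in pkt["flags"]) == (f in want) for f in mask)


StateKey = Tuple[str, int, str, int]


@dataclass
class Firewall:
    rules: List[Rule]
    states: Dict[StateKey, Rule] = field(default_factory=dict)

    def process(self, pkt: dict) -> Tuple[str, bool, str]:
        """Return (action, logged, decided_by) for one packet."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        # 1. State lookup comes first: a packet matching an existing state never
        #    reaches the ruleset and is logged only if the rule that created the
        #    state said 'log (all)'.
        if key in self.states:
            rule = self.states[key]
            return "pass", rule.log == "all", "state:" + rule.name
        # 2. Walk the rules; the last matching rule decides everything (action,
        #    logging, state creation) unless a match is 'quick'.
        decided = None
        for rule in self.rules:
            if rule.matches(pkt):
                decided = rule
                if rule.quick:
                    break
        if decided is None:
            return "pass", False, "default"   # pf passes when no rule matches
        if decided.keep_state:
            self.states[key] = decided
        # 'log' logs the packet that creates the state; with 'no state' every
        # packet that reaches the rule is evaluated again and logged again.
        return "pass", decided.log is not None, decided.name


# Constructed stand-ins for the poster's table and macro.
CLIENTS, SERVICE = "10.0.2.15", 443


def ruleset_original() -> List[Rule]:
    """The poster's rules: 'log (all)' + quick + keep state, then a plain rule."""
    return [Rule("log-all", CLIENTS, SERVICE, quick=True, log="all", flags="S/S"),
            Rule("plain", CLIENTS, SERVICE, quick=True)]   # never reached


def ruleset_thread_proposal() -> List[Rule]:
    """The reply's idea: non-quick 'log ... no state', then quick 'keep state'."""
    return [Rule("log-syn", CLIENTS, SERVICE, log="first", keep_state=False, flags="S/S"),
            Rule("state", CLIENTS, SERVICE, quick=True)]


def ruleset_plain_log() -> List[Rule]:
    """'log' without '(all)': only the state-creating packet is logged."""
    return [Rule("log-first", CLIENTS, SERVICE, quick=True, log="first")]


def handshake_and_data() -> List[dict]:
    """Constructed client-side packets of one connection: SYN, ACK, two data segments."""
    base = {"src": CLIENTS, "sport": 40001, "dst": "203.0.113.10", "dport": SERVICE}
    return [dict(base, flags="S"), dict(base, flags="A"),
            dict(base, flags="PA"), dict(base, flags="PA")]


def logged_packets(rules: List[Rule]) -> List[str]:
    """Flags of every packet the given ruleset logs, in arrival order."""
    fw = Firewall(rules)
    return [pkt["flags"] for pkt in handshake_and_data() if fw.process(pkt)[1]]


if __name__ == "__main__":
    for label, rules in [("poster, log (all)", ruleset_original()),
                         ("reply, log no state + quick", ruleset_thread_proposal()),
                         ("plain log, keep state", ruleset_plain_log())]:
        print(f"{label:30s} logs: {logged_packets(rules)}")
```

Running it shows the poster's `log (all)` ruleset logging all four packets and `log` without `(all)` logging only the SYN. The two-rule idea from the reply logs nothing in this model, because the quick second rule is the last match and carries no log option; the reply itself flags the idea as untested. Whichever variant you deploy, confirm it on the box by watching the log interface (for example `tcpdump -n -e -ttt -i pflog2`) while opening a single connection.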
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201411081552.34839.vegeta>