Date: Sat, 8 Nov 2014 15:52:28 +0100 From: Kajetan Staszkiewicz <vegeta@tuxpowered.net> To: freebsd-pf@freebsd.org Subject: Re: pf log with keep state Message-ID: <201411081552.34839.vegeta@tuxpowered.net> In-Reply-To: <545D195B.2050909@kornatka.pl> References: <545D195B.2050909@kornatka.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart2357736.jIIlGAy4Pa
Content-Type: Text/Plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Dnia pi=C4=85tek, 7 listopada 2014 o 20:11:23 Karol Kornatka napisa=C5=82(a=
):
> I have preaty big network (arround 2000 hosts) having connection threw
> freebsd router.
No, don't throw your router. It might still work after you fix your pf rule=
s.
> Router is working on Dell poweredge r320 and freebsd 10.
> As firewall obviously pf with arround 50000 pf state current entries and
> 200Mbitps traffic.
> I need to pass and log forwarded traffic
> For now i'm using ruleset like this:
>=20
> pass in quick log ( all, to pflog2) on $ds02_int_if proto tcp from
> <clients-ds02> to any port $ds02_tcp_forward_services flags S/S keep state
Evey new connection (matching for S/SA flags is default thing when creating=
new=20
rule, you can see that with `pfctl -sr`, so your "flags" option does not ch=
ange=20
much) from <clients-ds2> to $ds02_tcp_forward_services is matched by this r=
ule=20
and is not processed anymore due to quick keyword. This causes a state to b=
e=20
created so any further packets belonging to this connection never hit your=
=20
rules at all and are accepted instead (checking packet if it belongs to=20
existing state happens before matching it against rules). Every packet in s=
uch=20
connection (matching the state) is logged due to log keyword.
> pass in quick on $ds02_int_if proto tcp from <clients-ds02> to any port
> $ds02_tcp_forward_services keep state
No packets reach this rule as they match the previous one or a state create=
d by=20
it.
I understand that you want to log only fact of connections being establishe=
d.=20
Then maybe the following thing would work:
pass in log ( all, to pflog2) \
on $ds02_int_if proto tcp \
from <clients-ds02> \
to any port $ds02_tcp_forward_services \
flags S/S no state
pass in quick ( all, to pflog2) \
on $ds02_int_if proto tcp \
from <clients-ds02> \
to any port $ds02_tcp_forward_services \
keep state
In this case the 1st rule matches incoming SYN packets, logs them, is not=20
quick, so the 2nd rule has an opportunity to match them too, but it does no=
t=20
perform logging but creates the state instead. Any further packets are=20
forwarded due to an existing state whose rule has no log option.
I'm not sure if it will work, just a fast idea.
=2D-=20
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
--nextPart2357736.jIIlGAy4Pa
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEABECAAYFAlReLiwACgkQ47RQr217OhSG5ACg2TSLLkyuyHb1MLkh/Dz/TIyc
upEAoNu6UO0vj+eY3OUYzEuPb5RyHhdG
=dkJ3
-----END PGP SIGNATURE-----
--nextPart2357736.jIIlGAy4Pa--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201411081552.34839.vegeta>