From: Kajetan Staszkiewicz
To: freebsd-pf@freebsd.org
Subject: Re: pf log with keep state
Date: Sat, 8 Nov 2014 15:52:28 +0100
In-Reply-To: <545D195B.2050909@kornatka.pl>
Message-Id: <201411081552.34839.vegeta@tuxpowered.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Friday, 7 November 2014 at 20:11:23 Karol Kornatka wrote:

> I have a pretty big network (around 2000 hosts) having connection threw
> a FreeBSD router.

No, don't throw your router. It might still work after you fix your pf rules.

> The router is running on a Dell PowerEdge R320 and FreeBSD 10.
> As a firewall, obviously pf, with around 50000 current pf state entries and
> 200 Mbit/s of traffic.
> I need to pass and log forwarded traffic.
> For now I'm using a ruleset like this:
>
> pass in quick log ( all, to pflog2) on $ds02_int_if proto tcp from
> to any port $ds02_tcp_forward_services flags S/S keep state

Every new connection (matching for S/SA flags is the default when creating a
new rule; you can see that with `pfctl -sr`, so your "flags" option does not
change much) from to $ds02_tcp_forward_services is matched by this rule
and is not processed any more due to the quick keyword. This causes a state to
be created, so any further packets belonging to this connection never hit your
rules at all and are accepted instead (checking whether a packet belongs to an
existing state happens before matching it against rules). Every packet in such
a connection (matching the state) is logged due to the log keyword.

> pass in quick on $ds02_int_if proto tcp from to any port
> $ds02_tcp_forward_services keep state

No packets reach this rule, as they match the previous one or a state created
by it.

I understand that you want to log only the fact of connections being
established. Then maybe the following would work:

    # stateless, logged, not quick: only logs the packet that matches it
    pass in log ( all, to pflog2 ) \
        on $ds02_int_if proto tcp \
        from \
        to any port $ds02_tcp_forward_services \
        flags S/S no state

    # quick, unlogged: creates the state the rest of the connection matches
    pass in quick \
        on $ds02_int_if proto tcp \
        from \
        to any port $ds02_tcp_forward_services \
        keep state

In this case the 1st rule matches incoming SYN packets and logs them; it is
not quick, so the 2nd rule has an opportunity to match them too, but it does
not perform logging and creates the state instead. Any further packets are
forwarded due to an existing state whose rule has no log option.

I'm not sure if it will work, just a fast idea.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net  |
| Vegeta                 | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
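An added example, not from either message in the thread, showing the two ways to get one pflog entry per connection instead of one per packet. The simplest is to drop the `all` log option: in pf, `log` without `all` records only the packet that creates the state (pf.conf(5)), which is exactly the "fact of connection being established" the poster wants. The second form is the two-rule split suggested above. The interface name, the port list and the `<ds02_hosts>` table are assumptions, since the original post's source table did not survive the archive.

```pf
# Added example, not from the thread. Macro values and the <ds02_hosts>
# table are assumptions; the original source table is not on the page.
ds02_int_if = "igb1"
ds02_tcp_forward_services = "{ 80, 443 }"
table <ds02_hosts> { 10.20.0.0/16 }

# Original rule from the post, for comparison. "log (all, ...)" logs every
# packet that matches the state, so with ~50000 states it floods pflog2:
#
# pass in quick log (all, to pflog2) on $ds02_int_if proto tcp \
#     from <ds02_hosts> to any port $ds02_tcp_forward_services \
#     flags S/S keep state

# Option A (one rule): "log" without "all" records only the packet that
# creates the state, i.e. one line per new connection. S/SA is the
# default for TCP and is written out here only for clarity.
pass in quick log (to pflog2) on $ds02_int_if proto tcp \
    from <ds02_hosts> to any port $ds02_tcp_forward_services \
    flags S/SA keep state

# Option B (two rules, the split from the reply). Use INSTEAD of option A;
# with both present the quick rule above would always win. The stateless
# rule logs the SYN and is not quick, so the second rule still sees the
# same packet and creates the (unlogged) state. Every later packet of the
# connection matches the state and never reaches a rule.
#
# pass in log (to pflog2) on $ds02_int_if proto tcp \
#     from <ds02_hosts> to any port $ds02_tcp_forward_services \
#     flags S/SA no state
# pass in quick on $ds02_int_if proto tcp \
#     from <ds02_hosts> to any port $ds02_tcp_forward_services \
#     flags S/SA keep state
```

To check it: `pfctl -nf /etc/pf.conf` parses without loading, `pfctl -f /etc/pf.conf` loads, and `pfctl -sr` shows the rules as pf actually expanded them (including the implicit `flags S/SA`). On FreeBSD the extra log interface has to exist before the rule can log to it (`ifconfig pflog2 create`, then `pflogd -i pflog2 -f /var/log/pflog2`); `tcpdump -n -e -ttt -i pflog2` should then show one line per new connection rather than a line for every packet of every established flow.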