From owner-freebsd-net@FreeBSD.ORG Fri Nov 13 12:51:04 2009
Message-ID: <4AFD5635.3080104@sdalu.com>
Date: Fri, 13 Nov 2009 13:51:01 +0100
From: Stephane D'Alu
To: Ian Smith
Cc: net@freebsd.org
References: <4AFD4632.5090207@sdalu.com> <20091113230319.R58089@sola.nimnet.asn.au>
In-Reply-To: <20091113230319.R58089@sola.nimnet.asn.au>
Subject: Re: pf & tcpdump
List-Id: Networking and TCP/IP with FreeBSD

On 13/11/2009 13:08, Ian Smith wrote:
> On Fri, 13 Nov 2009, Stephane D'Alu wrote:
> > Is there a way to have tcpdump only showing packets that have passed the
> > filtering rules, so to check that firewall rules were correctly written and
> > not letting unwanted packets in.
>
> tcpdump sees packets before they're passed to the firewall coming in,
> and after the firewall going out. Lack of response to inbound packets
> that the firewall is supposed to block is usually a good sign ..
>
> Easiest way to see firewall rules are working is to add logging to them.
>

So if I understand correctly, there is no way in tcpdump to only select
the packets "going out after the firewall"

thanks

--
Stephane
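
Added example, not part of the original thread: a pf.conf fragment showing the rule-logging approach suggested in the quoted reply, with the matching tcpdump invocations on the pflog0 interface given as comments. The interface name em0, the SSH rule and the overall rule layout are assumptions made for illustration.

```conf
# /etc/pf.conf fragment (constructed example; em0 and the SSH rule are assumptions)
ext_if = "em0"

set skip on lo0

# Default deny, and log what is dropped so blocked traffic is visible.
block in log on $ext_if all

# "log" records the packet that creates the state entry;
# "log (all)" would record every packet matching the rule.
pass in log on $ext_if proto tcp from any to ($ext_if) port 22 keep state

# Outbound traffic is passed without logging, so it never appears on pflog0.
pass out on $ext_if all keep state

# Packets matched by a rule carrying "log" are delivered to the pflog0
# interface. The interface must exist and be up; on FreeBSD,
# pflog_enable="YES" in /etc/rc.conf takes care of that.
#
# Watch everything pf logs, with rule number and action shown per packet:
#   tcpdump -n -e -ttt -i pflog0
#
# Show only logged packets that pf passed:
#   tcpdump -n -e -ttt -i pflog0 action pass
#
# Show only logged packets that pf blocked:
#   tcpdump -n -e -ttt -i pflog0 action block
```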