From owner-freebsd-pf@FreeBSD.ORG Tue Sep 15 19:05:19 2009
Message-ID: <4AAFE24A.2040602@uffner.com>
Date: Tue, 15 Sep 2009 14:51:54 -0400
From: Tom Uffner
To: gaurav@subisu.net.np
Cc: freebsd-pf@freebsd.org
References: <4AADC15B.5060501@subisu.net.np>
In-Reply-To: <4AADC15B.5060501@subisu.net.np>
Subject: Re: Packet Filter alerting system.

Gaurav Ghimire wrote:
> Just curious to know if we have something, some alerting system or
> mechanism that provides the administrator with the daily reports that pf
> itself or some other tool collects on pf's behalf.
>
> That probably reports the admin of:
> ~ Total connection counts matched on each ruleset.
> ~ Total number of counts matched on deny rules.

/etc/periodic/security/520.pfdenied. It should be enabled by default if you
haven't done anything unnatural to the /etc/periodic system.

> ~ IP/Port attack logs and relatives.

Only if you specify "log" in one or more of your pf rules, in which case
you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
/var/log/pf.{today,yesterday}.

tom
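The two data sources named in the reply, the per-rule counters that `pfctl -vsr` prints (what 520.pfdenied reports on) and the text `tcpdump` produces when reading `/var/log/pflog`, are both easy to turn into the kind of daily summary the question asks for. The script below is an added example written for this page; it is not code from the thread, from FreeBSD's periodic scripts, or from pf itself. It assumes the output layouts of `pfctl -sr -v` and `tcpdump -n -e -ttt -r /var/log/pflog` as shown in the embedded, constructed samples (all addresses are RFC 5737 documentation ranges, all counters are made up), and the pflog parser only understands the IPv4 TCP/UDP line shape, skipping anything else.

```python
"""Summarise pf activity the way a daily periodic(8) security report might.

Added example for this thread, not FreeBSD's own 520.pfdenied.  Two parsers:
  * summarize_rules()  reads text shaped like `pfctl -vsr` output and returns
    per-rule evaluation/packet counters, flagging block rules that matched;
  * summarize_pflog()  reads text shaped like `tcpdump -n -e -ttt -r pflog`
    output and counts blocked packets per rule, source address and dst port.
Both inputs below are CONSTRUCTED samples so the script runs offline.
"""
import re
from collections import Counter

# Constructed sample in the shape of `pfctl -vsr`: a rule line followed by
# indented counter lines.  Numbers are invented.
SAMPLE_PFCTL_VSR = """\
block drop in log all
  [ Evaluations: 1523      Packets: 87        Bytes: 5220        States: 0     ]
  [ Inserted: uid 0 pid 412 State Creations: 0     ]
pass in quick on em0 inet proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 1436      Packets: 9120      Bytes: 1048576     States: 2     ]
  [ Inserted: uid 0 pid 412 State Creations: 14    ]
block drop in log quick on em0 inet proto tcp from any to any port = telnet
  [ Evaluations: 1436      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 412 State Creations: 0     ]
"""

# Constructed sample in the shape of `tcpdump -n -e -ttt -r /var/log/pflog`.
# Addresses are RFC 5737 documentation ranges; nothing here was captured.
SAMPLE_PFLOG_TEXT = """\
 00:00:00.000000 rule 0/0(match): block in on em0: 192.0.2.10.51234 > 198.51.100.5.22: Flags [S], seq 1000, win 65535, length 0
 00:00:01.204412 rule 0/0(match): block in on em0: 192.0.2.10.51235 > 198.51.100.5.23: Flags [S], seq 1001, win 65535, length 0
 00:00:02.000381 rule 0/0(match): block in on em0: 203.0.113.77.40000 > 198.51.100.5.22: Flags [S], seq 2000, win 64240, length 0
 00:00:00.000117 rule 0/0(match): block in on em0: 203.0.113.77.40001 > 198.51.100.5.3389: Flags [S], seq 2001, win 64240, length 0
 00:00:05.118822 rule 1/0(match): pass in on em0: 192.0.2.200.55000 > 198.51.100.5.22: Flags [S], seq 3000, win 65535, length 0
"""

COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)"
)

# rule N/M(match): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>:
# IPv4 with ports only; ICMP and IPv6 lines simply fail to match and are skipped.
PFLOG_RE = re.compile(
    r"rule (\d+)/\d+\(match\): (block|pass) (in|out) on (\S+): "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def summarize_rules(text):
    """One dict per rule with its counters; 'denied' marks block rules that hit."""
    rules, current = [], None
    for line in text.splitlines():
        if not line.startswith(" "):           # unindented: a rule, not a counter
            current = {"rule": line.strip(), "evaluations": 0,
                       "packets": 0, "bytes": 0, "states": 0}
            rules.append(current)
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            (current["evaluations"], current["packets"],
             current["bytes"], current["states"]) = map(int, m.groups())
    for r in rules:
        r["denied"] = r["rule"].startswith("block") and r["packets"] > 0
    return rules


def summarize_pflog(text):
    """Count blocked packets by rule number, source address and destination port."""
    by_rule, by_src, by_dport = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m or m.group(2) != "block":     # only report what pf denied
            continue
        rule, _act, _dir, _ifname, src, _sport, _dst, dport = m.groups()
        by_rule[int(rule)] += 1
        by_src[src] += 1
        by_dport[int(dport)] += 1
    return {"by_rule": by_rule, "by_src": by_src, "by_dport": by_dport}


def report(pfctl_text, pflog_text):
    """Render both summaries as the plain text a periodic mail would carry."""
    out = ["pf rule counters:"]
    for r in summarize_rules(pfctl_text):
        flag = "DENIED" if r["denied"] else "      "
        out.append(f"  {flag} eval={r['evaluations']:>6} pkts={r['packets']:>6}  {r['rule']}")
    s = summarize_pflog(pflog_text)
    out.append("blocked packets by source address:")
    out.extend(f"  {n:>5}  {src}" for src, n in s["by_src"].most_common())
    out.append("blocked packets by destination port:")
    out.extend(f"  {n:>5}  {port}" for port, n in s["by_dport"].most_common())
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_PFCTL_VSR, SAMPLE_PFLOG_TEXT))
```

On a live system the two sample strings would be replaced by the output of `pfctl -sr -v` and of `tcpdump -n -e -ttt -r /var/log/pflog` (or the rotated `pflog.?.bz2` files), and the script dropped into `/etc/periodic/daily` so its text arrives with the rest of the daily mail. Keep the rules-summary and the pflog summary separate in the report: the first tells you which rules are doing work, the second only exists for rules carrying `log`, which is exactly the point the reply makes.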