Date: Fri, 17 Sep 2004 18:49:11 -0000 (GMT)
From: "Hugo Silva"
To: freebsd-questions@FreeBSD.org, freebsd-current@FreeBSD.org
Subject: Re: pf not logging on 5.3-BETA3 ?

> On Thursday 16 September 2004 21:19, Thomas T. Veldhouse wrote:
>> Bruno Afonso wrote:
>> > Thomas T. Veldhouse wrote:
>> >> Max Laier wrote:
>> >>> Okay, have you guys read UPDATING?
>> >>
>> >> Yes, but it is from a BETA3 install ... so the user/group was already
>> >> there. Besides, installworld will fail unless this group is added
>> >> first.
>> >
>> > Did you do "mergemaster -p" ?
>>
>> Yes. But like I said, it is not required to move from 5.3-BETA3 to
>> RELENG_5 as the changes in master.passwd and group are already there.
>> If they were not, an installworld would fail because the chown or chgrp
>> commands fail trying to set the user or group to _pflogd or authpf
>> (group).
>>
>> In any event, my passwd and group file are indeed up to date and
>> /var/log/pflog broken (no logging taking place).
>>
>> fuggle# ps aux | grep pf
>> root 340 0.0 0.3 1584 612 ?? Ss 3:05PM 0:00.01 pflogd:
>> [priv] (
>> _pflogd 343 0.0 0.3 1648 652 ?? S 3:05PM 0:11.14 pflogd:
>> [running
>> root 21395 0.0 0.1 440 224 p1 R+ 2:18PM 0:00.00 grep pf
>
> Are you sure that you have logging rules in place? And are you sure that
> these rules are matched? Please attach the output of "$pfctl -vvsr" if in
> doubt.
>

Yep, I can follow the log with my pflog script:

[root@evilreborn:/home/klr]# pflog
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
2. 827601 rule 7/0(match): block out on rl1: IP X.X.X.X.61201 > 66.35.250.150.6060: S 1604621353:1604621353(0) win 65535 (ip blocked out)

[workstation:
[killer@europa:/home/killer/] telnet slashdot.org 6060
Trying 66.35.250.150...
]

The script (very simple):

[root@evilreborn:/home/klr]# cat `which pflog`
tcpdump -n -e -ttt -i pflog0

This ensures logging rules are there, but anyway:

[root@evilreborn:/home/klr]# grep log /etc/pf.conf
block in log on $net proto { tcp,udp,icmp }
block out log on $net proto { tcp,udp,icmp }

> Also, are you using the module or did you build pf into your kernel
> directly?

Compiled directly into the kernel, device pf/pflog/pfsync, all ALTQ options:

options ALTQ
options ALTQ_CBQ # Class Bases Queueing
options ALTQ_RED # Random Early Drop
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler
options ALTQ_CDNR # Traffic conditioner
options ALTQ_PRIQ # Priority Queueing
options ALTQ_NOPCC # Required for SMP build
options ALTQ
device pf # Packet Filter
device pfsync
device pflog
_DEBUG

> Did you put in "device pflog" as well? What does "$ifconfig pflog0" say?

[root@evilreborn:/home/klr]# ifconfig pflog0
pflog0: flags=41 mtu 33208

If more info is needed, let me know. I don't think this is an obvious
mistake of mine (although it could be, I haven't looked at this problem in
the last days, must take some time to look more carefully at it).

As a reminder, the system is:

FreeBSD evilreborn 5.3-BETA3 FreeBSD 5.3-BETA3 #0: Wed Sep 15 19:18:51 WEST 2004 klr@evilreborn:/usr/src/sys/i386/compile/evilreborn53-kernel i386

>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News
>

Best Regards,

Hugo