From: "Tim Hogan"
Reply-To: tim@hoganzoo.com
To: freebsd-questions@freebsd.org
Date: Wed, 2 Feb 2005 09:21:04 -0700 (MST)
Message-ID: <30432.192.18.101.5.1107361264.squirrel@www.hoganzoo.com>
Subject: Trouble reading the nightly "security run output" report
List-Id: User questions

OK, so every night the default install of FreeBSD generates a "security run output" report for IPF denied packets. Here is a sample report:

> 221143 @2 block out log quick on dc0 from any to any head 15
> 92733 @2 block in log quick on dc0 from any to any head 10
> 20 @8 block in log quick on dc0 from 10.0.0.0/8 to any group 10

That's it. I am looking at this and trying to figure out if it is useful and just what those numbers are for.
I have IPF creating a log entry for all of the dropped packets, but when I look at the logs I can't match those numbers at all. In fact, if I do a 'wc -l' on the log file I get a count of 10,780 lines. If I take into account the log entries that have a consecutive count logged I come up with 11,422. Not even close to the numbers listed above. So just what does this report mean, and is there a better tool to run that would give me a nightly report of total drops and perhaps the top ten offenders and why?

Thanks,
Tim
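The script below is an added example and is not part of Tim's post or of any FreeBSD tool. It makes two assumptions that the post itself does not state: that the three report lines have the shape of `ipfstat -nio` output (a per-rule packet counter, the rule number after `@`, then the rule text), so they count packets per rule rather than per log line and keep accumulating until the counters are zeroed; and that the log file is ipmon(8) output written through syslog, where an `Nx` marker in front of the interface name means ipmon collapsed N identical consecutive packets into one line. On those assumptions it parses both formats, totals blocked packets (honouring `Nx`, which is why a plain `wc -l` undercounts), and ranks the top sources and the services they were aiming at. The log excerpt is constructed for the example; the interface, host and rule numbers are placeholders.

```python
#!/usr/bin/env python3
"""Summarize IPFilter drops: total blocked packets plus top offenders.

Added example, not part of the original post.  Assumed input formats:
  * report lines "<hits> @<rule> <rule text>" as printed by `ipfstat -nio`
  * ipmon(8) log lines written via syslog, with ipmon's optional "Nx" marker
IPv4 addresses only.
"""
import re
from collections import Counter

# "<hits> @<rule> <rule text>", optionally prefixed with "> " as in the mailed report
REPORT_RE = re.compile(r"^\s*(?P<hits>\d+)\s+@(?P<rule>\d+)\s+(?P<text>.+?)\s*$")

# The ipmon part of a log line, after any syslog prefix and ipmon's own timestamp:
#   [Nx] <iface> @<group>:<rule> <action> <src>[,<sport>] -> <dst>[,<dport>] PR <proto> ...
IPMON_RE = re.compile(
    r"(?:(?P<repeat>\d+)x\s+)?"                                # "3x": 3 identical packets
    r"(?P<iface>[a-z]+\d+)\s+"                                 # interface, e.g. dc0
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"                        # rule group:number matched
    r"(?P<action>\S+)\s+"                                      # "b" block, "p" pass, ...
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\w+)"
)

# Constructed sample log (placeholder hosts and rules), in the shape of ipmon -s output.
SAMPLE_LOG = """\
Feb  2 03:14:07 wolf ipmon[312]: 03:14:07.123456 dc0 @0:2 b 10.0.0.5,1034 -> 66.37.133.25,22 PR tcp len 20 60 -S IN
Feb  2 03:14:09 wolf ipmon[312]: 03:14:09.654321 3x dc0 @0:2 b 10.0.0.5,1035 -> 66.37.133.25,22 PR tcp len 20 60 -S IN
Feb  2 03:15:11 wolf ipmon[312]: 03:15:11.000001 dc0 @0:8 b 10.23.4.5 -> 66.37.133.25 PR icmp len 20 84 icmp 8/0 IN
Feb  2 03:16:00 wolf ipmon[312]: 03:16:00.000002 dc0 @0:1 p 192.0.2.9,53 -> 66.37.133.25,3001 PR udp len 20 80 IN
Feb  2 03:17:00 wolf ipmon[312]: 03:17:00.000003 dc0 @0:2 b 198.51.100.7,4444 -> 66.37.133.25,80 PR tcp len 20 48 -S IN
Feb  2 03:17:02 wolf ipmon[312]: 03:17:02.000004 2x dc0 @0:2 b 198.51.100.7,4445 -> 66.37.133.25,80 PR tcp len 20 48 -S IN
Feb  2 03:18:00 wolf sshd[400]: Accepted publickey for tim from 192.0.2.20 port 40022 ssh2
"""


def parse_report_line(line):
    """Split a nightly-report line into (hits, rule_number, rule_text); None if no match."""
    m = REPORT_RE.match(line.lstrip("> "))
    return (int(m["hits"]), int(m["rule"]), m["text"]) if m else None


def parse_ipmon_line(line):
    """Parse one ipmon log line into a dict; None for lines that are not ipmon output."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["repeat"] = int(rec["repeat"] or 1)      # no "Nx" marker means exactly one packet
    rec["group"], rec["rule"] = int(rec["group"]), int(rec["rule"])
    return rec


def summarize_blocks(lines, top=10):
    """Count blocked packets (honouring "Nx") and rank sources and targets.

    Returns {"lines": blocked log lines, "total": blocked packets,
             "top_sources": [(src, packets)], "top_targets": [("proto/port", packets)]}.
    """
    by_src, by_target = Counter(), Counter()
    n_lines = total = 0
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None or not rec["action"].startswith("b"):
            continue                                 # not ipmon, or not a block
        n_lines += 1
        total += rec["repeat"]                       # packets, not lines
        by_src[rec["src"]] += rec["repeat"]
        target = rec["proto"] + ("/" + rec["dport"] if rec["dport"] else "")
        by_target[target] += rec["repeat"]
    return {"lines": n_lines, "total": total,
            "top_sources": by_src.most_common(top),
            "top_targets": by_target.most_common(top)}


def format_report(summary):
    """Render the summary as the kind of text a nightly mail would carry."""
    out = ["blocked packets: %d (in %d log lines)" % (summary["total"], summary["lines"]),
           "top sources:"]
    out += ["  %-16s %d" % (src, n) for src, n in summary["top_sources"]]
    out.append("top targets (proto/port):")
    out += ["  %-16s %d" % (tgt, n) for tgt, n in summary["top_targets"]]
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(format_report(summarize_blocks(src)))
```

Run it as `python3 ipfsummary.py /var/log/ipf.log` (path assumed; use wherever syslog.conf sends ipmon's output) to get the total and top-ten lists for that file; for a per-day view, feed it the day's rotated log rather than the whole file, since the per-rule counters in the nightly report are cumulative and will never line up with a single day's lines.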