From owner-freebsd-pf@FreeBSD.ORG Thu Sep 17 19:30:27 2009
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1E0221065672 for ; Thu, 17 Sep 2009 19:30:27 +0000 (UTC) (envelope-from tim@hoganzoo.com)
Received: from wolf.hoganzoo.com (wolf.hoganzoo.com [66.37.133.25]) by mx1.freebsd.org (Postfix) with ESMTP id C32A08FC19 for ; Thu, 17 Sep 2009 19:30:26 +0000 (UTC)
Received: from [127.0.0.1] (unknown [10.1.1.1]) by wolf.hoganzoo.com (Postfix) with ESMTP id BAEA47E8C5; Thu, 17 Sep 2009 13:13:54 -0600 (MDT)
Message-ID: <4AB28A7A.2060206@hoganzoo.com>
Date: Thu, 17 Sep 2009 13:14:02 -0600
From: Tim Hogan
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Tom Uffner
References: <4AADC15B.5060501@subisu.net.np> <4AAFE24A.2040602@uffner.com>
In-Reply-To: <4AAFE24A.2040602@uffner.com>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms050806040209080301030403"
Cc: freebsd-pf@freebsd.org
Subject: Re: Packet Filter alerting system.
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 17 Sep 2009 19:30:27 -0000

Tom Uffner wrote:
> Gaurav Ghimire wrote:
>> Just curious to know if we have something, some alerting system or
>> mechanism that provides the administrator with the daily reports that
>> pf itself or some other
>> tool collects on pf's behalf.
>>
>> That probably reports the admin of:
>> ~ Total connection counts matched on each ruleset.
>> ~ Total number of counts matched on deny rules.
>
> /etc/periodic/security/520.pfdenied
>
> it should be enabled by default if you haven't done anything unnatural to
> the /etc/periodic system
>
>> ~ IP/Port attack logs and relatives.
>
> only if you specify "log" in one or more of your pf rules, in which
> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
> /var/log/pf.{today,yesterday}
>
> tom
>

Not sure if this will help but I have added the following line to
/etc/periodic/security/520.pfdenied

pfctl -sr -v | grep -v "Inserted:" | awk '/^[apb]/ { printf "\n%s\n", $0 } $0 !~ /^[apb]/' | mailx -s "Daily PF Hit Report" root

This will produce something like the following for each rule that you have:

pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 560355 Packets: 46 Bytes: 4058 States: 0 ]

The downside is that the numbers will increment from the last time PF was
restarted, not from the previous day.

Regards,
Tim
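Tim's one-liner mails the counters pf has accumulated since it last started. As an added example that is not part of the thread, the sh script below parses the same "pfctl -sr -v" output, keeps a snapshot from the previous run, and prints each rule's increase since that run, which is the per-day figure the thread asks for; the two days of pfctl output and the snapshot path are constructed for the demo.

```shell
# Added example, not code from the thread: report each pf rule's counters as the
# increase since the previous run instead of the total since pf last started.
# The "pfctl -sr -v" output below is constructed to mimic two consecutive days;
# the block rule's counter drops on day two, as it would after a pf restart or reload.
DAY1='pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 560355    Packets: 46        Bytes: 4058        States: 0     ]
  [ Inserted: uid 0 pid 4242 ]
block drop in log quick on vr0 all
  [ Evaluations: 560355    Packets: 900       Bytes: 72000       States: 0     ]
  [ Inserted: uid 0 pid 4242 ]'
DAY2='pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 601000    Packets: 58        Bytes: 5102        States: 0     ]
  [ Inserted: uid 0 pid 4242 ]
block drop in log quick on vr0 all
  [ Evaluations: 601000    Packets: 12        Bytes: 960         States: 0     ]
  [ Inserted: uid 0 pid 4242 ]'
# parse_counters: stdin = pfctl -sr -v text; stdout = "<rule>\t<packets>\t<bytes>".
# The counter line reads "[ Evaluations: N  Packets: P  Bytes: B  States: S ]", so P and B are fields 5 and 7.
parse_counters() {
    grep -v 'Inserted:' | awk '
        /^[apb]/   { rule = $0; next }                        # pass/block/anchor rule line
        /Packets:/ { printf "%s\t%s\t%s\n", rule, $5, $7 }'   # counters belong to that rule
}
# delta_report PREV CUR: both files in parse_counters format; prints each rule's growth.
# A counter below the snapshot means it was reset, so the whole current value
# is today's traffic rather than a negative number.
delta_report() {
    awk -F '\t' '
        FILENAME == ARGV[1] { pp[$1] = $2; pb[$1] = $3; next }    # load the snapshot
        {
            dp = ($1 in pp && $2 >= pp[$1]) ? $2 - pp[$1] : $2
            db = ($1 in pb && $3 >= pb[$1]) ? $3 - pb[$1] : $3
            printf "%s\t%d\t%d\n", $1, dp, db
        }' "$1" "$2"
}
# daily_pf_report PFCTL_OUTPUT SNAPSHOT: one periodic run; today's totals become
# tomorrow's baseline. Live use would save "pfctl -sr -v" output to a file first.
daily_pf_report() {
    cur=$(mktemp) && parse_counters < "$1" > "$cur"
    [ -f "$2" ] || : > "$2"
    delta_report "$2" "$cur" && mv "$cur" "$2"
}
# run_demo: two "days" against a fresh snapshot; prints only the day-two deltas.
run_demo() {
    d=$(mktemp -d) && printf '%s\n' "$DAY1" > "$d/day1" && printf '%s\n' "$DAY2" > "$d/day2"
    daily_pf_report "$d/day1" "$d/snap" > /dev/null    # first run: no baseline yet
    daily_pf_report "$d/day2" "$d/snap"; rm -r "$d"
}
run_demo
```

Piping the output of daily_pf_report into mailx, as Tim does with pfctl directly, turns this into the daily per-rule report; on day two the demo reports 12 packets/1044 bytes for the pass rule and 12 packets/960 bytes for the reset block rule.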