Date: Tue, 20 Mar 2007 13:17:11 +0100
From: Volker <volker@vwsoft.com>
To: Eric <heli@mikestammer.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf logging differences
Message-ID: <45FFD0C7.6030600@vwsoft.com>
In-Reply-To: <45FE919B.7040208@mikestammer.com>
References: <45FE919B.7040208@mikestammer.com>
On 12/23/-58 20:59, Eric wrote:
> in this case, pf logging looks like this:
>
> # > tcpdump -etttti pflog0
> # > tcpdump: WARNING: pflog0: no IPv4 address assigned
> # > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> # > listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 bytes
> # > 2007-03-19 08:19:35.242979 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
> # > 2007-03-19 08:19:36.252372 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
> # > 2007-03-19 08:19:37.262760 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
>
> Why is the first host producing more detailed logs? Why isn't pf showing
> the port that was blocked or anything else like it does in the first
> host? Is there a way to make the ng0 interface log more or is this due
> to the netgraph hooks into pf?

ICMP packets do NOT have any port numbers. The example you've shown had 3 ICMP packets being blocked.

On the other side, I'm always using `tcpdump -nettttvvi ...' (the -vv parameter gives more output but might annoy you for SMB / netbios traffic).

HTH,
Volker
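As an added illustration (not code from this thread or from the pf/tcpdump projects), here is a small Python parser for the text that `tcpdump -tttt` prints for pflog records. It shows the point Volker makes: an ICMP record has no port fields at all, so a parser must not try to split one off, while TCP and UDP endpoints end in a dotted port (or a service name when `-n` is omitted). The three ICMP lines are the ones quoted above; the TCP and DNS lines, the `em0` interface, rule numbers 3 and 4 and the addresses in them are constructed for the example, and the protocol guess from the packet summary is a heuristic.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The three ICMP lines are the ones quoted in the
# thread (tcpdump -etttti pflog0 on ng0); the TCP and DNS/UDP lines are
# constructed in the same older-tcpdump text format to show records that do
# carry port numbers. Interface, addresses and rule numbers there are made up.
SAMPLE_LOG = """\
2007-03-19 08:19:35.242979 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
2007-03-19 08:19:36.252372 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
2007-03-19 08:19:37.262760 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
2007-03-19 08:20:01.000000 rule 3/0(match): block in on em0: 192.0.2.10.51234 > 198.51.100.5.22: S 1234:1234(0) win 65535
2007-03-19 08:20:02.000000 rule 4/0(match): pass out on em0: 198.51.100.5.53123 > 192.0.2.53.53: 1234+ A? example.com. (29)
"""

# One pflog line as printed by tcpdump -tttt: timestamp, rule/subrule(reason),
# action, direction, interface, then the packet summary "src > dst: detail".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>block|pass|match) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$"
)

TCP_FLAGS_RE = re.compile(r"^[SFPR.]+ ")  # old-style TCP summary: "S 1:1(0) win ..."


@dataclass
class PfLogRecord:
    ts: str
    rule: int
    reason: str
    action: str
    direction: str
    iface: str
    proto: str                 # "icmp", "tcp", "udp" or "unknown" (heuristic)
    src: str
    dst: str
    src_port: Optional[str]    # None for ICMP: ICMP carries no port field
    dst_port: Optional[str]    # string, since without -n tcpdump prints "ssh"


def _guess_proto(rest: str) -> str:
    """Heuristic protocol guess from the summary after 'src > dst:'."""
    if "icmp" in rest.lower():
        return "icmp"
    if TCP_FLAGS_RE.match(rest) or rest.startswith("Flags ["):
        return "tcp"
    if rest.startswith("udp") or re.search(r"\b[A-Z]+\? ", rest):
        return "udp"           # raw UDP or a decoded DNS query
    return "unknown"


def _split_port(endpoint: str) -> Tuple[str, Optional[str]]:
    """'192.0.2.10.51234' -> ('192.0.2.10', '51234'): last dotted label is the port."""
    host, _, port = endpoint.rpartition(".")
    return (host, port) if host else (endpoint, None)


def parse_pflog_line(line: str) -> Optional[PfLogRecord]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = _guess_proto(m["rest"])
    if proto == "icmp":
        # Do not split a port off an ICMP endpoint: there is none to find.
        src, sport = m["src"], None
        dst, dport = m["dst"], None
    else:
        src, sport = _split_port(m["src"])
        dst, dport = _split_port(m["dst"])
    return PfLogRecord(m["ts"], int(m["rule"]), m["reason"], m["action"], m["dir"],
                       m["iface"], proto, src, dst, sport, dport)


def parse_pflog(text: str) -> List[PfLogRecord]:
    return [r for r in (parse_pflog_line(l) for l in text.splitlines()) if r]


def summarize(records: List[PfLogRecord]) -> Dict[str, int]:
    """Count records per 'action/proto', e.g. {'block/icmp': 3, 'block/tcp': 1}."""
    return dict(Counter(f"{r.action}/{r.proto}" for r in records))


def describe(r: PfLogRecord) -> str:
    if r.src_port is None:
        ends = f"{r.src} -> {r.dst} (no ports: {r.proto} has none)"
    else:
        ends = f"{r.src}:{r.src_port} -> {r.dst}:{r.dst_port}"
    return f"{r.ts} rule {r.rule} {r.action} {r.direction} on {r.iface} {r.proto} {ends}"


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_LOG)
    for rec in recs:
        print(describe(rec))
    print(summarize(recs))
```

Run against the sample, the three `ng0` records come out as `block/icmp` with both port fields empty, and only the constructed `em0` records carry ports. Feeding the parser output of `tcpdump -n` keeps endpoints numeric, which is why the `-n` in Volker's `tcpdump -nettttvvi` invocation matters for anything that post-processes the log.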
