From: Volker
To: Eric
Cc: freebsd-pf@freebsd.org
Date: Tue, 20 Mar 2007 13:17:11 +0100
Subject: Re: pf logging differences
Message-ID: <45FFD0C7.6030600@vwsoft.com>
In-Reply-To: <45FE919B.7040208@mikestammer.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 12/23/-58 20:59, Eric wrote:
> in this case, pf logging looks like this:
>
> # tcpdump -etttti pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 bytes
> 2007-03-19 08:19:35.242979 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
> 2007-03-19 08:19:36.252372 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
> 2007-03-19 08:19:37.262760 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
>
> Why is the first host producing more detailed logs? Why isn't pf showing
> the port that was blocked or anything else like it does in the first
> host? Is there a way to make the ng0 interface log more or is this due
> to the netgraph hooks into pf?

ICMP packets do NOT have any port numbers. The example you've shown had 3
ICMP packets being blocked.

On the other side, I'm always using `tcpdump -nettttvvi ...' (the -vv
parameter gives more output but might annoy you for SMB / netbios traffic).

HTH,
Volker
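A small parser for the `tcpdump -etttt -i pflog0` line format quoted in the thread, added here as an example and not code from either poster. It shows why the ICMP lines carry no port field and what a TCP or UDP line in the same format would look like; the two non-ICMP sample lines are constructed (TEST-NET source address), and the `[|icmp]` reading relies on tcpdump's general truncation marker rather than anything stated in the thread.

```python
import re
from collections import Counter

# One line of `tcpdump -etttt -i pflog0` output; "[|icmp]" = snaplen cut the packet.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

def split_endpoint(ep):
    """tcpdump prints 'host.port' for TCP/UDP but a bare host for ICMP."""
    head, sep, last = ep.rpartition(".")
    if not sep or not last.isdigit():
        return ep, None                     # e.g. access.savagedata.net
    labels = head.split(".")
    if (len(labels) == 4 and all(l.isdigit() for l in labels)
            or any(not l.isdigit() for l in labels)):
        return head, int(last)              # 10.0.0.1.22 or host.example.22
    return ep, None                         # e.g. 68.249.177.115 (no port)

def parse_pflog_line(line):
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"], rec["sport"] = split_endpoint(rec["src"])
    rec["dst"], rec["dport"] = split_endpoint(rec["dst"])
    rest = rec["rest"].lower()
    rec["truncated"] = rest.startswith("[|")   # decode stopped at the snaplen
    rec["proto"] = ("icmp" if "icmp" in rest else "udp" if "udp" in rest
                    else "tcp" if rec["dport"] is not None else "unknown")
    return rec

def blocked_summary(text):
    """Blocked packets per (iface, proto, dst, dport); dport is None for ICMP."""
    recs = (parse_pflog_line(l) for l in text.splitlines())
    return Counter((r["ifname"], r["proto"], r["dst"], r["dport"])
                   for r in recs if r and r["action"] == "block")

# Constructed sample: the three ICMP lines quoted in the thread plus two
# made-up TCP/UDP lines (TEST-NET source) to show where a port would appear.
SAMPLE = """\
2007-03-19 08:19:35.242979 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
2007-03-19 08:19:36.252372 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
2007-03-19 08:19:37.262760 rule 1/0(match): block in on ng0: access.savagedata.net > 68.249.177.115: [|icmp]
2007-03-19 08:20:01.000001 rule 1/0(match): block in on ng0: 203.0.113.9.51234 > 68.249.177.115.22: S 1:1(0) win 65535
2007-03-19 08:20:02.000002 rule 1/0(match): block in on ng0: 203.0.113.9.40000 > 68.249.177.115.53: udp 40
"""
```

Running `blocked_summary(SAMPLE)` groups the three ICMP blocks under a `None` port and the TCP/UDP blocks under ports 22 and 53, which is the distinction the question was really about.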