From owner-freebsd-pf@freebsd.org Fri Dec 27 20:49:51 2019 Return-Path: Delivered-To: freebsd-pf@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4E5191CEDD2 for ; Fri, 27 Dec 2019 20:49:51 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from host64.shmhost.net (host64.shmhost.net [IPv6:2a01:4f8:a0:51d7::103:2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 47kzTp2xQ8z4Xx1 for ; Fri, 27 Dec 2019 20:49:50 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from francos-mbp.fritz.box (ip9234d229.dynamic.kabel-deutschland.de [146.52.210.41]) by host64.shmhost.net (Postfix) with ESMTPSA id 47kzTd5tDPzJ6CS; Fri, 27 Dec 2019 21:49:41 +0100 (CET) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\)) Subject: Re: Rule last match timestamp From: Franco Fichtner In-Reply-To: <2C151498-F878-40A3-8A7C-C9C7D36CDBFF@sigsegv.be> Date: Fri, 27 Dec 2019 21:49:41 +0100 Cc: =?utf-8?Q?=C3=96zkan_KIRIK?= , freebsd-pf@freebsd.org Content-Transfer-Encoding: 7bit Message-Id: <8547AD1F-2D76-449E-90DE-DC0D699D9631@lastsummer.de> References: <2C151498-F878-40A3-8A7C-C9C7D36CDBFF@sigsegv.be> To: Kristof Provost X-Mailer: Apple Mail (2.3608.40.2.2.4) X-Virus-Scanned: clamav-milter 0.101.4 at host64.shmhost.net X-Virus-Status: Clean X-Rspamd-Queue-Id: 47kzTp2xQ8z4Xx1 X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of franco@lastsummer.de has no SPF policy when checking 2a01:4f8:a0:51d7::103:2) smtp.mailfrom=franco@lastsummer.de X-Spamd-Result: default: False [-1.56 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCVD_TLS_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; TO_DN_SOME(0.00)[]; MV_CASE(0.50)[]; TAGGED_RCPT(0.00)[]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[lastsummer.de]; AUTH_NA(1.00)[]; NEURAL_HAM_LONG(-1.00)[-0.999,0]; RECEIVED_SPAMHAUS_PBL(0.00)[41.210.52.146.khpj7ygk5idzvmvt5x4ziurxhy.zen.dq.spamhaus.net : 127.0.0.11]; TO_MATCH_ENVRCPT_SOME(0.00)[]; IP_SCORE(-0.97)[ip: (-0.87), ipnet: 2a01:4f8::/29(-2.43), asn: 24940(-1.55), country: DE(-0.02)]; NEURAL_HAM_MEDIUM(-0.99)[-0.991,0]; R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE]; FREEMAIL_CC(0.00)[gmail.com]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Dec 2019 20:49:51 -0000 Hi, > On 27. Dec 2019, at 6:45 PM, Kristof Provost wrote: > > What are you trying to accomplish? Some people believe that "last match" is a great metric to audit rules for intrusion detection and all sorts ruleset optimisation and refinement. In OPNsense the question has popped up a few times to support it, but without doing it in pf(4) directly it makes little sense as you'd have to crawl pflog output and even then you can't crawl non-log rules this way... Cheers, Franco