Date: Fri, 27 Dec 2019 21:49:41 +0100
From: Franco Fichtner <franco@lastsummer.de>
To: Kristof Provost <kristof@sigsegv.be>
Cc: Özkan KIRIK <ozkan.kirik@gmail.com>, freebsd-pf@freebsd.org
Subject: Re: Rule last match timestamp
Message-ID: <8547AD1F-2D76-449E-90DE-DC0D699D9631@lastsummer.de>
In-Reply-To: <2C151498-F878-40A3-8A7C-C9C7D36CDBFF@sigsegv.be>
References: <CAAcX-AGFg04rD=4_rJino_CvMiU4f3a+vxhiLwV=-x2ikWfO_w@mail.gmail.com> <2C151498-F878-40A3-8A7C-C9C7D36CDBFF@sigsegv.be>
Hi,

> On 27. Dec 2019, at 6:45 PM, Kristof Provost <kristof@sigsegv.be> wrote:
>
> What are you trying to accomplish?

Some people believe that "last match" is a great metric to audit rules for intrusion detection and all sorts of ruleset optimisation and refinement. In OPNsense the question has popped up a few times to support it, but without doing it in pf(4) directly it makes little sense, as you'd have to crawl pflog output and even then you can't crawl non-log rules this way...

Cheers,
Franco
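The userland workaround Franco refers to, crawling pflog output to derive a per-rule "last match" time, as an added example that is not part of the original thread nor of pf(4) or OPNsense code. It assumes the line prefix tcpdump prints for pflog records with `-tttt` timestamps (`<date> <time> rule N/M(reason): action dir on ifname: ...`), uses constructed sample lines, and stands in hypothetical rule numbers for the `@N` numbering `pfctl -vvsr` prints. It also shows the limitation from the mail: a rule with no pflog record is indistinguishable from a rule that never matched.

```python
"""Approximate a per-rule "last match" timestamp from pflog output.

pf(4) does not track when a rule last matched.  From userland the only
approximation is to read pflog (e.g. tcpdump -n -e -tttt -i pflog0) and
keep the newest timestamp seen per rule number.  Rules without the `log`
keyword never produce pflog records, so no timestamp can be derived for
them at all.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, Optional, Set

# Prefix tcpdump prints for a pflog record (assumed -tttt timestamp format):
#   2019-12-27 21:49:41.123456 rule 5/0(match): pass in on em0: <packet>
# A rule inside a named anchor prints as "rule 5.<anchor>.0/0(match)".
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) "
    r"rule (?P<rule>\d+)(?:\.(?P<anchor>\S+?)\.\d+)?/(?P<sub>\d+)"
    r"\((?P<reason>[^)]+)\): (?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<packet>.*)$"
)

# Constructed sample pflog lines (not real traffic).  Note the out-of-order
# timestamp for rule 3, the anchor rule, and one line of junk.
SAMPLE_PFLOG = """\
2019-12-27 21:40:02.118402 rule 3/0(match): pass in on em0: 192.0.2.10.51234 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
2019-12-27 21:41:17.503311 rule 7/0(match): block in on em0: 203.0.113.9.4444 > 198.51.100.5.23: Flags [S], seq 2, win 1024, length 0
2019-12-27 21:42:00.000001 rule 3/0(match): pass in on em0: 192.0.2.11.40001 > 198.51.100.5.443: Flags [S], seq 3, win 65535, length 0
2019-12-27 21:39:59.900000 rule 3/0(match): pass in on em0: 192.0.2.12.40002 > 198.51.100.5.80: Flags [S], seq 4, win 65535, length 0
2019-12-27 21:43:31.000000 rule 1.ssh-guard.0/0(match): block in on em0: 203.0.113.77.9999 > 198.51.100.5.22: Flags [S], seq 5, win 1024, length 0
this line is not a pflog record
"""

# Hypothetical main-ruleset rule numbers, as pfctl -vvsr would print them (@N).
RULESET_RULES: Set[int] = {1, 2, 3, 5, 7}


def parse_pflog_line(line: str) -> Optional[dict]:
    """Parse one tcpdump pflog line; return None for anything else."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    rec["rule"] = int(rec["rule"])
    rec["sub"] = int(rec["sub"])
    return rec


def last_match(lines: Iterable[str]) -> Dict[int, datetime]:
    """Newest pflog timestamp seen per main-ruleset rule number.

    Lines are not assumed to be in time order; the maximum is kept.
    Anchor rules are skipped because their numbers index a different ruleset.
    """
    seen: Dict[int, datetime] = {}
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["anchor"] is not None:
            continue
        prev = seen.get(rec["rule"])
        if prev is None or rec["ts"] > prev:
            seen[rec["rule"]] = rec["ts"]
    return seen


def rules_without_timestamp(ruleset: Set[int], seen: Dict[int, datetime]) -> Set[int]:
    """Rules for which pflog yields no timestamp.

    Such a rule may lack the `log` keyword or may simply never have matched;
    pflog cannot tell the two apart, which is the limitation in the thread.
    """
    return ruleset - set(seen)


if __name__ == "__main__":
    seen = last_match(SAMPLE_PFLOG.splitlines())
    for rule in sorted(RULESET_RULES):
        ts = seen.get(rule)
        status = ts.isoformat() if ts else "no pflog record (no log keyword, or never matched)"
        print(f"@{rule}: {status}")
```

Only rules 3 and 7 get a timestamp here; rules 1, 2 and 5 come back empty, and nothing in pflog says whether that is because they are non-log rules or because no packet ever hit them. That is why the thread argues the counter belongs in pf(4) itself.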