Date:      Fri, 09 Sep 2005 17:15:48 -0400
From:      bob self <bobself@charter.net>
To:        Max Laier <max@love2party.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: selective logging of what pf is rejecting?
Message-ID:  <4321FB84.7070909@charter.net>
In-Reply-To: <200509092153.00708.max@love2party.net>
References:  <4321D9DF.5080206@charter.net> <ffa9ac69050909121711783ef@mail.gmail.com> <200509092153.00708.max@love2party.net>


Max Laier wrote:

>On Friday 09 September 2005 21:17, Huzeyfe Onal wrote:
>  
>
>>hi,
>>you can use tcpdump to watch pf action, why it drop or accept packets.
>>
>>try to use
>>tcpdump -i pflog0 -e
>>    
>>
>
>right.
>
>  
>
>>ps: pflogd must be running... also read
>>http://www.openbsd.com/faq/pf/logging.html
>>    
>>
>
>wrong.  pflogd just records the log data to disk, no need to watch the 
>livefeed.
>
>  
>
>>2005/9/9, bob self <bobself@charter.net>:
>>    
>>
>>>My pf.conf file looks something like this
>>>
>>>block in all
>>>block out all
>>>pass quick on lo0 keep state
>>>antispoof for $ext_if
>>>
>>>pass in on $ext_if from <goodguys> to any keep state
>>>pass in log on $ext_if proto tcp from any to $ext_if port 80 flags S/SA keep state label "www"        #apache
>>>block in on $ext_if from <badguys> to any
>>>
>>>pass out on $ext_if proto tcp from any to any flags S/SA keep state    # allow any tcp setup out
>>>pass out on $ext_if proto udp all keep state                # allow any udp out
>>>
>>>pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state    # allow echo request in or out, (man pf.conf:1618)
>>>
>>>
>>>Is there a way I can turn on (temporarily) logging of what pf is not
>>>allowing to come in? Also, is there a real-time tool that
>>>will let you watch what pf is blocking from coming in?
>>>
>>>How could you just log what pf allows to get through?
>>>      
>>>
>
>You can use pcap filters to get only info you are interested in.  See 
>tcpdump(1)::ifname ff.  ... the "action" filter might be of special interest 
>for your question.
>
>  
>
I guess that my question is really where do I put the 'log' word(s) in 
pf.conf to be able to do this.
I tried adding 'log' to everything in my pf.conf to see pinging from the 
outside and using tcpdump I don't see anything.
I'm using tcpdump like this:

tcpdump -l -n -e -ttt -i pflog0
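As an added example (not code from this thread), the script below parses the lines that `tcpdump -n -e -ttt -i pflog0` prints and picks out only the blocked inbound packets, the same selection Max's pcap-filter suggestion gives with `tcpdump -n -e -ttt -i pflog0 action block and inbound`. pf writes a packet to pflog0 only for a rule that carries `log`, so `block in log all` (or `block in log on $ext_if from <badguys> to any`) is what puts drops on the interface, and the existing `pass in log ... port 80` rule is what logs accepted web connections. The sample lines are constructed, and the line layout `rule N/M(reason): action dir on ifname: src > dst: ...` is assumed to be what tcpdump's pflog printer produces; the function and variable names are my own.

```python
#!/usr/bin/env python3
"""Summarise pflog output captured with `tcpdump -n -e -ttt -i pflog0`.

Added example, not from the mailing-list thread.  Assumes tcpdump's pflog
line layout `rule N/M(reason): ACTION DIR on IFACE: SRC > DST: ...`.
"""
import re
from collections import Counter

# Constructed sample: what you would see with `block in log all` plus the
# `pass in log ... port 80` rule in pf.conf (addresses are documentation
# ranges, rule numbers are made up).
SAMPLE = """\
000000 rule 0/0(match): block in on fxp0: 203.0.113.9.4021 > 192.0.2.10.22: S 1:1(0) win 5840
012345 rule 0/0(match): block in on fxp0: 203.0.113.9 > 192.0.2.10: icmp: echo request
000410 rule 3/0(match): pass in on fxp0: 198.51.100.7.51234 > 192.0.2.10.80: S 100:100(0) win 65535
000007 rule 0/0(match): block in on fxp0: 203.0.113.44.53 > 192.0.2.10.1025: udp 70
000120 rule 5/0(match): pass out on fxp0: 192.0.2.10.49152 > 198.51.100.7.443: S 9:9(0) win 65535
"""

# One pflog record: rule number, match reason, action, direction, interface,
# then the usual "src > dst:" pair printed with -n (ports appended with a dot).
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)(?:/\d+)?\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)


def split_hostport(token):
    """'10.0.0.5.3342' -> ('10.0.0.5', 3342); '10.0.0.5' (icmp) -> ('10.0.0.5', None)."""
    parts = token.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return token, None


def parse_pflog_line(line):
    """Return a dict for one pflog line, or None if it is not a pflog record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src"], rec["sport"] = split_hostport(rec["src"])
    rec["dst"], rec["dport"] = split_hostport(rec["dst"])
    return rec


def select(text, action=None, direction=None, ifname=None):
    """Filter records the way a pcap expression such as
    `action block and inbound and on fxp0` would on pflog0."""
    hits = []
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        if action is not None and rec["action"] != action:
            continue
        if direction is not None and rec["dir"] != direction:
            continue
        if ifname is not None and rec["ifname"] != ifname:
            continue
        hits.append(rec)
    return hits


def summarize(text):
    """Count records per (action, direction, rule number); handy for spotting
    which rule in pf.conf is doing the blocking."""
    counts = Counter()
    for rec in select(text):
        counts[(rec["action"], rec["dir"], rec["rule"])] += 1
    return counts


if __name__ == "__main__":
    for rec in select(SAMPLE, action="block", direction="in"):
        print("blocked in on %s: %s -> %s port %s (rule %d)"
              % (rec["ifname"], rec["src"], rec["dst"], rec["dport"], rec["rule"]))
    for key, n in sorted(summarize(SAMPLE).items()):
        print("%-5s %-3s rule %-3d %d" % (key[0], key[1], key[2], n))
```

Feed it a live stream with `tcpdump -l -n -e -ttt -i pflog0 | python3 pflog_summary.py` after replacing `SAMPLE` with `sys.stdin.read()`, or run it on `tcpdump -n -e -ttt -r /var/log/pflog` output for what pflogd has already written to disk.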





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4321FB84.7070909>