Date: Thu, 20 Oct 2022 09:13:24 +0200
From: Guy Brand <gb@unistra.fr>
To: pf@freebsd.org
Subject: Re: logging NAT sessions (connection tracking)
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

On Oct 11, 2022 at 10:53 -0700, fddi wrote:

Hello,

> I found no obvious or easy way to log NAT sessions.
> I have a bunch of NAT boxes implemented with FreeBSD 13.1 and PF.
> I need to log NAT sessions but so far I still have to figure out a good way
> to do it.
>
> I ended up using this:
> https://github.com/italovalcy/pfnattrack
>
> but I am not sure it is working well. It seems not to be "real time"
> and logs are delayed.
>
> Any way I could do something similar with pflog?
> Does anybody have a working solution for NAT session logging?

We've been using pfnattrack, slightly modified, for several years now and it does the job. It's deployed to log NAT sessions on our campus wifi infrastructure with thousands of clients connecting every day. I can share our modifications here if there is an interest. We did not find anything else that would do the job (pflog based or not).

Regards
-- 
Guy
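The simplest way to get NAT session records out of pf without a dedicated tool is to poll the state table and diff consecutive snapshots, logging the inside endpoint, its translated address/port and the destination for every mapping that appears or disappears. The script below is an added example for this thread; it is not pfnattrack's code and does not replicate how pfnattrack works. It assumes the FreeBSD `pfctl -ss` line shape `<if> <proto> <ext>:<port> (<int>:<port>) -> <dst>:<port> <state>` for translated outbound states (the parenthesised endpoint being the pre-translation address), and the two snapshots embedded in it are constructed, not captured output.

```python
"""Derive NAT session events by diffing `pfctl -ss` snapshots.

Added example for the pf@ thread on NAT session logging; not pfnattrack's code.
Assumes the FreeBSD `pfctl -ss` line shape
'<if> <proto> <ext>:<port> (<int>:<port>) -> <dst>:<port> <state>'
for translated outbound states, which is the form that carries the NAT mapping.
"""
import re
import subprocess
import time
from typing import Dict, List, NamedTuple, Optional, Tuple


class NatSession(NamedTuple):
    proto: str
    int_ip: str     # pre-translation (inside) address
    int_port: int
    ext_ip: str     # translated (outside) address
    ext_port: int
    dst_ip: str
    dst_port: int


# Constructed sample snapshots in the assumed `pfctl -ss` shape (not real output).
SAMPLE_SNAPSHOT_1 = """\
all tcp 203.0.113.5:40001 (10.0.0.7:51234) -> 198.51.100.9:443       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.9:443 <- 10.0.0.7:51234       ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:40002 (10.0.0.8:5353) -> 198.51.100.53:53       MULTIPLE:SINGLE
"""
SAMPLE_SNAPSHOT_2 = """\
all tcp 203.0.113.5:40001 (10.0.0.7:51234) -> 198.51.100.9:443       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.9:443 <- 10.0.0.7:51234       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:40003 (10.0.0.9:33000) -> 192.0.2.20:22       ESTABLISHED:ESTABLISHED
"""

# Only the translated form with a parenthesised inside endpoint is of interest;
# the mirror '<-' entry for the same flow carries no mapping and is skipped.
NAT_LINE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<ext>\S+)\s+\((?P<int>\S+)\)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)


def split_endpoint(text: str) -> Tuple[str, int]:
    """pf prints IPv4 as 'a.b.c.d:port' and IPv6 as 'addr[port]'."""
    if text.endswith("]"):
        host, port = text[:-1].rsplit("[", 1)
    else:
        host, port = text.rsplit(":", 1)
    return host, int(port)


def parse_state_line(line: str) -> Optional[Tuple[NatSession, str]]:
    """Return (session, state) for a translated outbound entry, else None."""
    m = NAT_LINE.match(line)
    if not m:
        return None
    ext_ip, ext_port = split_endpoint(m["ext"])
    int_ip, int_port = split_endpoint(m["int"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    session = NatSession(m["proto"], int_ip, int_port, ext_ip, ext_port, dst_ip, dst_port)
    return session, m["state"]


def parse_snapshot(text: str) -> Dict[NatSession, str]:
    """Map every NAT session in one `pfctl -ss` dump to its current state."""
    sessions: Dict[NatSession, str] = {}
    for line in text.splitlines():
        parsed = parse_state_line(line)
        if parsed:
            sessions[parsed[0]] = parsed[1]
    return sessions


def diff_snapshots(old: Dict[NatSession, str],
                   new: Dict[NatSession, str]) -> Tuple[List[NatSession], List[NatSession]]:
    """Sessions that appeared since the last poll, and sessions that vanished."""
    opened = sorted(s for s in new if s not in old)
    closed = sorted(s for s in old if s not in new)
    return opened, closed


def format_event(ts: str, event: str, s: NatSession) -> str:
    """One greppable line per event: inside endpoint -> translated -> destination."""
    return (f"{ts} nat {event} {s.proto} {s.int_ip}:{s.int_port} -> "
            f"{s.ext_ip}:{s.ext_port} -> {s.dst_ip}:{s.dst_port}")


def read_state_table() -> str:
    """Live source: `pfctl -ss` needs root; only used when running on a pf box."""
    return subprocess.run(["pfctl", "-ss"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demo over the two constructed snapshots; on a real box replace
    # SAMPLE_SNAPSHOT_* with read_state_table() inside a sleep loop.
    previous = parse_snapshot(SAMPLE_SNAPSHOT_1)
    current = parse_snapshot(SAMPLE_SNAPSHOT_2)
    now = time.strftime("%Y-%m-%dT%H:%M:%S")
    opened, closed = diff_snapshots(previous, current)
    for s in opened:
        print(format_event(now, "open", s))
    for s in closed:
        print(format_event(now, "close", s))
```

Run against the constructed snapshots this logs one `open` for the new 10.0.0.9 session and one `close` for the UDP mapping that vanished. The limitation is exactly the one raised in the thread: a polling loop can only see sessions that live longer than its interval, so short flows are missed and event timestamps lag the real state change by up to one interval. Whatever the poll source, keeping the inside address, the translated port and the timestamp together on one line is what makes the log usable later for mapping an abuse report back to a client.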