From nobody Thu Oct 20 16:50:50 2022
Message-ID: <4fa4e31a-449d-5b79-5d59-12de4bbd7651@comcast.net>
Date: Thu, 20 Oct 2022 09:50:50 -0700
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
Sender: owner-freebsd-pf@freebsd.org
Subject: Re: logging NAT sessions (connection tracking)
To: Guy Brand, pf@freebsd.org
From: fddi
Thanks a lot for your answer. I would greatly appreciate taking a look at your modification if you are keen to share it. Really appreciated.

Rick

On 10/20/22 12:13 AM, Guy Brand wrote:
> On Oct 11, 2022 at 10:53 -0700, fddi wrote:
>
> Hello,
>
>> I found no obvious or easy way to log NAT sessions.
>> I have a bunch of NAT boxes implemented with FreeBSD 13.1 and PF.
>> I need to log NAT sessions but so far I still have to figure out a good way
>> to do it.
>>
>> I ended up using this:
>> https://github.com/italovalcy/pfnattrack
>>
>> but I am not sure it is working well. It seems not to be "real time"
>> and logs are delayed.
>>
>> Any way I could do something similar with pflog?
>> Does anybody have a working solution for NAT session logging?
> We've been using pfnattrack, slightly modified, for several years now
> and it does the job. It's deployed to log NAT sessions on our campus
> wifi infrastructure with thousands of clients connecting every day.
> I can share our modifications here if there is an interest.
>
> We did not find something else that would do the job (pflog based or
> not).
>
> Regards
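The simplest way to get NAT session records out of pf without any extra tooling is to poll the state table and diff successive snapshots. The script below is an added example for this thread; it is not pfnattrack's code and not something either poster wrote. It assumes the `pfctl -ss` line format FreeBSD pf prints for an outbound source-NAT state (translated source, original inside source in parentheses, then destination, then the pf state), only handles those outbound lines (plain states and inbound `rdr` states with `<-` are skipped), and the two snapshots embedded in it are constructed, not captured from a real box. The `pfctl -ss` call needs root.

```python
"""Poll pf's state table and write NAT session open/close records.

Added example for the freebsd-pf thread on NAT session logging; not
pfnattrack's code.  Assumed `pfctl -ss` line format (FreeBSD pf) for an
outbound source-NAT state:

    <if> <proto> <translated-src> (<original-src>) -> <dst>   <state>

States with no parenthesised original address (no NAT) and inbound
rdr states (`<-`) are skipped on purpose.
"""
import re
import subprocess
import time
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample snapshots of two successive polls; not real output.
SNAPSHOT_1 = """\
all tcp 203.0.113.1:51234 (10.0.0.5:51234) -> 192.0.2.10:443       ESTABLISHED:ESTABLISHED
all udp 203.0.113.1:61000 (10.0.0.9:50123) -> 192.0.2.53:53        MULTIPLE:SINGLE
all tcp 192.0.2.10:22 <- 10.0.0.5:40000                             ESTABLISHED:ESTABLISHED
"""
SNAPSHOT_2 = """\
all tcp 203.0.113.1:51234 (10.0.0.5:51234) -> 192.0.2.10:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.1:52001 (10.0.0.7:52001) -> 198.51.100.9:80      ESTABLISHED:ESTABLISHED
"""

# Endpoints contain no whitespace, so \S+ covers both the IPv4 "addr:port"
# and the IPv6 "addr[port]" forms without caring about their shape.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<nat_src>\S+)\s+"
    r"\((?P<orig_src>\S+)\)\s+->\s+(?P<dst>\S+)"
)

# (proto, inside endpoint, translated endpoint, destination)
Key = Tuple[str, str, str, str]


def parse_states(text: str) -> Dict[Key, str]:
    """Map each outbound source-NAT state to its pf state string."""
    sessions: Dict[Key, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        m = STATE_RE.match(stripped)
        if not m:
            continue  # no translation on this state, or an rdr state
        key = (m["proto"], m["orig_src"], m["nat_src"], m["dst"])
        sessions[key] = stripped[m.end():].strip()
    return sessions


def diff_states(old: Dict[Key, str], new: Dict[Key, str]) -> List[Tuple[str, Key]]:
    """Keys gone since the last poll are closed sessions; new keys are opened."""
    events = [("close", k) for k in sorted(old.keys() - new.keys())]
    events += [("open", k) for k in sorted(new.keys() - old.keys())]
    return events


def format_event(ts: str, kind: str, key: Key) -> str:
    """One greppable line per event: timestamp plus the public address:port
    and the inside client, which is what an abuse report has to be mapped to."""
    proto, inside, outside, dst = key
    return f"{ts} {kind} {proto} inside={inside} outside={outside} dst={dst}"


def read_state_table() -> str:
    """Run pfctl(8) on the NAT box itself; requires root."""
    return subprocess.run(["pfctl", "-ss"], capture_output=True,
                          text=True, check=True).stdout


def poll_loop(interval: float = 1.0) -> None:
    """Log in UTC so records line up with upstream logs and abuse reports."""
    previous: Dict[Key, str] = {}
    while True:
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        current = parse_states(read_state_table())
        for kind, key in diff_states(previous, current):
            print(format_event(now, kind, key), flush=True)
        previous = current
        time.sleep(interval)


if __name__ == "__main__":
    poll_loop()
```

Run it on the NAT box as root and redirect its output into whatever log pipeline the site uses. The polling interval is the trade-off to keep in mind: it bounds how late an "open" record is written, and any state that is created and expires between two polls (a single DNS query through a short UDP timeout, for example) is never recorded at all. Rather than a bug in any particular tool, that delay is inherent to snapshot-based tracking; a complete record of every translation needs an event-driven source such as pf's own state insert and delete notifications on the pfsync interface, which is the design question to ask of any tool used for this job.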