Date: Fri, 07 Nov 2014 20:11:23 +0100
From: Karol Kornatka <karol@kornatka.pl>
To: freebsd-pf@freebsd.org
Subject: pf log with keep state
Message-ID: <545D195B.2050909@kornatka.pl>
Hello FreeBSD firewallers.

I'm a newbie with FreeBSD, so please forgive me if I'm writing funny things :)

I have a pretty big network (around 2000 hosts) having connection through a FreeBSD router. The router is working on a Dell PowerEdge R320 and FreeBSD 10. As firewall obviously pf, with around 50000 pf state current entries and 200 Mbit/s traffic.

I need to pass and log forwarded traffic. For now I'm using a ruleset like this:

    pass in quick log ( all, to pflog2) on $ds02_int_if proto tcp from <clients-ds02> to any port $ds02_tcp_forward_services flags S/S keep state
    pass in quick on $ds02_int_if proto tcp from <clients-ds02> to any port $ds02_tcp_forward_services keep state
    pass in quick on $ds02_int_if proto udp from <clients-ds02> to any port $ds02_udp_forward_services keep state
    pass in quick on $ds02_int_if proto icmp from <clients-ds02> to any keep state

I thought that the first line should log for me only SYN packets and pass them;
second - pass the rest of tcp, no log;
third - pass udp, no log;
fourth - pass icmp, no log.

Logs are killing hdd space (4x1TB in raid10) - I'm rotating pflog files every hour and I have in summary around 10G per hour - 3G after gzip.

What am I doing wrong? The firewall is logging all tcp traffic with all flags ...

By the way - how to get the real connection time from my logs?

    00:00:00.000158 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [.], ack 1371, win 16425, length 0

Thanks for answers in advance.

Karol
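As an added example (not part of Karol's post), the logged rule from the ruleset above with its `log (all, ...)` option beside the same rule using plain `log (to pflog2)`; pf.conf(5) documents that a state-creating rule logs only the packet that creates the state unless the `all` option is given. The macros and table are assumed to be defined elsewhere in the same pf.conf:

```pf
# Added example, not from the original post. $ds02_int_if, <clients-ds02>,
# $ds02_tcp_forward_services and pflog2 are taken from the quoted ruleset
# and are assumed to be defined elsewhere in pf.conf.

# Before: "log (all, ...)" logs every packet matching the rule OR the state it
# created, so every ACK and data segment of each forwarded TCP connection is
# written to pflog2 even though "flags S/S" limits rule matching to SYNs.
pass in quick log (all, to pflog2) on $ds02_int_if proto tcp \
    from <clients-ds02> to any port $ds02_tcp_forward_services \
    flags S/S keep state

# After: plain "log" on a state-creating rule logs only the state-creating
# packet, here the initial SYN; later packets of the same connection are
# matched by the state entry and are not logged.
pass in quick log (to pflog2) on $ds02_int_if proto tcp \
    from <clients-ds02> to any port $ds02_tcp_forward_services \
    flags S/S keep state
```

`pfctl -nf /etc/pf.conf` checks the edited file without loading it, and `pfctl -f /etc/pf.conf` loads it; the pflog2 volume should then be roughly one record per new connection rather than one per packet.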