From: Karol Kornatka
Date: Fri, 07 Nov 2014 20:11:23 +0100
To: freebsd-pf@freebsd.org
Subject: pf log with keep state

Hello freebsd firewallers.
I'm a newbie with FreeBSD, so please forgive me if I'm writing funny things :)

I have a pretty big network (around 2000 hosts) connected through a FreeBSD router. The router is running on a Dell PowerEdge R320 with FreeBSD 10. As the firewall, obviously pf, with around 50000 current state entries and 200 Mbit/s of traffic.

I need to pass and log forwarded traffic. For now I'm using a ruleset like this:

    pass in quick log (all, to pflog2) on $ds02_int_if proto tcp from to any port $ds02_tcp_forward_services flags S/S keep state
    pass in quick on $ds02_int_if proto tcp from to any port $ds02_tcp_forward_services keep state
    pass in quick on $ds02_int_if proto udp from to any port $ds02_udp_forward_services keep state
    pass in quick on $ds02_int_if proto icmp from to any keep state

I thought that:
    the first line should log for me only SYN packets and pass them
    second - pass the rest of tcp, no log
    third - pass udp, no log
    fourth - pass icmp, no log

Logs are killing HDD space (4x1TB in RAID10) - I'm rotating pflog files every hour and I have in total around 10G per hour - 3G after gzip.

What am I doing wrong? The firewall is logging all tcp traffic with all flags ...

By the way - how do I get the real connection time from my logs?

    00:00:00.000158 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [.], ack 1371, win 16425, length 0

Thanks for answers in advance.
Karol
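Added example, not part of the original message or of pf itself: per pf.conf(5), `log (all)` forces every packet matching the state to be logged, while plain `log` records only the packet that created the state. The script below parses constructed pflog lines in the tcpdump format quoted above, accumulates the per-line deltas (assuming the lines came from `tcpdump -ttt`, where the leading timestamp is the gap since the previous line rather than wall-clock time), and pairs each flow's opening SYN with its closing FIN/RST to compute connection time, which is only possible when `log (all)` is in effect.

```python
import re

# Constructed pflog lines in the same format as the one quoted in the post.
# Assumption: printed with `tcpdump -n -ttt`, so the first field is the delta
# from the previous line (HH:MM:SS.micro), not an absolute timestamp.
SAMPLE = """\
00:00:00.000000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [S], seq 1, win 8192, length 0
00:00:00.250000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [.], ack 1371, win 16425, length 0
00:00:01.500000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62887 > 184.28.17.235.80: Flags [S], seq 1, win 8192, length 0
00:00:02.000000 rule 97..16777216/0(match): pass in on vlan4010: 10.210.4.14.62886 > 184.28.17.235.443: Flags [F.], seq 2, ack 1372, win 16425, length 0
"""

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) rule (\S+): (\w+) (in|out) on (\S+): "
    r"(\S+) > (\S+): Flags \[([^\]]*)\]"
)


def parse_pflog(text):
    """Yield (absolute_seconds, rule, src, dst, flags) per parseable line,
    turning the -ttt inter-packet deltas into a running clock."""
    clock = 0.0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-TCP or unrecognised lines
        h, mi, s, us = (int(x) for x in m.group(1, 2, 3, 4))
        clock += h * 3600 + mi * 60 + s + us / 1e6
        yield clock, m.group(5), m.group(9), m.group(10), m.group(11)


def connection_times(text):
    """Return {(endpoint_a, endpoint_b): seconds} for flows whose SYN and a
    later FIN/RST were both logged. With plain `log` only the state-creating
    SYN is written, so there is nothing to pair and the result is empty."""
    opened, closed = {}, {}
    for t, _rule, src, dst, flags in parse_pflog(text):
        key = tuple(sorted((src, dst)))  # direction-agnostic flow key
        if "S" in flags and "." not in flags:  # bare SYN opens the flow
            opened[key] = t
        elif ("F" in flags or "R" in flags) and key in opened:
            closed[key] = round(t - opened.pop(key), 6)
    return closed
```

Flows still open at the end of the file (like port 62887 above) are simply not reported.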