From owner-freebsd-pf@FreeBSD.ORG Sat Sep 10 06:19:18 2005
From: Huzeyfe Onal <huzeyfe.onal@gmail.com>
Reply-To: huzeyfe.onal@gmail.com
To: bob self
Cc: freebsd-pf@freebsd.org
Date: Fri, 9 Sep 2005 23:19:16 -0700
Subject: Re: selective logging of what pf is rejecting?
In-Reply-To: <4321FB84.7070909@charter.net>
References: <4321D9DF.5080206@charter.net> <200509092153.00708.max@love2party.net> <4321FB84.7070909@charter.net>
Hi,

do you see the packets with tcpdump with -i $ext_if options?

#tcpdump -ttt -n -i rl0 icmp

for icmp packets..

2005/9/9, bob self:
> Max Laier wrote:
>
> >On Friday 09 September 2005 21:17, Huzeyfe Onal wrote:
> >
> >>hi,
> >>you can use tcpdump to watch pf action, why it drops or accepts packets.
> >>
> >>try to use
> >>tcpdump -i pflog0 -e
> >
> >right.
> >
> >>ps: pflogd must be running... also read
> >>http://www.openbsd.com/faq/pf/logging.html
> >
> >wrong. pflogd just records the log data to disk, no need to watch the
> >livefeed.
> >
> >>2005/9/9, bob self:
> >>
> >>>My pf.conf file looks something like this
> >>>
> >>>block in all
> >>>block out all
> >>>pass quick on lo0 keep state
> >>>antispoof for $ext_if
> >>>
> >>>pass in on $ext_if from to any keep state
> >>>pass in log on $ext_if proto tcp from any to $ext_if port 80 flags S/SA keep state label "www" #apache
> >>>block in on $ext_if from to any
> >>>
> >>>pass out on $ext_if proto tcp from any to any flags S/SA keep state # allow any tcp setup out
> >>>pass out on $ext_if proto udp all keep state # allow any udp out
> >>>
> >>>pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state # allow echo request in or out, (man pf.conf:1618)
> >>>
> >>>Is there a way I can turn on (temporarily) logging of what pf is not
> >>>allowing to come in? Also, is there a real-time tool that
> >>>will let you watch what pf is blocking from coming in?
> >>>
> >>>How could you just log what pf allows to get through?
> >
> >You can use pcap filters to get only info you are interested in. See
> >tcpdump(1)::ifname ff. ... the "action" filter might be of special interest
> >for your question.
> >
> I guess that my question is really where do I put the 'log' word(s) in
> pf.conf to be able to do this.
> I tried adding 'log' to everything in my pf.conf to see pinging from the
> outside and using tcpdump I don't see anything.
> I'm using tcpdump like this:
>
> tcpdump -l -n -e -ttt -i pflog0
>

--
Huzeyfe ÖNAL

---
First Turkish Qmail book is out! Go check it.
Have you heard! Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/
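Added example, not from the thread: bob's ruleset with the log keyword placed so that what pf rejects actually reaches pflog0. The interface name rl0 is taken from Huzeyfe's tcpdump command; the two rules whose source table names did not survive on this page (the "from to any" lines) are left out rather than guessed.

```pf
ext_if = "rl0"

# Default deny.  'log' goes on the block rules: pf only writes a packet to
# pflog0 if the rule that finally decides its fate carries 'log', so putting
# 'log' only on pass rules shows you what got in, never what was dropped.
block in log all
block out log all

pass quick on lo0 keep state
antispoof log for $ext_if

# Logged pass for the web server, as in the original ruleset.
pass in log on $ext_if proto tcp from any to $ext_if port 80 \
    flags S/SA keep state label "www"

pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass out on $ext_if proto udp all keep state

# pf is last-match by default (no 'quick' here): an echo request matched
# first by 'block in log all' and then by this rule is passed, and logging is
# decided by this rule, not by the block rule.  Add 'log' here if you want to
# see the pings that get through as well.
pass log on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
```

Load it with `pfctl -f /etc/pf.conf`, make sure the pflog0 interface exists and is up (on FreeBSD, `pflog_enable="YES"` in /etc/rc.conf takes care of that and also starts pflogd; pflogd itself is not needed for live watching, as Max says), then select what you want to see with the pflog-specific pcap filters Max points to: `tcpdump -n -e -ttt -i pflog0 action block` shows only rejected packets, `action pass` only accepted ones, and these combine with ordinary filters such as `ifname rl0` or `proto icmp`. Two caveats: with `keep state` only the packet that creates the state is logged, so a long-running connection produces one line, not one per packet, unless the rule says `log (all)` (`log-all` on older pf); and since the `-e` output names the rule number that matched, `pfctl -sr -vv` lets you map that number back to the line in pf.conf.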