Date: Thu, 15 Jun 2017 22:22:05 +0200
From: Malte Graebner <mg@maltedoc.de>
To: Mike Tancsa <mike@sentex.net>, freebsd-pf@freebsd.org
Subject: Re: pf logging only no active filtering
Message-ID: <2355471a-1507-d38f-41c4-7c8523b838b2@maltedoc.de>
In-Reply-To: <c88d1da5-ac0f-8556-c31b-5b1da401ecee@sentex.net>
References: <ce326104-b653-1839-8b2a-687a39da7188@maltedoc.de>
 <32bdfeef-fd4a-09d9-d811-4b4b6b24aa15@sentex.net>
 <f03bb685-4888-bc37-e80a-3e5751ec7d7f@maltedoc.de>
 <c88d1da5-ac0f-8556-c31b-5b1da401ecee@sentex.net>
Don't get me wrong. I get your point. I guess when using your method, I need
to put in rule by rule, to test each "pass" rule on its own - okay, no problem.
But ... :D I also need to test a mix of 300 nat/binat/rdr rules out of 10
networks. So the pass quick rule can't help me, because the nat rules still
get evaluated and filtered (rule order), or am I wrong?

I'm looking for something like pfctl -vv -n -f /etc/pf.conf for the pf set
which is logging against a "virtual" rule set, which will not take any
actions except logging the theoretical action to pflog.0.

On 15.06.2017 at 21:47, Mike Tancsa wrote:
> On 6/15/2017 3:32 PM, Malte Graebner wrote:
>> using the quick phrase has the side effect that I'm not able to see if
>> there are any packets that would be blocked which shouldn't be, because of
>> not evaluating the whole ruleset (about 500 rules).
> I am not sure I follow, can you rephrase/restate the above? Do you mean
> the quick pass rule is not being evaluated, even if it's the very first
> rule? Perhaps illustrate the condition with a minimal set of pf rules?
>
> If you don't use the pass in {rdr|binat|nat} and make the quick line the
> first line, nothing should get evaluated after the quick pass.
> Also, I would always add 'log' to all the rules when debugging, so you
> see what's actually being hit. There should not be any mysteries that way.
>
> ---Mike
>
>
>> e.g.: multiple bidirectional nat rules doing not what I expect them
>> to do. Then I can fix the ruleset without affecting the live
>> environment. But therefore I need to process the whole ruleset, to not
>> get unhandy surprises with some rules when going live.
>>
>>
>> On 15.06.2017 at 21:18, Mike Tancsa wrote:
>>> On 6/15/2017 2:21 PM, Malte Graebner wrote:
>>>> Hello folks,
>>>> is there an option to only log all stuff going on via the "log" command and
>>>> without taking any action on the traffic flow itself?
>>> Perhaps
>>>
>>> pass quick log <make it specific or general as you want>
>>>
>>> ... quick matches and then no longer evals the rules.
>>>
>>> ---Mike
>>>
>>>
>>
>
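A minimal ruleset in the shape Mike asks for, added here as an illustration and not posted by either of them; the interface name, networks and host address are made-up placeholders, and the comments spell out the rule-order point Malte raises:

```conf
# Constructed example pf.conf for FreeBSD pf (not from the thread).
# Check it without loading it:  pfctl -vv -n -f /etc/pf.conf
# (-n parses and prints the rules but does not install them, so it
#  never tells you which rule live traffic would hit).
ext_if  = "em0"            # placeholder interface
int_net = "192.0.2.0/24"   # placeholder internal network

# Translation rules are evaluated before the filter rules below, so a
# filter-side "pass quick log" does not stop them from being applied.
# Adding "pass" here would make matching packets skip the filter rules
# entirely, which is why Mike says to leave it out while debugging.
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 8080 -> 192.0.2.10 port 80

# Sentinel: every packet matches here, is logged to pflog0 and is passed;
# because of "quick", none of the rules after it are evaluated.
# Remove this line to let the real policy take effect.
pass quick log all

# Real policy, with "log" on every rule so each hit is visible in pflog0
# once the sentinel is gone.
block log all
pass in log on $ext_if proto tcp from any to ($ext_if) port { 22, 80 }
pass log from $int_net to any keep state
```

Read the log with tcpdump -n -e -ttt -i pflog0; the -e flag shows the rule number that matched, which is what makes the per-rule "log" useful.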