Date: Sun, 23 Jun 2013 00:55:00 +0200
From: Nikos Vassiliadis <nvass@gmx.com>
To: Stan Gammons <s_gammons@charter.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Was Re: PF bugs now PF reporting utility
Message-ID: <51C62B44.1030902@gmx.com>
In-Reply-To: <1371933661.1707.7.camel@localhost>
References: <1371865788.22524.9.camel@localhost> <CAOmxWMXfKyr5gjQUpqqraTVaLJ3XOFNK7P040FPOCSaMGigXdA@mail.gmail.com> <51C5F242.1010608@gmx.com> <1371933661.1707.7.camel@localhost>
On 06/22/2013 10:41 PM, Stan Gammons wrote:
> On Sat, 2013-06-22 at 20:51 +0200, Nikos Vassiliadis wrote:
>> It seems that people think that pf is unmaintained.
>> Quite a disheartening thing for the person that did the hard work
>> to create the smp-friendly pf in FreeBSD-10...
>
> My apologies Nikos for thinking PF is not maintained.

I didn't want to make anybody apologize. I just wanted to add that pf in FreeBSD is not bad or inferior compared to the newer pf in OpenBSD. To some people the performance gain by smp-pf might be considered more useful than pf.conf compatibility between different OSes. Other people might need rdomains and all the other things the FreeBSD version doesn't have... Things have been different for quite a while now and they are growing even more different. The fork happened for a reason, or perhaps for a lot of reasons.

> I was hoping others here could point me to a sysutil that generates
> reports for PF like Lire does for IPFilter etc. I had started work
> on modifying one of the existing Lire dlf converters that would
> work with a PF log file that had been first processed through tcpdump.
> But, I couldn't figure out the format tcpdump uses, so I haven't made
> much progress. Can someone here help with the format tcpdump uses on
> FreeBSD or point me in the right direction?
>

Unfortunately there is no support for pf in lire. OTOH it looks simple enough to hack a custom filter in awk maybe?
(sorry I possess no perl powers)

> root@lab:/var/log # tcpdump -nlttttei pflog0 | awk '{ if ($5 == "block") $5 = "b"; print $1,$2,"hostname","PID", $2,$4,$5,$8,$9,$11 }'
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
> 2013-06-23 01:12:24.210634 hostname PID 01:12:24.210634 0..16777216/0(match): b bridge0: 192.168.65.1.60491 192.168.65.11.23:
> 2013-06-23 01:12:28.016297 hostname PID 01:12:28.016297 0..16777216/0(match): b bridge0: 192.168.65.1.40719 192.168.65.12.23:
> 2013-06-23 01:12:53.307795 hostname PID 01:12:53.307795 0..16777216/0(match): b bridge0: 192.168.65.13.11451 192.168.65.11.23:
> 2013-06-23 01:12:55.781513 hostname PID 01:12:55.781513 0..16777216/0(match): b bridge0: 192.168.65.13.62921 192.168.65.12.23:

The output format I did here is not correct but with a bit of work you could come up with something that looks like an IPFilter log.

HTH,
Nikos
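The pflog-to-report conversion discussed in this thread, as an added Python example that is neither Nikos's awk filter nor any part of Lire: it parses the `tcpdump -nttttei pflog0` field layout the awk one-liner relies on (date, time, `rule <id>(<reason>):`, action, direction, interface, `src > dst:`, packet summary), splits tcpdump's `host.port` endpoints, derives the transport protocol from the summary text, and skips tcpdump's banner and warning lines, which the awk filter passes through as if they were packets. The tab-separated output layout, the sample lines, and all function and field names are assumptions made for this example; the output is not Lire's DLF format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One tcpdump -nttttei line on a pflog interface, in the layout the awk
# one-liner depends on ($4 rule, $5 action, $8 interface, $9 src, $11 dst):
#   <date> <time> rule <id>(<reason>): <action> <dir> on <iface>: <src> > <dst>: <summary>
PFLOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>[^(]+)\((?P<reason>[^)]*)\): "
    r"(?P<action>\S+) (?P<direction>in|out) on (?P<iface>[^:]+): "
    r"(?P<src>\S+) > (?P<dst>\S+):(?: (?P<rest>.*))?$"
)


@dataclass
class PfLogRecord:  # hypothetical record type, named for this example
    date: str
    time: str
    rule: str
    reason: str
    action: str
    direction: str
    iface: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def split_endpoint(ep: str):
    """Split tcpdump's 'host.port' form into (host, port); port is None when absent (e.g. ICMP)."""
    if ":" in ep:  # IPv6 literal: a port, if present, follows the last dot
        host, dot, port = ep.rpartition(".")
        return (host, int(port)) if dot and port.isdigit() else (ep, None)
    parts = ep.split(".")
    if len(parts) == 5 and parts[-1].isdigit():  # IPv4 address plus port
        return ".".join(parts[:4]), int(parts[4])
    return ep, None  # bare IPv4 address, no port


def guess_proto(summary: str) -> str:
    """Derive the transport protocol from tcpdump's packet summary text."""
    if "Flags [" in summary:
        return "tcp"
    if summary.startswith("UDP"):
        return "udp"
    if summary.startswith("ICMP"):
        return "icmp"
    return "other"


def parse_line(line: str) -> Optional[PfLogRecord]:
    """Return a record for a pflog packet line, or None for banners, warnings and unparseable text."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return PfLogRecord(
        date=m["date"], time=m["time"], rule=m["rule"], reason=m["reason"],
        action=m["action"], direction=m["direction"], iface=m["iface"],
        proto=guess_proto(m["rest"] or ""),
        src=src, sport=sport, dst=dst, dport=dport,
    )


def normalize(rec: PfLogRecord) -> str:
    """Emit one tab-separated line (a constructed intermediate layout, not Lire's DLF)."""
    def port(p: Optional[int]) -> str:
        return "-" if p is None else str(p)
    return "\t".join([
        f"{rec.date} {rec.time}", rec.iface, rec.action, rec.direction, rec.proto,
        rec.src, port(rec.sport), rec.dst, port(rec.dport), rec.rule,
    ])


def convert(lines: List[str]) -> List[str]:
    """Convert raw tcpdump output to normalized lines, dropping non-packet lines."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            out.append(normalize(rec))
    return out


# Constructed sample input in the tcpdump -nttttei pflog0 layout (not a capture from the thread's host).
SAMPLE = """\
tcpdump: WARNING: pflog0: no IPv4 address assigned
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
2013-06-23 01:12:24.210634 rule 0..16777216/0(match): block in on bridge0: 192.168.65.1.60491 > 192.168.65.11.23: Flags [S], seq 1, win 65535, length 0
2013-06-23 01:12:30.000001 rule 3/0(match): pass in on bridge0: 192.168.65.13.5353 > 192.168.65.12.53: UDP, length 40
2013-06-23 01:12:31.000002 rule 0..16777216/0(match): block out on bridge0: 192.168.65.11 > 192.168.65.1: ICMP echo request, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    # In real use, feed the lines of `tcpdump -nlttttei pflog0` here instead of SAMPLE.
    for row in convert(SAMPLE):
        print(row)
```

Because `parse_line` returns `None` for anything that does not match the packet layout, the "no IPv4 address assigned" warning and the "listening on pflog0" banner never reach the report, whereas the awk one-liner prints mangled versions of them as if they were packets. Port splitting on the last dot is what makes the IPv4 and IPv6 endpoint forms safe to handle in one place.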
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51C62B44.1030902>