Date: Tue, 10 May 2011 18:45:08 +0200 From: Nicolas GRENECHE <nicolas.greneche@gmail.com> To: freebsd-pf@freebsd.org Subject: Filtering on a sensor dedicated interface Message-ID: <BANLkTimd5=wzH7dLKKb98jKR3Bmix%2Bx3SQ@mail.gmail.com>
Hi,

We are currently experimenting with a way of capturing packets of supposedly compromised hosts with PF, so my question may seem a bit odd.

I have two interfaces, em0 and em1, connected to a network TAP. Running tcpdump on each shows me dumped packets, no problems. Those two interfaces are configured like this in rc.conf:

    ifconfig_em0="promisc -arp up"
    ifconfig_em1="promisc -arp up"

Loading rules:

    sondedi# pfctl -f /etc/pf.conf.local
    No ALTQ support in kernel
    ALTQ related functions disabled

Showing rules:

    sondedi# pfctl -s rules
    No ALTQ support in kernel
    ALTQ related functions disabled
    pass log on em0 inet from any to X.X.X.X no state
    pass log on em1 inet from any to X.X.X.X no state

Now if I try to ssh to X.X.X.X, the pflog interface says nothing:

    sondedi# tcpdump -netti pflog0
    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes

The rule doesn't seem to be matched. But tcpdump tells everything:

    sondedi# tcpdump -netti em0 dst port 22 and dst host X.X.X.X
    tcpdump: WARNING: em0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
    SOME PACKETS ...

As far as tcpdump is concerned, packets seem to go through the interface. Why doesn't pf see them?

Regards,
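A diagnostic step that separates "the rule never matches" from "pf never sees the packet", added here as an example and not part of the original mail or of any reply in the thread: pf keeps an Evaluations counter per rule that increments whenever the rule is considered for a packet, so a rule on em0 with Evaluations still at 0 after traffic was visible in tcpdump means no packet from that interface ever reached pf's hook at all. The script below parses `pfctl -vvsr` output (which prints each rule as `@<n> ...` followed by a `[ Evaluations: ... Packets: ... ]` line) and lists the rules that were never evaluated. The transcript it runs on is constructed for the example; 192.0.2.10 is a documentation address standing in for the X.X.X.X of the mail, and the em2 rule is invented only to show a rule that pf does evaluate. On a real sensor, feed it the live output: `pfctl -vvsr | pf_never_evaluated`.

```shell
#!/bin/sh
# Added example (not from the original post): find pf rules whose
# Evaluations counter is still zero in "pfctl -vvsr" output.

# Parse "pfctl -vvsr" output from stdin and print one line per rule:
#   <rule-number> <evaluations> <packets> <rule text>
pf_rule_stats() {
    awk '
        /^@[0-9]+ / {                      # rule line, e.g. "@0 pass log on em0 ..."
            num = substr($1, 2)
            rule = $0
            sub(/^@[0-9]+ /, "", rule)
            next
        }
        /^ *\[ Evaluations:/ {             # counter line belonging to the rule above
            printf "%s %s %s %s\n", num, $3, $5, rule
        }
    '
}

# Print the rule numbers whose Evaluations counter is 0.  For these rules pf
# never looked at a single packet, so an empty pflog0 is expected and the
# capture path into pf, not the rule syntax, is what needs attention.
pf_never_evaluated() {
    pf_rule_stats | awk '$2 == 0 { print $1 }'
}

# Constructed transcript of "pfctl -vvsr" (documentation address 192.0.2.10
# stands in for the redacted X.X.X.X; the em2 rule is invented for contrast).
SAMPLE='@0 pass log on em0 inet from any to 192.0.2.10 no state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@1 pass log on em1 inet from any to 192.0.2.10 no state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@2 pass in on em2 inet proto tcp from any to 192.0.2.10 port = ssh flags S/SA keep state
  [ Evaluations: 42        Packets: 17        Bytes: 2048        States: 1     ]
  [ Inserted: uid 0 pid 1234 State Creations: 3     ]'

echo "rule evaluations packets text"
printf '%s\n' "$SAMPLE" | pf_rule_stats
echo "never evaluated:"
printf '%s\n' "$SAMPLE" | pf_never_evaluated
```

If Evaluations is non-zero but Packets stays at 0, the packets do reach pf and the rule itself is what does not match; if both are zero for the TAP-facing rules while tcpdump on the same interface shows traffic, the frames are being seen by BPF but never handed to pf.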