pf & tcpdump
Ian Smith
smithi at nimnet.asn.au
Fri Nov 13 13:27:53 UTC 2009
On Fri, 13 Nov 2009, Stephane D'Alu wrote:
> On 13/11/2009 13:08, Ian Smith wrote:
> > On Fri, 13 Nov 2009, Stephane D'Alu wrote:
> > > Is there a way to have tcpdump only showing packets that have passed the
> > > filtering rules, so to check that firewall rules were correctly written and
> > > not letting unwanted packets in.
> >
> > tcpdump sees packets before they're passed to the firewall coming in,
> > and after the firewall going out. Lack of response to inbound packets
> > that the firewall is supposed to block is usually a good sign ..
> >
> > Easiest way to see firewall rules are working is to add logging to them.
> >
>
> So if I understand correctly, there is no way in tcpdump to only select the
> packets "going out after the firewall"

Not sure I'm following you; thought you were referring to incoming
packets above? From tcpdump(1):

    dir qualifiers specify a particular transfer direction to and/or from id.
    Possible directions are src, dst, src or dst and src and dst. E.g.,
    `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is
    no dir qualifier, src or dst is assumed.

All packets "going out after the firewall" on an interface are visible,
you can filter to those you're looking for. Or do I miss your meaning?

cheers, Ian
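
Added example, not part of the original message: one way to apply the "add logging to the rules" advice with pf is to log from the rules and read the pflog0 interface with tcpdump, which shows pf's verdict per packet. The interface name em0, the port 22 rule, and the ruleset layout are assumptions made for illustration.

```conf
# /etc/pf.conf fragment (constructed example; em0 and port 22 are assumptions)
ext_if = "em0"

# Default deny, and log every packet this rule drops.
block log all

# Log every packet matched by this pass rule, not only the one that
# creates the state entry.
pass in log (all) on $ext_if proto tcp from any to any port 22

# Outbound traffic is passed without logging in this example.
pass out on $ext_if all

# FreeBSD: the pflog0 interface must exist, e.g. pflog_enable="YES"
# in /etc/rc.conf alongside pf_enable="YES".
#
# Check the syntax, then load the ruleset:
#   pfctl -nf /etc/pf.conf
#   pfctl -f /etc/pf.conf
#
# Show only logged packets that pf passed. -e prints the pflog header:
# rule number, action (pass/block), direction and interface.
#   tcpdump -n -e -i pflog0 action pass
#
# Show only logged packets that pf blocked:
#   tcpdump -n -e -i pflog0 action block
#
# For comparison, a capture on the physical interface shows inbound
# packets before pf has filtered them, so blocked packets appear too:
#   tcpdump -n -i em0 tcp port 22
```

Only packets matched by a rule carrying the log keyword appear on pflog0, so a packet missing from that capture was either matched by a non-logging rule or never arrived.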