selective logging of what pf is rejecting?
Max Laier
max at love2party.net
Fri Sep 9 12:53:05 PDT 2005
On Friday 09 September 2005 21:17, Huzeyfe Onal wrote:
> hi,
> you can use tcpdump to watch pf action, why it drops or accepts packets.
>
> try to use
> tcpdump -i pflog0 -e
right.
> ps: pflogd must be running... also read
> http://www.openbsd.com/faq/pf/logging.html
wrong. pflogd just records the log data to disk, no need to watch the
live feed.
> 2005/9/9, bob self <bobself at charter.net>:
> > My pf.conf file looks something like this
> >
> > block in all
> > block out all
> > pass quick on lo0 keep state
> > antispoof for $ext_if
> >
> > pass in on $ext_if from <goodguys> to any keep state
> > pass in log on $ext_if proto tcp from any to $ext_if port 80 flags S/SA keep state label "www" #apache
> > block in on $ext_if from <badguys> to any
> >
> > pass out on $ext_if proto tcp from any to any flags S/SA keep state # allow any tcp setup out
> > pass out on $ext_if proto udp all keep state # allow any udp out
> >
> > pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state # allow echo request in or out, (man pf.conf:1618)
> >
> >
> > Is there a way I can turn on (temporarily) logging of what pf is not
> > allowing to come in? Also, is there a real-time tool that
> > will let you watch what pf is blocking from coming in?
> >
> > How could you just log what pf allows to get through?
You can use pcap filters to get only info you are interested in. See
tcpdump(1)::ifname ff. ... the "action" filter might be of special interest
for your question.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
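
The "action" filter mentioned above, as an added example that is not part of the original message: the comments show the live tcpdump invocations, and the functions apply the same block/pass split to saved `tcpdump -e` text. The sample lines, addresses, rule numbers and function names are constructed for illustration, and the `log` keyword on the block rule is an assumed change to the posted ruleset (pf only sends packets to pflog0 for rules that carry `log`).

```shell
#!/bin/sh
# Live view on the firewall (root; the rule must carry "log", e.g. "block in log all"):
#   tcpdump -n -e -ttt -i pflog0 action block   # only packets pf rejected
#   tcpdump -n -e -ttt -i pflog0 action pass    # only packets pf let through
# Removing "log" from the rule and reloading pf.conf turns the logging off again.

# Constructed sample of "tcpdump -e" output from pflog0 (documentation addresses).
sample_log() {
cat <<'EOF'
00:00:01.000000 rule 0/0(match): block in on fxp0: 203.0.113.7.4312 > 192.0.2.10.22: S 100:100(0) win 65535
00:00:02.000000 rule 5/0(match): pass in on fxp0: 198.51.100.23.51000 > 192.0.2.10.80: S 200:200(0) win 65535
00:00:03.000000 rule 0/0(match): block in on fxp0: 203.0.113.7.4313 > 192.0.2.10.23: S 300:300(0) win 65535
00:00:04.000000 rule 0/0(match): block in on fxp0: 198.51.100.99 > 192.0.2.10: icmp: echo request
00:00:05.000000 rule 1/0(match): block out on fxp0: 192.0.2.10.3000 > 203.0.113.50.25: S 400:400(0) win 65535
EOF
}

# filter_action block|pass : keep only lines whose logged pf action matches.
filter_action() {
    awk -v act="$1" '{
        # The action is the second field after the literal word "rule".
        for (i = 1; i < NF; i++)
            if ($i == "rule" && $(i + 2) == act) { print; next }
    }'
}

# blocked_sources : count blocked inbound packets per source address.
blocked_sources() {
    filter_action block | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "rule" && $(i + 3) == "in") {
                src = $(i + 6)                      # "addr.port" or bare "addr"
                if (split(src, p, ".") == 5)        # IPv4 with a port suffix
                    sub(/\.[0-9]+$/, "", src)
                count[src]++
            }
    } END { for (s in count) print count[s], s }' | sort -rn
}

sample_log | blocked_sources
```
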