How to prevent FS overflow due to excessive logging?
Tobias Ernst
tobi at casino.uni-stuttgart.de
Wed Nov 14 11:38:36 PST 2007
David DeSimone wrote:
>> I do not want to disable UDP logging generally - after all I want to be
>> told when things like this happen.
> If you put "keep state" on your drop+log rule, PF will only log the
> first packet that gets dropped, which reduces logging considerably.
I thought about this, but

    block in log from any to any keep state

gives me

    pf.conf:266: keep state on block rules doesn't make sense

and the rule is skipped (6.2, maybe this has changed in 7?).
> However, you will not be alerted to the fact that millions of packets
> are being sent, in this scenario, so you would have to detect that via
> other means.
That's not a problem.
By the way, these turned out to be harmless multicast packets from a
remote software installation process that should have been silently
dropped, but I had the wrong netmask (/24 instead of /4) in my
"multicast silent drop" rule.
Regards
Tobias
--
Universität Stuttgart|Fakultät für Architektur und Stadtplanung|casinoIT
70174 Stuttgart Geschwister-Scholl-Straße 24D
T +49 (0)711 121-4228 F +49 (0)711 121-4276
E office at casino.uni-stuttgart.de I http://www.casino.uni-stuttgart.de
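
The netmask mistake described in the message above can be reproduced with a small model of PF rule evaluation (last matching rule wins unless a matching rule is `quick`). This is an added example, not code from the original post; the text of the silent-drop rule, the base address 224.0.0.0 and the sample destinations are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    text: str    # pf.conf line this entry models (constructed for illustration)
    dst: str     # destination network, or "any" to match everything
    log: bool
    quick: bool

    def matches(self, dst_ip):
        return self.dst == "any" or dst_ip in ipaddress.ip_network(self.dst)

def ruleset(mcast_net):
    # Silent multicast drop first (quick), then the catch-all drop+log rule
    # quoted in the message. The first rule's wording is an assumption.
    return [
        Rule(f"block drop in quick from any to {mcast_net}", mcast_net, False, True),
        Rule("block in log from any to any", "any", True, False),
    ]

def logged(rules, destinations):
    """Return the destinations whose winning rule has 'log' set.

    Models PF evaluation order: rules are checked top to bottom, the last
    match wins, and a matching 'quick' rule stops evaluation immediately.
    """
    out = []
    for d in destinations:
        ip = ipaddress.ip_address(d)
        winner = None
        for r in rules:
            if r.matches(ip):
                winner = r
                if r.quick:
                    break
        if winner is not None and winner.log:
            out.append(d)
    return out

# Constructed sample destinations: three multicast groups and one unicast host.
SAMPLE = ["224.0.0.251", "224.0.1.1", "239.255.255.250", "192.0.2.10"]

if __name__ == "__main__":
    for net in ("224.0.0.0/24", "224.0.0.0/4"):
        print(net, "->", logged(ruleset(net), SAMPLE))
```

With /24 only the 224.0.0.x block is dropped silently, so every other multicast group falls through to the logging rule; /4 covers the whole IPv4 multicast range 224.0.0.0 to 239.255.255.255.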