Date: Tue, 4 Apr 2006 12:22:58 -0500
From: "Bill Marquette" <bill.marquette@gmail.com>
To: "husnu demir" <hdemir@metu.edu.tr>
Cc: freebsd-pf@freebsd.org
Subject: Re: Log tag
Message-ID: <55e8a96c0604041022t5026422as6be2967fd2fbe494@mail.gmail.com>
In-Reply-To: <20060404132253.GA3293270@metu.edu.tr>
References: <1144132192.47587.8.camel@siseci.gdg.gov.tr> <55e8a96c0604040501y719b4241ue9d989263797c8dc@mail.gmail.com> <55e8a96c0604040610s6be12570m77293780b0c0e7c5@mail.gmail.com> <20060404132253.GA3293270@metu.edu.tr>

On 4/4/06, husnu demir <hdemir@metu.edu.tr> wrote:
>
> On Tue, Apr 04, 2006 at 08:10:30AM -0500, Bill Marquette wrote:
> > On 4/4/06, Bill Marquette <bill.marquette@gmail.com> wrote:
> > > On 4/4/06, N. Ersen SISECI <siseci@gmail.com> wrote:
> > > >
> > > >
> > > > Hi,
> > > >
> > > > Is it possible to label the log entries?
> > > > We can do it in IPF with set-tag (log=48).
> > > > Is there a similar method in PF?
> > > >
> > > >
> > > > IPF Rule:
> > > > pass in log first quick on bge0 proto tcp from any to 10.1.2.3 port = 22
> > > > flags S/SA keep state keep frags set-tag (log=110)
> > > >
> > > > IPF Log entry:
> > > > 04/04/2006 09:26:00.982095 bge0 @0:3 p 10.1.2.3,57221 ->
> > > > 192.168.90.12,22 PR tcp len 20 64 -S K-S K-F OUT log-tag 110
> > >
> > > The "label" keyword is what you want (and gives you a plain text
> > > description instead of number?!?!?! ouch).
> > >
> > > pass in log from foo to bar label "foo to bar rule"
> >
> > It's early...this was incorrect advice.  The labels only show in pfctl
> > -sr, not in /dev/pflog0.  I'm not sure if there's a way to make this
> > show up in /dev/pflog0.
> >
> does "tcpdump -ttt -e -i pflog0 -n" show the rule number. so this may be
> used as label :) At least I get used that info extensively.

It does and can be used for correlation (in conjunction with pfctl
-sr)...up until the rules change :)  But outside of (relatively easy)
scripting, the info isn't supplied in a single place.

--Bill
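
The correlation described in the reply above (rule number from pflog joined to the ruleset listing), as an added example that is not part of the original message. It assumes a saved `pfctl -vvsr` listing, used instead of plain `-sr` because the verbose form prints each rule's number as `@<number>`, and tcpdump pflog lines containing `rule <number>/`; the function names and all sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: annotate pflog lines with rule labels.
# $1: saved `pfctl -vvsr` output (rule lines start with "@<number> ")
# $2: saved `tcpdump -n -e -ttt -i pflog0` output ("rule <number>/..." per line)
annotate_pflog() {
    awk '
    FILENAME == ARGV[1] {
        # Ruleset snapshot: remember the label (if any) for each rule number.
        if ($1 ~ /^@[0-9]+$/) {
            label = "(unlabeled)"
            if (match($0, "label \"[^\"]*\""))
                label = substr($0, RSTART + 7, RLENGTH - 8)
            labels[substr($1, 2)] = label
        }
        next
    }
    {
        # Log line: extract the main-ruleset rule number and look it up.
        note = "(no rule number)"
        if (match($0, "rule [0-9]+[/.]")) {
            num = substr($0, RSTART + 5, RLENGTH - 6)
            note = (num in labels) ? labels[num] : "(rule not in snapshot)"
        }
        print $0 " [label: " note "]"
    }' "$1" "$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample data; line formats are assumptions stated above.
    cat > "$dir/rules" <<'EOF'
@0 block drop in log all
  [ Evaluations: 120  Packets: 4  Bytes: 240  States: 0 ]
@1 pass in log on bge0 inet proto tcp from any to 10.1.2.3 port = ssh flags S/SA keep state label "ssh to 10.1.2.3"
EOF
    cat > "$dir/log" <<'EOF'
000000 rule 1/0(match): pass in on bge0: 192.168.90.12.57221 > 10.1.2.3.22: S
000417 rule 0/0(match): block in on bge0: 192.168.90.12.4040 > 10.1.2.9.23: S
001200 rule 7/0(match): pass in on bge0: 192.168.90.12.4041 > 10.1.2.3.80: S
EOF
    annotate_pflog "$dir/rules" "$dir/log"
    rm -rf "$dir"
}
demo
```

Rule numbers are only meaningful against the ruleset that was loaded when the packet was logged, so keep one snapshot per ruleset load and pair each log with the matching snapshot.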