Date:      Sat, 14 Nov 2009 00:27:50 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        "Stephane D'Alu" <sdalu@sdalu.com>
Cc:        net@freebsd.org
Subject:   Re: pf & tcpdump
Message-ID:  <20091113235940.L58089@sola.nimnet.asn.au>
In-Reply-To: <4AFD5635.3080104@sdalu.com>
References:  <4AFD4632.5090207@sdalu.com> <20091113230319.R58089@sola.nimnet.asn.au> <4AFD5635.3080104@sdalu.com>

On Fri, 13 Nov 2009, Stephane D'Alu wrote:
 > On 13/11/2009 13:08, Ian Smith wrote:
 > > On Fri, 13 Nov 2009, Stephane D'Alu wrote:
 > >   >  Is there a way to have tcpdump only showing packets that have passed the
 > >   >  filtering rules, so to check that firewall rules were correctly written and
 > >   >  not letting unwanted packets in.
 > > 
 > > tcpdump sees packets before they're passed to the firewall coming in,
 > > and after the firewall going out.  Lack of response to inbound packets
 > > that the firewall is supposed to block is usually a good sign ..
 > > 
 > > Easiest way to see firewall rules are working is to add logging to them.
 > > 
 > 
 > So if I understand correctly, there is no way in tcpdump to only select the
 > packets "going out after the firewall"

Not sure I'm following you; thought you were referring to incoming 
packets above?  From tcpdump(1):

dir    qualifiers specify a particular transfer direction to and/or from id.
       Possible directions are src, dst, src or dst and src and dst.  E.g.,
       `src foo', `dst net  128.3', `src or dst port ftp-data'.  If there is
       no dir qualifier, src or dst is assumed.

all packets "going out after the firewall" on an interface are visible, 
you can filter to those you're looking for.  Or do I miss your meaning?

cheers, Ian

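Since a capture on the physical interface never shows pf's verdict, the usual answer to the question in this thread is to add `log` to the rules and capture on pflog0, where every record carries the matching rule number, the action and the direction. The Python below is an added example, not part of the original thread: it parses a constructed sample of `tcpdump -n -e -ttt -i pflog0` output (the `rule N/M(match): action dir on iface:` prefix is assumed to match what tcpdump prints for pflog records) and selects packets by firewall verdict.

```python
import re
from collections import Counter

# Constructed sample of what `tcpdump -n -e -ttt -i pflog0` prints once pf rules
# carry the `log` keyword. The "rule N/M(match): action dir on iface:" prefix is
# the firewall verdict, which a capture on em0 itself never shows.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 3/0(match): block in on em0: 192.0.2.10.40000 > 198.51.100.5.23: Flags [S], seq 1, win 65535, length 0
00:00:00.000412 rule 7/0(match): pass in on em0: 192.0.2.11.40001 > 198.51.100.5.22: Flags [S], seq 2, win 65535, length 0
00:00:00.000090 rule 3/0(match): block in on em0: 192.0.2.12.40002 > 198.51.100.5.445: Flags [S], seq 3, win 65535, length 0
00:00:00.002000 rule 9/0(match): pass out on em0: 198.51.100.5.51000 > 203.0.113.1.80: Flags [S], seq 4, win 65535, length 0
"""

# Assumed pflog line layout; lines that do not match (e.g. non-IPv4) are skipped.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block|nat|rdr|scrub|match) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Return one dict per pflog line that matches the expected layout."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("rule", "sub", "sport", "dport"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def summarize(records):
    """Count verdicts per (action, direction, rule number) to spot noisy rules."""
    return Counter((r["action"], r["dir"], r["rule"]) for r in records)


def select(records, action, direction):
    """Packets with a given verdict, e.g. select(recs, "pass", "in") answers
    the thread's question: which inbound packets the firewall actually let in."""
    return [r for r in records if r["action"] == action and r["dir"] == direction]


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for key, n in sorted(summarize(recs).items()):
        print(key, n)
    for r in select(recs, "block", "in"):
        print("blocked: %s:%d -> %s:%d (rule %d)"
              % (r["src"], r["sport"], r["dst"], r["dport"], r["rule"]))
```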