Date:      Fri, 17 Sep 2004 18:51:34 -0000 (GMT)
From:      "Hugo Silva" <klr@6s-gaming.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: pf not logging on 5.3-BETA3 ?
Message-ID:  <61210.81.84.174.8.1095447094.squirrel@81.84.174.8>
In-Reply-To: <61203.81.84.174.8.1095446951.squirrel@81.84.174.8>
References:  <58653.81.84.174.8.1095267239.squirrel@81.84.174.8>    <4149C2E0.6000902@dequim.ist.utl.pt> <4149E738.8090300@veldy.net>    <200409162125.26588.max@love2party.net> <61203.81.84.174.8.1095446951.squirrel@81.84.174.8>

>> On Thursday 16 September 2004 21:19, Thomas T. Veldhouse wrote:
>>> Bruno Afonso wrote:
>>> > Thomas T. Veldhouse wrote:
>>> >> Max Laier wrote:
>>> >>> Okay, have you guys read UPDATING?
>>> >>
>>> >> Yes, but it is from a BETA3 install ... so the user/group was already
>>> >> there.  Besides, installworld will fail unless this group is added
>>> >> first.
>>> >
>>> > Did you do "mergemaster -p" ?
>>>
>>> Yes.  But like I said, it is not required to move from 5.3-BETA3 to
>>> RELENG_5 as the changes in master.passwd and group are already there.
>>> If they were not, an installworld would fail because the chown or chgrp
>>> commands fail trying to set the user or group to _pflogd or authpf
>>> (group).
>>>
>>> In any event, my passwd and group file are indeed up to date and
>>> /var/log/pflog broken (no logging taking place).
>>>
>>> fuggle# ps aux | grep pf
>>> root      340  0.0  0.3  1584  612  ??  Ss    3:05PM   0:00.01 pflogd: [priv] (
>>> _pflogd   343  0.0  0.3  1648  652  ??  S     3:05PM   0:11.14 pflogd: [running
>>> root    21395  0.0  0.1   440  224  p1  R+    2:18PM   0:00.00 grep pf
>>
>> Are you sure that you have logging rules in place? And are you sure that
>> these rules are matched? Please attach the output of "$pfctl -vvsr" if in
>> doubt.
>>
>

Yep, I can follow the log with my pflog script:

[root@evilreborn:/home/klr]# pflog
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
2. 827601 rule 7/0(match): block out on rl1: IP X.X.X.X.61201 > 66.35.250.150.6060: S 1604621353:1604621353(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
(ip blocked out)

[workstation:
[killer@europa:/home/killer/] telnet slashdot.org 6060
Trying 66.35.250.150...
]

The script (very simple):

[root@evilreborn:/home/klr]# cat `which pflog`
tcpdump -n -e -ttt -i pflog0

This ensures logging rules are there, but anyway:

[root@evilreborn:/home/klr]# grep log /etc/pf.conf
block in log on $net proto { tcp,udp,icmp }
block out log on $net proto { tcp,udp,icmp }

>> Also, are you using the module or did you build pf into your kernel
>> directly?

Compiled directly into the kernel, device pf/pflog/pfsync, all ALTQ
options:
options         ALTQ
options         ALTQ_CBQ        # Class Bases Queueing
options         ALTQ_RED        # Random Early Drop
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler
options         ALTQ_CDNR       # Traffic conditioner
options         ALTQ_PRIQ       # Priority Queueing
options         ALTQ_NOPCC      # Required for SMP build
options         ALTQ_DEBUG

device          pf              # Packet Filter
device          pfsync
device          pflog



>> Did you put in "device pflog" as well? What does "$ifconfig pflog0" say?

[root@evilreborn:/home/klr]# ifconfig pflog0
pflog0: flags=41<UP,RUNNING> mtu 33208


If more info is needed, let me know. I don't think this is an obvious
mistake of mine (although it could be; I haven't looked at this problem in
the last few days, and must take some time to look more carefully at it).

As a reminder, the system is:
FreeBSD evilreborn 5.3-BETA3 FreeBSD 5.3-BETA3 #0: Wed Sep 15 19:18:51 WEST 2004     klr@evilreborn:/usr/src/sys/i386/compile/evilreborn53-kernel  i386


>>
>> --
>> /"\  Best regards,                      | mlaier@freebsd.org
>> \ /  Max Laier                          | ICQ #67774661
>>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
>> / \  ASCII Ribbon Campaign              | Against HTML Mail and News
>>

Best Regards,

Hugo



-- 
www.6s-gaming.com


