Date: Wed, 12 Sep 2007 14:03:07 -0400
From: Mike Tancsa <mike@sentex.net>
To: freebsd-pf@freebsd.org
Subject: pflog problem
Message-ID: <200709121804.l8CI4wVY071879@lava.sentex.ca>
On a box that got recently upgraded to current, I am having a problem reading from the pflog file. Not sure what the "unknown" bits are, but I can't match hosts. e.g. here are the last few entries in /var/log/pflog:

[zoo]# tcpdump -ner /var/log/pflog | tail -10
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
13:43:33.182398 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 <nop,nop,timestamp 2776712857 2692640929>
13:43:35.622474 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 <nop,nop,timestamp 2776713101 2692640929>
13:43:40.501939 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 <nop,nop,timestamp 2776713589 2692640929>
13:43:43.279628 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: . ack 1 win 5840 <nop,nop,timestamp 2776713866 2692640929>
13:43:50.262294 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 <nop,nop,timestamp 2776714565 2692640929>
13:44:09.783308 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 <nop,nop,timestamp 2776716517 2692640929>
13:44:48.823375 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 <nop,nop,timestamp 2776720421 2692640929>
13:46:06.904224 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840 <nop,nop,timestamp 2776728229 2692640929>
13:50:29.020966 rule 7/0(match): block unkn(255) on rl0: 207.231.228.166.31047 > 64.7.141.9.1026: UDP, length 365
13:52:25.229899 rule 7/0(match): block unkn(255) on rl0: 64.7.128.102.55203 > 64.7.141.9.23: S 623064939:623064939(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,times

Should not the command

[zoo]# tcpdump -ner /var/log/pflog host 60.12.128.147
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
[zoo]#

match some of the above entries? I see the same issue on pflog0:

[zoo]# tcpdump -nei pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
13:58:38.138472 rule 7/0(match): block unkn(255) on rl0: 64.7.128.102.60319 > 64.7.141.9.23: [|tcp]
^C
1 packets captured
1 packets received by filter
0 packets dropped by kernel
[zoo]# tcpdump -nei pflog0 host 64.7.128.102
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes

I should see entries on the second tcpdump of pflog0, but it too does not filter it correctly. It is hitting the rule

block in log on $ext_if all

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
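The symptom in the message above follows from how libpcap compiles a "host" expression for the PFLOG link type: the generated BPF program first tests the af byte of the pflog header for AF_INET (or AF_INET6) and only then compares addresses, so a record logged with af=255, which tcpdump prints as unkn(255), can never satisfy the filter even though the packet behind it is ordinary IPv4. The Python script below is an added example, not part of this thread and not FreeBSD or tcpdump code. It builds a small constructed pflog capture using the addresses from the message, parses the pflog header directly (the 64-byte struct pfloghdr layout with a 61-byte length field is an assumption matching the header of that period), and contrasts the af-gated match with one that reads the IP version nibble of the payload instead, which is a workable way to search such a log offline while the af field is being logged incorrectly.

```python
"""Added example: read a DLT_PFLOG pcap directly and compare two ways of
matching 'host X' against records whose pflog header says af=255."""
import ipaddress
import struct
from collections import namedtuple

DLT_PFLOG = 117
AF_INET = 2
AF_INET6 = 28            # FreeBSD value; OpenBSD uses 24

# Assumed layout of struct pfloghdr as written to the capture (64 bytes on the
# wire, 'length' field = 61): length, af, action, reason, ifname[16],
# ruleset[16], rulenr, subrulenr, uid, pid, rule_uid, rule_pid, dir, pad[3].
PFLOGHDR = struct.Struct("!BBBB16s16sIIIiIiB3x")

Record = namedtuple("Record", "ts length af action ifname rulenr src dst payload")


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def ip_addrs(payload):
    """Addresses taken from the IP version nibble, ignoring the pflog af byte."""
    if len(payload) >= 20 and payload[0] >> 4 == 4:
        return ipaddress.ip_address(payload[12:16]), ipaddress.ip_address(payload[16:20])
    if len(payload) >= 40 and payload[0] >> 4 == 6:
        return ipaddress.ip_address(payload[8:24]), ipaddress.ip_address(payload[24:40])
    return None, None


def parse_pflog_pcap(data):
    """Walk a classic pcap file whose link-type is PFLOG and return Records."""
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack(end + "IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != DLT_PFLOG:
        raise ValueError("not a classic pcap file with link-type PFLOG")
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        (length, af, action, _reason, ifname, _ruleset, rulenr, _sub, _uid, _pid,
         _ruid, _rpid, _dir) = PFLOGHDR.unpack(frame[:PFLOGHDR.size])
        payload = frame[(length + 3) & ~3:]   # BPF_WORDALIGN(hdr->length), as tcpdump does
        src, dst = ip_addrs(payload)
        records.append(Record(ts_sec + ts_usec / 1e6, length, af, action,
                              _cstr(ifname), rulenr, src, dst, payload))
    return records


def bpf_style_host_match(rec, host):
    """What libpcap compiles 'host X' to on DLT_PFLOG: the af byte of the pflog
    header must equal AF_INET (or AF_INET6) before any address is compared, so a
    record logged with af=255 never matches, whatever the packet contains."""
    host = ipaddress.ip_address(host)
    want_af = AF_INET if host.version == 4 else AF_INET6
    return rec.af == want_af and host in (rec.src, rec.dst)


def lenient_host_match(rec, host):
    """Trust the IP header itself instead of the pflog af byte."""
    return ipaddress.ip_address(host) in (rec.src, rec.dst)


def compare_filters(pcap_bytes, host):
    """(af, bpf-style match, lenient match) for every record in the capture."""
    return [(r.af, bpf_style_host_match(r, host), lenient_host_match(r, host))
            for r in parse_pflog_pcap(pcap_bytes)]


def build_sample_pcap(af):
    """Constructed sample, not a real capture: one blocked TCP FIN/ACK from
    60.12.128.147:4256 to 64.7.141.9:22 on rl0, logged by rule 4, with the
    given af byte in the pflog header."""
    src = ipaddress.IPv4Address("60.12.128.147").packed
    dst = ipaddress.IPv4Address("64.7.141.9").packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", 4256, 22, 0, 1, 5 << 4, 0x11, 5840, 0, 0)
    hdr = PFLOGHDR.pack(61, af, 1, 0, b"rl0", b"", 4, 0, 0, 0, 0, 0, 0)  # action 1 = block
    frame = hdr + ip + tcp
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)
    rhdr = struct.pack("<IIII", 1189619013, 182398, len(frame), len(frame))  # constructed timestamp
    return ghdr + rhdr + frame


if __name__ == "__main__":
    for af in (255, AF_INET):
        for r in parse_pflog_pcap(build_sample_pcap(af)):
            print(f"af={r.af:<3} {r.ifname} rule {r.rulenr}: {r.src} -> {r.dst}  "
                  f"bpf 'host' match: {bpf_style_host_match(r, '60.12.128.147')}  "
                  f"lenient: {lenient_host_match(r, '60.12.128.147')}")
```

Run against a real /var/log/pflog by replacing the constructed bytes with the file contents; the af column shows whether records are being logged with a sane address family, and the lenient matcher finds the host either way. Once the af byte is correct, both matchers agree and tcpdump's own "host" filter works again.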