From: Mike Tancsa <mike@sentex.net>
To: freebsd-pf@freebsd.org
Date: Wed, 12 Sep 2007 14:03:07 -0400
Subject: pflog problem
Message-Id: <200709121804.l8CI4wVY071879@lava.sentex.ca>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On a box that got recently upgraded to current, I am having a problem reading from the pflog file. Not sure what the "unknown" bits are, but I can't match hosts. e.g.
here are the last few entries in /var/log/pflog

[zoo]# tcpdump -ner /var/log/pflog | tail -10
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
13:43:33.182398 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:43:35.622474 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:43:40.501939 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:43:43.279628 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: . ack 1 win 5840
13:43:50.262294 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:44:09.783308 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:44:48.823375 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:46:06.904224 rule 4/0(match): block unkn(255) on rl0: 60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win 5840
13:50:29.020966 rule 7/0(match): block unkn(255) on rl0: 207.231.228.166.31047 > 64.7.141.9.1026: UDP, length 365
13:52:25.229899 rule 7/0(match): block unkn(255) on rl0: 64.7.128.102.55203 > 64.7.141.9.23: S 623064939:623064939(0) win 65535
64.7.141.9.23: [|tcp]
^C
1 packets captured
1 packets received by filter
0 packets dropped by kernel

[zoo]# tcpdump -nei pflog0 host 64.7.128.102
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes

I should see entries on the second tcpdump of pflog0, but it too does not filter it correctly.
It is hitting the rule

block in log on $ext_if all

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
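Both symptoms in the message, the "unkn(255)" direction and a "host" filter that matches nothing on pflog0, come down to what sits in front of the IP header in a pflog record. Below is an added example, not part of the original message or of pf/tcpdump: a small Python decoder for a DLT_PFLOG (link type 117) capture that reads the pflog header by its own length field, decodes the IPv4 packet behind it, and filters by host on the decoded addresses, so the question of whether libpcap's BPF filter understands the pflog encapsulation on this box does not arise. The header layout is struct pfloghdr from <net/if_pflog.h> of that era (61 real bytes, word-aligned to 64); the action/reason/direction labels are the ones tcpdump's pflog printer uses, and "unkn(N)" is its fallback for a direction value outside 0..2. The two records in SAMPLE_PCAP are constructed to resemble the posted log lines; timestamps, TCP checksums (left zero) and the subrule value 0 are assumptions, not data from the page.

```python
import struct
import socket

DLT_PFLOG = 117            # pcap link type for pf logs
PFLOG_REAL_HDRLEN = 61     # value pf stores in pfloghdr.length
PFLOG_HDRLEN = 64          # on-the-wire header: 61 bytes padded to a 4-byte boundary
AF_INET = 2                # sa_family_t value for IPv4 on the BSDs
TCP, UDP = 6, 17
PF_ACTIONS = {0: "pass", 1: "block"}
PF_REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short", 4: "normalize", 5: "memory"}
PF_DIRECTIONS = {0: "in/out", 1: "in", 2: "out"}

def direction_name(d):
    """tcpdump prints 'unkn(N)' for any dir value outside its table."""
    return PF_DIRECTIONS.get(d, "unkn(%u)" % d)

def pflog_header(af, action, reason, ifname, rulenr, subrulenr=0, direction=1):
    # struct pfloghdr: length, af, action, reason, ifname[16], ruleset[16], then
    # rulenr/subrulenr/uid/pid/rule_uid/rule_pid as 32-bit network order, dir, pad[3].
    # subrulenr defaults to 0 here only to mirror the posted "rule N/0" output (assumption).
    none = 0xffffffff      # uid/pid fields are -1 when pf did not look them up
    hdr = struct.pack("!BBBB16s16sIIIIIIB3x", PFLOG_REAL_HDRLEN, af, action, reason,
                      ifname.encode(), b"", rulenr, subrulenr, none, none, none, none, direction)
    assert len(hdr) == PFLOG_HDRLEN
    return hdr

def ipv4_checksum(data):
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return ~total & 0xffff

def ipv4_tcp(src, dst, sport, dport, flags, seq=0, window=65535):
    """Minimal IPv4+TCP packet for the constructed capture; TCP checksum left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp

def pcap_file(records):
    """Little-endian pcap global header (link type PFLOG) plus (ts_sec, ts_usec, pkt) records."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, DLT_PFLOG)
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out

def decode_record(pkt):
    (length, af, action, reason, ifname, _ruleset, rulenr, subrulenr,
     _uid, _pid, _ruid, _rpid, direction) = struct.unpack_from("!BBBB16s16sIIIIIIB", pkt, 0)
    hdrlen = (length + 3) & ~3              # BPF_WORDALIGN(hdr->length), as tcpdump does
    rec = {"rule": rulenr, "subrule": subrulenr, "dir_raw": direction,
           "dir": direction_name(direction), "ifname": ifname.rstrip(b"\0").decode(), "af": af,
           "action": PF_ACTIONS.get(action, "unkn(%u)" % action),
           "reason": PF_REASONS.get(reason, "unkn(%u)" % reason)}
    if af == AF_INET:                       # only IPv4 is decoded; other families stay raw
        ip = pkt[hdrlen:]
        ihl = (ip[0] & 0x0f) * 4
        rec.update(src=socket.inet_ntoa(ip[12:16]), dst=socket.inet_ntoa(ip[16:20]), proto=ip[9])
        if ip[9] in (TCP, UDP):
            rec["sport"], rec["dport"] = struct.unpack_from("!HH", ip, ihl)
    return rec

def parse_pflog_pcap(data):
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xa1b2c3d4 else ">"
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != DLT_PFLOG:
        raise ValueError("not a pflog capture, link type %d" % linktype)
    off, recs = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        rec = decode_record(data[off + 16:off + 16 + caplen])
        rec["ts"] = ts_sec + ts_usec / 1e6
        recs.append(rec)
        off += 16 + caplen
    return recs

def match_host(records, host):
    """What a BPF 'host X' filter should select, applied to the decoded inner header."""
    return [r for r in records if host in (r.get("src"), r.get("dst"))]

def summarize(r):
    return "rule %d/%d(%s): %s %s on %s: %s.%d > %s.%d" % (
        r["rule"], r["subrule"], r["reason"], r["action"], r["dir"], r["ifname"],
        r["src"], r["sport"], r["dst"], r["dport"])

# Constructed sample capture: two records shaped like the posted lines, logged on rl0
# by a "block" rule with dir=255 (FIN/ACK to port 22, SYN to port 23).
SAMPLE_PCAP = pcap_file([
    (1189619013, 182398, pflog_header(AF_INET, 1, 0, "rl0", 4, direction=255)
     + ipv4_tcp("60.12.128.147", "64.7.141.9", 4256, 22, flags=0x11, window=5840)),
    (1189619545, 229899, pflog_header(AF_INET, 1, 0, "rl0", 7, direction=255)
     + ipv4_tcp("64.7.128.102", "64.7.141.9", 55203, 23, flags=0x02, seq=623064939)),
])

if __name__ == "__main__":
    for rec in match_host(parse_pflog_pcap(SAMPLE_PCAP), "64.7.128.102"):
        print(summarize(rec))
```

Run directly, it prints the one record a `host 64.7.128.102` filter should have matched. To apply it to a real log, pass `open("/var/log/pflog", "rb").read()` to `parse_pflog_pcap`; because the decoder uses the per-record length byte rather than a hard-coded 64, it keeps working if the kernel writes a different header size, and `dir_raw` shows the actual direction byte behind an "unkn(255)" label.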