From: Tobias Ernst
Date: Wed, 14 Nov 2007 21:38:06 +0200
To: freebsd-pf@freebsd.org
Subject: Re: How to prevent FS overflow due to excessive logging?
Message-ID: <473B4E9E.2040004@casino.uni-stuttgart.de>

David DeSimone wrote:

>> I do not want to disable UDP logging generally - after all I want to be
>> told when things like this happen.
>
> If you put "keep state" on your drop+log rule, PF will only log the
> first packet that gets dropped, which reduces logging considerably.

I thought about this, but

    block in log from any to any keep state

gives me

    pf.conf:266: keep state on block rules doesn't make sense

and the rule is skipped (6.2, maybe this has changed in 7?).

> However, you will not be alerted to the fact that millions of packets
> are being sent, in this scenario, so you would have to detect that via
> other means.

That's not a problem.

By the way, these turned out to be harmless multicast packets from a
remote software installation process that should have been silently
dropped, but I had the wrong netmask (/24 instead of /4) in my
"multicast silent drop" rule.

Regards
Tobias

-- 
Universität Stuttgart|Fakultät für Architektur und Stadtplanung|casinoIT
70174 Stuttgart Geschwister-Scholl-Straße 24D
T +49 (0)711 121-4228 F +49 (0)711 121-4276
E office@casino.uni-stuttgart.de I http://www.casino.uni-stuttgart.de
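
The netmask mistake described in the message above, as an added pf.conf fragment that is not part of the original post. The macro names, the catch-all logging rule and the rule order are assumptions, since the post does not show the actual ruleset.

```pf
# Constructed example (assumed ruleset, not the poster's pf.conf).

# Too narrow: 224.0.0.0/24 covers only 224.0.0.0 - 224.0.0.255, so
# multicast sent to any other group falls through to the logging rule.
mcast_wrong = "224.0.0.0/24"

# Intended: 224.0.0.0/4 covers the whole IPv4 multicast range,
# 224.0.0.0 - 239.255.255.255.
mcast = "224.0.0.0/4"

# Silent drop: no "log" keyword, and "quick" ends rule evaluation on a
# match so the catch-all rule below never sees these packets.
block in quick inet from any to $mcast

# Catch-all: everything else that is blocked is still logged to pflog.
block in log all
```

With `$mcast_wrong` in the silent-drop rule, a packet addressed to a group outside 224.0.0.0/24 does not match it, reaches `block in log all`, and is logged once per packet, which is the log growth the thread is about.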