I've been converting from my age-old IPFILTER ruleset to PF. Aside from FreeBSD's old version (which should be noted in the man page, not just the handbook), PF is rather flexible and nice.
I've been watching the logs to make sure I converted things correctly. Unfortunately there seems to be a big problem with the tcpdump output of pflog, namely that there seems to be no way to view the pre-NATted IP address of a blocked request.
For example I disallow outgoing packets to the Microsoft Teredo IPv6 proxy. In IPFILTER the logs show the natted host trying to send a packet outwards:
Code:
Jul 24 23:13:28 myfirewall ipmon[876]: 23:13:28.010715 sk0 @0:1 b nattedhost[10.12.12.25],52877 -> 94.245.121.251,3544 PR udp len 20 89 OUT
But with PF the original IP address is lost:
Code:
15:19:08.557680 IP myfirewall.domain.com.62199 > 94.245.121.253.3544: UDP, length 61
Is there a way to display the address of the natted host as with IPFILTER? (Other than, of course, writing a whole set of duplicate rules on my internal interface blocking requests prior to the NAT on the external interface.)
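The fallback mentioned at the end of the post, written out as an added pf.conf fragment (not from the post or the FreeBSD pf sources): because nat on the external interface rewrites the source before the block rule there sees the packet, the only evaluation point where the LAN address is still intact is the inbound pass on the internal interface. $int_if, $ext_if and the teredo_proxy macro are assumed names; the proxy address and port are the ones in the post's ipmon line.

```pf
# Constructed example; interface names are assumptions.
int_if = "sk0"
ext_if = "em0"
# Address and port taken from the post's ipmon log line.
teredo_proxy = "94.245.121.251"
teredo_port  = "3544"

# NAT is applied on the external interface. Any block rule that
# matches on $ext_if only ever sees the already-translated source,
# which is why pflog shows the firewall's own address there.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Blocking on the internal interface, inbound, happens before NAT,
# so the pflog record still carries the LAN host's address
# (e.g. 10.12.12.25) as the source.
block in log quick on $int_if proto udp \
    from $int_if:network to $teredo_proxy port $teredo_port

# Optional: keep a second rule on $ext_if as a safety net for locally
# generated traffic; its log entries will show the NATted address.
block out log quick on $ext_if proto udp \
    to $teredo_proxy port $teredo_port
```

Reading the log with `tcpdump -n -e -ttt -i pflog0` prints the pflog header (rule number, action, direction and interface) in front of each packet, so entries from the $int_if rule can be told apart from the post-NAT ones on $ext_if.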