Is there some way to monitor what's happening in PF?

I want to block any traffic from em3 to em1, to completely separate these networks. But no matter what I try, I can't make it work. And I don't understand why. Is there some way to follow what's happening in PF, so I can see why it's allowing traffic I want to block?
 
It would've been more helpful if you explained what exactly you are trying to do, and how you have tried to do it so far. PF's pflog interface allows you to monitor through logging, among other things.
 
Enable pflog(4) in /etc/rc.conf

Code:
pflog_enable="YES"
You might want to lower the flush time of the buffer, which defaults to 60 seconds, so you don't have to wait a full minute to see what got logged:
Code:
pflog_flags="-d 10"

Start the logger:
# service pflog start

Use tcpdump(1) on the log file (the log file is binary so it's not directly readable)

# tcpdump -n -tttt -e -r /var/log/pflog

To match the rule numbers reported in the log to rules use pfctl(8):
# pfctl -sr -gv

To see active states use:
# pfctl -ss -v

Hope this helps.
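Once the log is flowing, the next thing you usually want is a count of which rule matched what, so you can tell whether your block rule is ever being hit. The script below is an added example, not something posted in this thread: it summarises `tcpdump -n -tttt -e -r /var/log/pflog` output by rule number, action, direction and interface. The sample lines are constructed to follow tcpdump's pflog header format (`rule N/M(reason): action dir on iface:`), not captured from a real system, and the interface names and addresses in them are assumptions.

```shell
#!/bin/sh
# Summarise pflog output by matched rule (added example, not from the thread).
# Usage: tcpdump -n -tttt -e -r /var/log/pflog | pflog_summary
#    or: sh pflog_summary.sh /var/log/pflog

# Constructed sample of tcpdump -n -tttt -e -r /var/log/pflog output.
# Not captured from a real box; the "rule N/M(reason): action dir on if:"
# prefix is the pflog header that the -e flag makes tcpdump print.
SAMPLE_PFLOG='2013-03-01 10:15:02.123456 rule 3/0(match): block in on em3: 192.168.3.20.51234 > 192.168.0.10.22: Flags [S], seq 100, win 65535, length 0
2013-03-01 10:15:03.223456 rule 3/0(match): block in on em3: 192.168.3.21.40000 > 192.168.0.10.80: Flags [S], seq 200, win 65535, length 0
2013-03-01 10:15:04.323456 rule 5/0(match): pass in on em3: 192.168.3.20.51235 > 10.0.0.1.53: UDP, length 40
2013-03-01 10:15:05.423456 rule 3/0(match): block in on em3: 192.168.3.22.40001 > 192.168.0.11.443: Flags [S], seq 300, win 65535, length 0'

# pflog_summary: read tcpdump lines on stdin and print one line per
# (rule number, action, direction, interface), busiest first. The rule
# number is what you match against pfctl -sr -gv to find the rule text.
pflog_summary() {
    awk '
    {
        # Pull "rule N/M(reason): ACTION DIR on IFACE:" out of each line;
        # lines without it (e.g. tcpdump warnings) are skipped.
        if (match($0, /rule [0-9]+\/[0-9]+\([a-z-]+\): [a-z]+ (in|out) on [^:]+:/)) {
            hdr = substr($0, RSTART, RLENGTH)
            split(hdr, f, " ")
            rule = f[2]; sub(/\/.*/, "", rule)       # "3/0(match):" -> "3"
            iface = f[6]; sub(/:$/, "", iface)       # "em3:" -> "em3"
            count["rule=" rule " " f[3] " " f[4] " " iface]++
        }
    }
    END {
        for (k in count) printf "%d %s\n", count[k], k
    }' | sort -rn
}

# With a readable pflog file as the first argument, summarise it; otherwise
# run on the constructed sample so the script can be tried anywhere.
if [ -r "${1:-}" ]; then
    tcpdump -n -tttt -e -r "$1" | pflog_summary
else
    printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
fi
```

On the sample this prints `3 rule=3 block in em3` followed by `1 rule=5 pass in em3`. If the rule you expect to see never appears in this summary while you are generating the traffic, the rule is not matching, which is exactly the situation the original poster describes.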
 
bbzz said:
It would've been more helpful if you explained what exactly you are trying to do, and how you have tried to do it so far. PF's pflog interface allows you to monitor through logging, among other things.

My FreeBSD machine is connected to multiple networks and acts as a router/gateway between them. I want to block any traffic from em3 to em0, so it's impossible to connect to anything on the em0_network from the em3_network.

I tried several rules, like this one.
Code:
block out quick log on $em3_if from $em3_if to $em0_if

The syntax is correct and it should work. But I'm still able to connect to hosts on the em0_network, from em3_network. When I log this rule, I see nothing appear in the logs, so apparently it's not triggered.
 
The macros $emx_if expand to single addresses, so you're only blocking traffic originating from interface $em3_if itself; you need to use $em3_if:network to specify the whole network connected to interface $em3_if.

I would block on incoming traffic, like this:

Code:
block in quick log on $em3_if from $em3_if:network to $em0_if:network
 
mariourk said:
Code:
block out quick log on $em3_if from $em3_if to $em0_if

The syntax is correct and it should work.

No it isn't. It should be block in on your em3 interface, since this is how packets enter the router.
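To make the two replies above concrete, here is an /etc/pf.conf fragment as an added example; it is not something posted in the thread. The interface names and the assumption that em0 is the network to protect are carried over from the discussion; nothing else about the poster's setup is known, so treat the macros and the pass rule as illustrative.

```pf
# /etc/pf.conf fragment (added example, not from the thread).
# Interface names are assumptions taken from the discussion.
em0_if = "em0"        # network that must not be reachable from em3
em3_if = "em3"        # network whose hosts must be kept out of em0

# Does NOT isolate the networks. A bare interface macro stands for the
# address(es) configured on that interface, so this rule only matches
# packets whose source is em3's own address and whose destination is
# em0's own address. It also filters packets leaving em3, which is the
# wrong direction for traffic arriving from the em3 network.
# block out quick log on $em3_if from $em3_if to $em0_if

# Correct: filter on the interface the packets enter the router, and use
# :network so the whole subnet attached to each interface is matched.
# "quick" stops evaluation here, so later pass rules cannot override it.
block in quick log on $em3_if from $em3_if:network to $em0_if:network

# Whatever the em3 network is otherwise allowed to do goes after the block.
pass in on $em3_if from $em3_if:network to any
```

Two checks are worth doing after loading this with `pfctl -f /etc/pf.conf`. `pfctl -vsr` prints every rule together with its Evaluations/Packets counters, so a rule whose Packets stays at zero while you generate traffic from the em3 network is not matching, which is the same symptom as seeing nothing for it in pflog. And because the block is on the inbound side of em3, a connection that a host on em0 opens towards em3 still works through its state entry; only connections initiated from the em3 network towards em0 are dropped, which is what the poster asked for.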
 