PF pflog not working

Hi, I have this in /etc/rc.conf

Code:
pf_enable="YES"
pf_rules="/root/firewall"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

When I run tcpdump -n -e -ttt -i pflog0 I can see the PF logs perfectly, but when I want to read the log with tcpdump -n -e -ttt -r /var/log/pflog there is nothing there, except "reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)".

Any clues?

FreeBSD 11.1
First; keep in mind that pflog_logfile is already defined in /etc/defaults/rc.conf so you don't need to specify it: it's used by default.

How big is /var/log/pflog on your end?

I can somewhat reproduce your problem. I've also set up logging, but mostly for pfctl purposes:

Code:
Interface Stats for bge1              IPv4             IPv6
  Bytes In                      2291323902                0
  Bytes Out                     1761328172                0
  Packets In
    Passed                         5873991                0
    Blocked                          85602                0
  Packets Out
    Passed                         7089566                0
    Blocked                          15640                0
I've also explicitly used set loginterface $ext_if in my setup.

But indeed: despite logging being in effect and despite several blocked packets, my /var/log/pflog file is only 24 bytes. So non-existent.

And I just solved it (I'm usually studying while writing), see also pf.conf(5):

Code:
     log   In addition to the action specified, a log message is generated.
           Only the packet that establishes the state is logged, unless the no
           state option is specified.  The logged packets are sent to a
           pflog(4) interface, by default pflog0.  This interface is monitored
           by the pflogd(8) logging daemon, which dumps the logged packets to
           the file /var/log/pflog in pcap(3) binary format.
So: you need an explicit rule in your firewall configuration which tells it to log those specific packets, and I think you don't have that. PF uses logging in two ways: if you set up a log interface then it will gather statistics and such which are then shown using # pfctl -s info, but if you need to actually log packets you need a specific rule.

For example: block log on $ext_if (I'm always using macros):
Code:
peter@breve:/etc# pfctl -s rules | grep log
block drop log on bge1 all
Hope this can help!

(edit)

Well, I've just added the above rule to my configuration and what do you know...

Code:
peter@breve:/var/log# tcpdump -r /var/log/pflog | wc -l
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
      23
I'm positive that this is the solution to your problem :)

Yes, indeed. For example, I had some ports (3389) forwarded from outside to various Windows desktops, and besides the logs on the Windows machines I wanted to have some log of from-who-to-what and vice versa. I made it with this:

Code:
rdr pass log(all) on $ext_if proto tcp from any to any port 2323 -> 192.168.xxx.xxx port 3389

and with tcpdump -n -e -ttt -r /var/log/pflog port 2323 I made it. This is the beginning; the next step is to make a cronjob that collects that information and saves it to a personal log file :D
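As an added example (not code from any poster in this thread), a small reader for the pcap file that pflogd writes: it shows why a 24-byte /var/log/pflog holds no packets (that is exactly the pcap global header, nothing more) and how the per-source summary the last reply wants from a cronjob could be built. It assumes the pfloghdr layout from FreeBSD's sys/net/if_pflog.h (32-bit fields in network byte order) and a little-endian pcap file; the log records are constructed inline.

```python
import socket
import struct
from collections import Counter

DLT_PFLOG = 117
PCAP_GLOBAL = struct.Struct("<IHHiIII")            # 24 bytes: an empty pflog is only this
PCAP_REC = struct.Struct("<IIII")                  # ts_sec, ts_usec, incl_len, orig_len
PFLOG_HDR = struct.Struct(">BBBB16s16sIIIIIIB3x")  # pfloghdr: 61 bytes + 3 pad = 64
AF_INET_BSD = 2                                    # af field value for IPv4 on FreeBSD
ACTION, DIRECTION = {0: "pass", 1: "block"}, {1: "in", 2: "out"}

def read_pflog(data):
    """Yield (action, dir, ifname, rulenr, src, dst, dport) per logged IPv4 packet."""
    magic, *_, linktype = PCAP_GLOBAL.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != DLT_PFLOG:
        raise ValueError("expected a little-endian pcap with link type PFLOG")
    off = PCAP_GLOBAL.size
    while off + PCAP_REC.size <= len(data):
        _, _, incl_len, _ = PCAP_REC.unpack_from(data, off)
        off += PCAP_REC.size
        pkt, off = data[off:off + incl_len], off + incl_len
        _, af, act, _, ifname, _, rulenr, _, _, _, _, _, d = PFLOG_HDR.unpack_from(pkt, 0)
        if af != AF_INET_BSD:
            continue  # IPv6 records are skipped in this example
        ip = pkt[PFLOG_HDR.size:]                  # the captured packet follows the header
        ihl = (ip[0] & 0x0F) * 4
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        dport = struct.unpack_from(">H", ip, ihl + 2)[0] if ip[9] in (6, 17) else None
        yield (ACTION.get(act, "?"), DIRECTION.get(d, "?"),
               ifname.rstrip(b"\0").decode(), rulenr, src, dst, dport)

def blocked_by_source(data):
    """Cronjob-style summary: blocked packets counted per (source, destination port)."""
    return Counter((s, p) for a, _, _, _, s, _, p in read_pflog(data) if a == "block")

def _record(action, direction, rulenr, src, dst, dport):
    """Constructed sample record (real ones are written by pflogd(8))."""
    hdr = PFLOG_HDR.pack(61, AF_INET_BSD, action, 0, b"bge1", b"", rulenr,
                         0, 0, 0, 0, 0, direction)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    body = hdr + ip + struct.pack(">HH", 40000, dport) + b"\0" * 16  # minimal TCP header
    return PCAP_REC.pack(0, 0, len(body), len(body)) + body

EMPTY_PFLOG = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 116, DLT_PFLOG)  # exactly 24 bytes
SAMPLE_PFLOG = (EMPTY_PFLOG
                + _record(1, 1, 3, "203.0.113.5", "198.51.100.10", 2323)
                + _record(1, 1, 3, "203.0.113.5", "198.51.100.10", 2323)
                + _record(0, 1, 7, "192.0.2.9", "198.51.100.10", 22))
```

Reading the real file is `read_pflog(open("/var/log/pflog", "rb").read())`; a file with no `log` rule in effect stays at the 24-byte header and yields nothing, which is the symptom from the first post.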