Logging With PF

The more I fiddle with OpenBSD Packet Filter (PF), the more I like the way it works when compared to its peers like iptables, ipchains, ipfw and ipf.

Today, I wanted to add logging for all my block rules to track something down. Add a rule such as block in log all label "block-all" and turn on the pflogd service. This makes the log data for every blocked packet available on the pflog0 device and also writes it to /var/log/pflog in the tcpdump binary logging format.

You can then run tcpdump (with all its powerful expression-matching features) with -i pflog0 to watch the data in real time, or use tcpdump -r on the log file to read everything saved so far.
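Because /var/log/pflog is an ordinary pcap file, it can also be summarised without tcpdump. The following Python script is an added example, not part of the original post: it counts logged packets per action, interface and rule number. It assumes the classic pcap file layout and the leading fields of struct pfloghdr as declared in pflog.h; the function names and the sample capture are constructed for illustration.

```python
import struct
import sys
from collections import Counter

DLT_PFLOG = 117                        # pcap link type used for pflog captures
PF_ACTIONS = {0: "pass", 1: "block"}   # PF_PASS / PF_DROP

def tally_pflog(data):
    """Count logged packets per (action, interface, rule number)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # file written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != DLT_PFLOG:
        raise ValueError("link type %d is not DLT_PFLOG" % linktype)
    counts, off = Counter(), 24        # records start after the 24-byte file header
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 40:
            continue                   # truncated record, no usable pflog header
        # Assumed layout: length, af, action, reason, ifname[16], ruleset[16], rulenr (network order)
        _, _, action, _, ifname, _, rulenr = struct.unpack("!BBBB16s16sI", pkt[:40])
        name = ifname.split(b"\0")[0].decode("ascii", "replace")
        counts[(PF_ACTIONS.get(action, str(action)), name, rulenr)] += 1
    return counts

def sample_capture():
    """Constructed three-record capture (not real traffic) used when no file is given."""
    def rec(action, ifname, rulenr):
        hdr = struct.pack("!BBBB16s16sI", 61, 2, action, 0, ifname, b"", rulenr)
        pkt = hdr + bytes(24)          # remaining header bytes zero-filled, no IP payload
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)
    return head + rec(1, b"em0", 3) + rec(1, b"em0", 3) + rec(0, b"em0", 7)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for (action, ifname, rulenr), n in tally_pflog(data).most_common():
        print("%6d  %-5s on %-8s rule %d" % (n, action, ifname, rulenr))
```

Pass /var/log/pflog as the argument to summarise the real log; the rule numbers correspond to the @N numbers printed by pfctl -vvsr.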

Also, the concept of assigning labels makes it much easier to understand which rule a packet is hitting. Assign every rule a label and then run pftop -v label.


There is also an SNMP module for pf(4) already in the base system. See /etc/snmpd.config and /usr/share/snmp/mibs/BEGEMOT-PF-MIB.txt.

begemotSnmpdModulePath."pf" = "/usr/lib/snmp_pf.so"


By Shanker Balan
