Ok, ok, I'll reply to my own post...

> It is not a "realtime" logger? I can see a bunch of log
> entries only every 5-10 minutes on the remote syslog system
> and the web pages.
> 
> And on the pfSense system pflogd is running with
> "-s 2147483647" as snaplen (2 GB?).

I tried the following patch for /etc/inc/filter.inc:

52c52
<       mwexec("/sbin/ifconfig pflog0 up && pflogd -sD");
---
>       mwexec("/sbin/ifconfig pflog0 up && pflogd");
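Review bot: the removed `-sD` is parsed by pflogd as option `-s` with the argument `D`, because `-s` takes a snaplen value, so neither a numeric snaplen nor a separate `-D` (debug, stay in foreground) ever took effect as written; dropping the bogus argument leaves pflogd at its built-in default snaplen, which is consistent with the `-s 116 -f /var/log/pflog` shown in the ps output below. If foreground/debug mode was actually intended, it would have to be passed as `-D` on its own; otherwise the bare `pflogd` is the right call.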
54c54
<       mwexec_bg("/usr/sbin/tcpdump -n -e -ttt -i pflog0 | logger -t pf -p 
local0.info");
---
>       mwexec_bg("/usr/sbin/tcpdump -l -n -e -ttt -i pflog0 | logger -t pf -p 
> local0.info");
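Review bot: `-l` is the change that matters here: with stdout connected to a pipe rather than a terminal, tcpdump's output is fully buffered, so `logger` only receives data when the stdio buffer fills, which explains the bursts every 5-10 minutes; `-l` makes stdout line-buffered, so each record is forwarded to syslog as it is written. The second `> local0.info");` line is the tail of the previous line wrapped by the mail client, not a separate added line.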

Now the packet filter logs (nearly) realtime to my syslog host.
And the snaplen now shows 116 bytes.

<-- snip -->
  266  ??  Is     0:00.00 pflogd: [priv] (pflogd)
  269  ??  S      0:00.02 pflogd: [running] -s 116 -f /var/log/pflog (pflogd)
  268 con- S      0:00.03 /usr/sbin/tcpdump -l -n -e -ttt -i pflog0
<-- snip -->

Is there any reason not to start pflogd/tcpdump this way?

> BTW: I also can't traceroute to the firewall wan-interface,
> ping is OK. Rules for ACCESS UDP are added. There are no
> log entries for these packets.

Any thought why traceroute is not working? I enabled UDP
port 33465:33495 (30 hops), enabled ICMP "time exceeded"
but pfSense doesn't respond... Even when I allow all ICMP,
there is no response....

Regards,
Michael
