> https://man.openbsd.org/pflow.4

> On Wed, Mar 28, 2018 at 4:03 PM, 3 <ba...@yandex.ru> wrote:

>> On 03/28/18 15:04, 3 wrote:
 >>> hi guys. when the pflow option first appeared, i was surprised by the
 >>> stupidity of those who implemented it - pflow could not be specified
 >>> for block-rules, i.e. dropped packets were not taken into account. as

 >> hm. you've suffered nine years of this stupidity of others but have not
 >> been able to add labels to your block rules?

 >> Just as an experiment I added labels to the block rules on my
 >> most-easily-reachable-from-here gateway, as in

 >> block log (all) label blockgen
 >> block drop log (all) quick from <portalbrutes> label portalbrutes
 >> block drop log (all) quick from <abusives> label abusives
 >> block drop log (all) quick from <webtrash> label webtrash
 >> block drop log (all) quick from <bruteforce> label bruteforce

 >> block drop log (all) quick from <longterm> label longterm
 >> block in log (all) on ! lo0 proto tcp to port 6000:6010 label remotex11

 >> and voila, pfctl -sl gives me after a few minutes

 >> [Wed Mar 28 16:15:29] peter@skapet:~$ sudo pfctl -vsl
 >> blockgen 3739 452 19856 448 19664 4 192 0
 >> portalbrutes 3739 0 0 0 0 0 0 0
 >> abusives 3739 301 14681 301 14681 0 0 0
 >> webtrash 3438 0 0 0 0 0 0 0
 >> bruteforce 3438 0 0 0 0 0 0 0
 >> longterm 3438 0 0 0 0 0 0 0
 >> remotex11 3438 0 0 0 0 0 0 0

 >> man pf.conf is your friend, please consult there before letting
 >> resentment stew for years next time, huh?

> maybe i'm too dumb and blind to see pflow here.. and maybe the problem
> is not in me. where is pflow?

continue your thought. we have the output of the pfctl -vsl command,
which in this form is useless, since the output is needed in the
netflow format. there is a man pflow - one piece (it's not clear why we
need it if we abandoned the pflow and went to the output of pfctl
-vsl). how do we cook a netflow stream from this?
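
The label counters quoted above are cumulative per-label totals, not per-flow records, so they account for blocked packets and bytes but are not NetFlow data. As an added example (not part of the thread), this Python code parses `pfctl -vsl` output using the column order documented in pfctl(8) and computes per-label increases between two polls; SNAP2 is constructed sample data, and the function and variable names are hypothetical.

```python
from collections import namedtuple

# Column order after the label, per pfctl(8) "-s labels".
FIELDS = ("evaluations", "packets", "bytes", "packets_in", "bytes_in",
          "packets_out", "bytes_out", "states")
LabelStats = namedtuple("LabelStats", FIELDS)

def parse_labels(text):
    """Parse `pfctl -vsl` output into {label: LabelStats}."""
    stats = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        # Split from the right so a label containing spaces stays whole.
        parts = line.rsplit(None, len(FIELDS))
        if len(parts) != 9 or not all(p.isdigit() for p in parts[1:]):
            raise ValueError(f"line {lineno}: not a label counter line")
        s = LabelStats(*map(int, parts[1:]))
        # Totals must equal in + out; a mismatch means the columns shifted.
        if (s.packets != s.packets_in + s.packets_out
                or s.bytes != s.bytes_in + s.bytes_out):
            raise ValueError(f"line {lineno}: in/out do not sum to total")
        label = parts[0]
        if label in stats:  # same label printed more than once: add up
            s = LabelStats(*(a + b for a, b in zip(stats[label], s)))
        stats[label] = s
    return stats

def delta(prev, cur):
    """Per-label increase between two polls of the counters."""
    out = {}
    for label, now in cur.items():
        old = prev.get(label)
        if old is None or any(n < o for n, o in zip(now, old)):
            out[label] = now  # new label, or counters were cleared
        else:
            out[label] = LabelStats(*(n - o for n, o in zip(now, old)))
    return out

# First poll: counter lines from the message quoted in this thread.
SNAP1 = """blockgen 3739 452 19856 448 19664 4 192 0
portalbrutes 3739 0 0 0 0 0 0 0
abusives 3739 301 14681 301 14681 0 0 0
remotex11 3438 0 0 0 0 0 0 0"""
# Second poll: constructed values for illustration.
SNAP2 = """blockgen 3801 460 20240 455 20000 5 240 0
abusives 3801 310 15113 310 15113 0 0 0
remotex11 3500 0 0 0 0 0 0 0"""

if __name__ == "__main__":
    for label, d in delta(parse_labels(SNAP1), parse_labels(SNAP2)).items():
        print(f"{label}: +{d.packets} packets, +{d.bytes} bytes blocked")
```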




