> On 03/28/18 22:03, 3 wrote:
>> maybe I'm so dumb and blind to see pflow here.. and maybe deal not in
>> me. where is pflow?
>
> pflow gets the data it exports from the state table.
> Blocked connections do not create state table entries.
> This means that pflow does not have the information you're looking for.
> You can still get detailed information about blocked connection
> attempts, in the aggregate via labels as I showed you, or from pflog.
> You could even have your block rules logged to a separate pflog interface.
> Others have already pointed you at other alternatives. Obsessing about
> pflow unfortunately isn't going to get you anywhere. Exploring the other
> options might.

I accept your challenge! ^^

But first I will describe my scheme of pf.conf (this is important):

block all                                  # default block
match from (self) tag PASS                 # default output
match bla-bla1 to (self) tag PASS
match bla-bla2 to (self) tag PASS
..
match bla-blaN to (self) tag PASS
match from lan:network tag PASS            # it's actually an anchor here, loadable from
match to lan:network tag PASS              # another file, but it does not matter
match out on egress inet from !(self) tagged PASS nat-to (egress)   # nat
pass quick tagged PASS                     # one (no other) final pass

-- In this place we have all the packets that were not accepted and that will later be blocked by the default block.
-- We need only those that entered on egress (pppoe0 for me):

pass in quick on pppoe0 all route-to (vether0 10.0.0.1) keep state (pflow)   # any fake interface is here

-- Now all these packets selected by us get back to the entrance of the rules (before the default block).
-- We can leave them as they are, but it's better to delete them:

block quick on vether0                     # needs to be placed as the first rule

-- Let's see what we have got if logging is enabled:

Mar 29 20:42:46.984161 rule 92/(match) [uid 0, pid 54243] pass in on pppoe0: 24.201.182.114.46574 > 188.235.31.7.36824: [udp sum ok] udp 20 [tos 0x70] (ttl 53, id 5542, len 48)
Mar 29 20:42:46.984176 rule 0/(match) [uid 0, pid 54243] block out on vether0: 24.201.182.114.46574 > 188.235.31.7.36824: [udp sum ok] udp 20 [tos 0x70] (ttl 53, id 5542, len 48)
..

and more (I found four matching packets in this interval, but it is difficult to synchronize pf's log and the log of flowd)

process_flow: ACCEPT flow FLOW recv_time 2018-03-29T20:43:42.634715 proto 17 tcpflags 00 tos 00 agent [127.0.0.1] src [24.201.182.114]:46574 dst [188.235.31.7]:36824 gateway [0.0.0.0] packets 3 octets 144 in_if 7 out_if 0 sys_uptime_ms 2h20m51s.000 time_sec 2018-03-29T20:43:42 time_nanosec 634520582 netflow ver 5 flow_start 2h19m55s.000 flow_finish 2h20m5s.000 src_AS 0 src_masklen 0 dst_AS 0 dst_masklen 0 engine_type 10752 engine_id 10752 seq 11273 source 0 crc32 00000000
output_flow_enqueue: offset 1624 alloc 16384

-- What do you say? ;)
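The post notes that pflog and flowd output are hard to line up by time. The 5-tuple is stable across both, so one can correlate them that way instead. The following Python script is an added example, not code from the post or from OpenBSD/flowd; it assumes pflog records in the tcpdump text format quoted above and flowd's `process_flow:` text format, and its regular expressions are written only against those two quoted record layouts. A flow that matches a `block out on vether0` pflog record is one that took the route-to detour and was then dropped, i.e. a blocked connection attempt that pflow nevertheless exported.

```python
import re
from collections import defaultdict

# Records quoted in the post: two pflog lines for one UDP probe, and the flowd record
# that the route-to detour produced for the same 5-tuple.
PFLOG_LINES = [
    "Mar 29 20:42:46.984161 rule 92/(match) [uid 0, pid 54243] pass in on pppoe0: 24.201.182.114.46574 > 188.235.31.7.36824: [udp sum ok] udp 20 [tos 0x70] (ttl 53, id 5542, len 48)",
    "Mar 29 20:42:46.984176 rule 0/(match) [uid 0, pid 54243] block out on vether0: 24.201.182.114.46574 > 188.235.31.7.36824: [udp sum ok] udp 20 [tos 0x70] (ttl 53, id 5542, len 48)",
]
FLOWD_LINES = [
    "process_flow: ACCEPT flow FLOW recv_time 2018-03-29T20:43:42.634715 proto 17 tcpflags 00 tos 00 agent [127.0.0.1] src [24.201.182.114]:46574 dst [188.235.31.7]:36824 gateway [0.0.0.0] packets 3 octets 144 in_if 7 out_if 0 sys_uptime_ms 2h20m51s.000 time_sec 2018-03-29T20:43:42 time_nanosec 634520582 netflow ver 5 flow_start 2h19m55s.000 flow_finish 2h20m5s.000 src_AS 0 src_masklen 0 dst_AS 0 dst_masklen 0 engine_type 10752 engine_id 10752 seq 11273 source 0 crc32 00000000",
]
# Regexes are an assumption about the tcpdump/pflog and flowd text layouts shown above.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) \[uid \d+, pid \d+\] (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifc>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)")
FLOWD_RE = re.compile(
    r"process_flow: .*?proto (?P<proto>\d+) .*?src \[(?P<src>[^\]]+)\]:(?P<sport>\d+) "
    r"dst \[(?P<dst>[^\]]+)\]:(?P<dport>\d+) .*?packets (?P<packets>\d+) octets (?P<octets>\d+)")
PROTO_NAMES = {6: "tcp", 17: "udp"}  # IP protocol numbers as flowd prints them

def parse_pflog(line):
    """Extract action, interface, rule number and 5-tuple from a pflog line (None if no match)."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    # tcpdump names the transport in the payload summary, e.g. "[udp sum ok] udp 20"
    proto = re.search(r"\b(udp|tcp)\b", rec.pop("rest"))
    rec["proto"] = proto.group(1) if proto else "other"
    return rec

def parse_flowd(line):
    """Extract protocol, 5-tuple and counters from a flowd process_flow line (None if no match)."""
    m = FLOWD_RE.search(line)
    if not m:
        return None
    rec = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
    rec["proto"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec

def flow_key(rec):
    return (rec["proto"], rec["src"], str(rec["sport"]), rec["dst"], str(rec["dport"]))

def correlate(pflog_lines, flowd_lines, fake_if="vether0"):
    """Return exported flows whose 5-tuple pflog saw blocked on the fake interface."""
    blocked = defaultdict(list)
    for rec in filter(None, map(parse_pflog, pflog_lines)):
        if rec["action"] == "block" and rec["ifc"] == fake_if:
            blocked[flow_key(rec)].append(rec["rule"])
    return [{**f, "block_rule": blocked[flow_key(f)][0], "pflog_hits": len(blocked[flow_key(f)])}
            for f in filter(None, map(parse_flowd, flowd_lines)) if flow_key(f) in blocked]
```

The `pass in on pppoe0` record is deliberately ignored: only the `block out` record on the fake interface proves the packet went through the detour and was finally dropped.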