The FIN/RST packets match the existing state created by the "pass" rule,
so these packets don't touch the ruleset at all.

Sounds like you either want "no state" (though this has many drawbacks),
extra code to do something between "log" and "log (all)", or some other
way to record these sessions (pflow?).


On 2009-06-22, Csaba Szip <[email protected]> wrote:
> Hi!
>
> I would like to log a SYN packet in the beginning of sessions and the
> FIN and/or RST packet at the end with the new match action.
>
> cat pf.conf
>
> set skip on lo
> block in log
> pass out
>
> match in log flags S/S
> match in log flags F/F
> match in log flags R/R
> pass in proto tcp from any to (vic0) port 22
>
>
> If I initiate a new ssh connection to the firewall, the match condition
> seems OK.
>
> Jun 22 13:04:17.797771 rule 2/(match) match in on vic0:
> 192.168.229.1.3711 > 192.168.229.128.22: S 326636544:326636544(0) win
> 65535 <mss 1460,nop,nop,sackOK> (DF)
>
> But if I terminate the ssh session, I don't see any further logs.
>
> So my question is: Is it possible to use the match action for this
> scenario (or something else), or have I totally misunderstood something?
>
> Thx
> Godot
>
> PS: Sorry if my English is terrible
>
>

Your English is ok and clearly understandable. I've seen much worse
from native speakers. :)
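The three alternatives named in the reply, written out as an added pf.conf example (this is not the original poster's config and not something from the thread). It assumes the same layout as the quoted ruleset: SSH arriving on vic0, pflog0 as the log interface, and, for the last variant, a pflow0 interface configured separately.

```pf
# Added example, not the poster's pf.conf. Assumes SSH arrives on vic0,
# pflog0 is the log interface, and pflow0 is configured elsewhere.
set skip on lo
block in log
pass out

# Option A: log every packet of the state. Once the "pass" rule has
# created state, the FIN/RST packets never re-enter the ruleset, so a
# "match ... flags F/F" or "flags R/R" rule cannot fire for them.
# "log (all)" is the stock way to get the teardown packets onto pflog0;
# the cost is that every data packet of the session is logged as well.
pass in log (all) proto tcp from any to (vic0) port 22

# Option B: stateless. Each packet is evaluated against the ruleset, so
# flag-specific match rules see the SYN, FIN and RST. Drawbacks: no
# sequence-number tracking, and the reply direction must also be
# stateless, otherwise the state that "pass out" creates on the SYN/ACK
# matches the client's later FIN/RST and they skip the ruleset again.
# match in log proto tcp from any to (vic0) port 22 flags S/S
# match in log proto tcp from any to (vic0) port 22 flags F/F
# match in log proto tcp from any to (vic0) port 22 flags R/R
# pass in proto tcp from any to (vic0) port 22 no state
# pass out proto tcp from (vic0) port 22 to any no state

# Option C: keep state but export one flow record per session (start and
# end time, packets, bytes) on pflow(4) instead of logging packets.
# pass in proto tcp from any to (vic0) port 22 keep state (pflow)
```

With option A the session boundaries can be pulled back out of the log afterwards with a tcpdump filter on the TCP flags, for example `tcpdump -n -e -ttt -i pflog0 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'`, which drops the data packets and leaves only the setup and teardown packets. Option C does not produce per-packet log lines at all; the session start and end come from the pflow record's timestamps.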
