I am using /usr/share/examples/npf/host-npf.conf. Is there a nice way to test this thing?
On Wed, Jul 10, 2024 at 12:03 AM Brad Spencer <b...@anduin.eldar.org> wrote:
>
> Todd Gruhn <tgru...@gmail.com> writes:
>
> > Logging.
> > Can I set/use npf.log?
> >
> > Do I need to add a line to syslog.conf?
> > I used this to tell ipf to log here.
> >
> > Why can't I see either ipf/npf when I do 'ps -aux'?
>
>
> IPF and NPF log in very different ways.
>
> For NPF you need to put this:
>
> procedure "log" {
>         log: npflog0
> }
>
> in your /etc/npf.conf file and then on every rule you want to have a log
> entry you put an 'apply "log"' directive. Something like this:
>
> block out family inet4 to any port $xennet4_tcp_udp apply "log"
>
> I believe that there are examples in the npf.conf(5) man page and
> /usr/share/examples/npf.
>
> With the above, you will get another network interface called npflog0
> that you can tcpdump against and see what was logged, as NPF logs actual
> packets. There is no text file output and nothing for syslog. If you
> want a file to automatically be created, you can run npfd. See the
> npfd(8) man page for examples on how to do this. This will create a
> binary file that you can feed into tcpdump to decode the logged packet.
> Again, there is no text output. With NPF, what is logged is the actual
> packet, plus some additional metadata about which rule fired. See the
> man pages for more information.
>
> For IPF, the logging is done with ipmon which can be instructed to log
> to a certain syslog facility, which can be put into a file, or whatever,
> by syslogd.
>
>
> In either the NPF or IPF case, there won't be a daemon running for the
> firewall / NAT parts. For NPF, there might not be a daemon running for
> logging either, if you don't care about file output. If your only
> interest is in real time logs then just tcpdump the npflog interface.
> Note that since this is a NIC, more than one process can tcpdump it and
> nothing will be lost.
>
> For IPF, ipmon has to be running correctly to get log output and only
> one ipmon can be running. If you have more than one running, they will
> steal information from each other (like say, you have one running the
> output to a file and one running the output to stdout, you won't get
> everything from either of them).
>
> For NPF, you can do some clever stuff with tcpdump against the npflog
> interface where that output is piped into something else and maybe, for
> example, sent to Elasticsearch to be viewed and digested in detail. For
> IPF, the same thing can happen with ipmon, which can send its output to
> stdout and onto something, for example, like Elasticsearch.
> Etc.. etc.. etc..
>
>
> --
> Brad Spencer - b...@anduin.eldar.org - KC8VKS - http://anduin.eldar.org
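Putting the pieces from the reply together, here is a minimal host npf.conf with the "log" procedure attached to the rule that refuses inbound traffic. This is an added example, not the thread's own config or the file from /usr/share/examples/npf; the interface name wm0 is an assumption.

```conf
# Added example (not from the thread): minimal host firewall with NPF logging.
# "wm0" is an assumed interface name; replace it with the real one.
$ext_if = "wm0"

# Logged packets are copied to the pseudo-interface npflog0, where tcpdump
# can read them. Nothing is written to syslog or to a text file.
procedure "log" {
        log: npflog0
}

group "external" on $ext_if {
        # Outbound traffic is allowed and tracked, so replies come back in.
        pass stateful out final all

        # Only SSH is accepted from outside.
        pass stateful in final family inet4 proto tcp to $ext_if port ssh

        # Everything else inbound is refused and logged, so each dropped
        # packet (plus which rule fired) appears on npflog0.
        block in final all apply "log"
}

group default {
        pass final on lo0 all
        block all
}
```

To test it, run `npfctl validate /etc/npf.conf` to check the syntax, `npfctl reload` to load it, then `tcpdump -n -i npflog0` in another terminal and watch the refused packets arrive in real time.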