On Sat, Nov 26, 2016 at 02:05:55PM +0100, Pau Amaro-Seoane wrote:
> Hi Josh et al:
>
> I have been trying to use tcpdump after applying these rules:
>
> # cat /etc/pf.conf
> match log
> block
> pass from self to any
>
> and I get this:
>
> # tcpdump -ni pflog0
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
>
> ^C
> 0 packets received by filter
> 0 packets dropped by kernel
>
> With those pf.conf rules I am not able to do anything. All outgoing
> traffic seems to be blocked.
I have a correction to my part 3 instructions. As provided to you, and as applied here, they would have shown a log entry for every packet processed by PF but not which rule passed or blocked it. But it appears that PF is not enabled, because no packets are being logged. PF must be enabled in order to obtain log information.

Correction #1
-------------

My "match" command will only log every packet as it enters PF, but not as it is blocked or passed. That is because the "match log" rule is not sticky, the way that a "match" rule for other options does apply to later block or pass rules. So remove the match rule, and instead, add "log" to the block and the "pass" rules, such as:

block log
pass log from self to any

Correction #2
-------------

Along with enabling PF in order to log, you forgot to use the -e option with your tcpdump(8) command as Stuart recommended. :)

After revising the pf.conf file per Correction #1, be sure to enable PF when you load the revised rule set:

# pfctl -ef /etc/pf.conf

Start tcpdump(8) with three options: -n, -e, and -i.

# tcpdump -nei pflog0

_______________________________________________
Openbsd-newbies mailing list
Openbsd-newbies@sfobug.theapt.org
http://mailman.theapt.org/listinfo/openbsd-newbies
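An added example, not from anyone in the thread: a small Python parser for the `rule N/(reason) action dir on ifname:` prefix that `tcpdump -nei pflog0` prints for PFLOG frames on OpenBSD, tallying hits per rule so a blocked flow can be traced back to the rule that dropped it. The sample log lines are constructed to match the corrected two-rule set (rule 0 `block log`, rule 1 `pass log from self to any`); the regex reflects the pflog header format as I know it.

```python
import re
from collections import Counter

# Header that tcpdump -e prints in front of each PFLOG record (OpenBSD format,
# as known to the author of this example): timestamp, rule number (possibly
# with an anchor sub-rule), reason, action, direction, interface.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>[\w.]+)/\((?P<reason>[^)]+)\)\s+"
    r"(?P<action>pass|block|match|scrub|nat|rdr|binat)\s+(?P<dir>in|out)"
    r"\s+on\s+(?P<ifname>\S+):\s+(?P<rest>.*)$"
)


def parse_pflog_line(line):
    """Return the pflog header fields as a dict, or None if the line is not a pflog record."""
    m = PFLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Count records per (interface, rule, action, direction).

    Lines that are not pflog records (tcpdump banners, blank lines) are skipped,
    so the function can be fed the raw tcpdump output.
    """
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        counts[(rec["ifname"], rec["rule"], rec["action"], rec["dir"])] += 1
    return counts


# Constructed sample output (not captured from a real host); rule 0 is the
# "block log" rule, rule 1 the "pass log from self to any" rule.
SAMPLE = """\
tcpdump: listening on pflog0, link-type PFLOG
14:05:01.123456 rule 0/(match) block in on em0: 203.0.113.7.40000 > 192.0.2.10.22: S 1:1(0) win 65535
14:05:01.223456 rule 1/(match) pass out on em0: 192.0.2.10.51235 > 198.51.100.5.53: 12345+ A? example.com. (29)
14:05:02.323456 rule 0/(match) block in on em0: 203.0.113.9.40001 > 192.0.2.10.23: S 1:1(0) win 65535
"""

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE.splitlines()).items()):
        ifname, rule, action, direction = key
        print(f"{ifname} rule {rule}: {action} {direction} x{n}")
```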