jared r r spiegel wrote:
Why would I not see the dropped packets in my log file (pflog0)?
in this case i think you would. i looked back at the original pf.conf you posted that the other fellow replied to and the 'block all' didn't have the "$log_flg" in it (cute idea, btw)...
Thanks. What can I say? I'm lazy. :) Now I just have to create a command-line argument for my lfw (load firewall) wrapper script that checks the validity of the rules, dumps any current rules, and loads the new rules. I'll add this script at the bottom of this message for anyone who wants it.
is it possible that you weren't seeing them before, but added the $log_flg to this pf.conf after the problem?
I looked and this is exactly what happened. I looked and I am seeing items like this:
Jan 19 07:43:46.952091 rule 0/0(match): block in on xl1: 10.248.0.145.1211 > 255.255.255.255.1211: udp 95
Jan 19 07:43:57.109716 rule 0/0(match): block in on fxp0: 200.165.174.115.1847 > 24.174.112.98.1434: udp 376
Jan 19 07:44:51.013127 rule 14/0(match): block in on fxp0: 10.49.160.1.67 > 255.255.255.255.68: xid:0x85eca861 flags:0x8000 [|bootp]
BTW, I'm getting *tons* of these! Is it someone hammering my box trying to find a weakness?
Should I be setting pflog0 as my loginterface instead of fxp0?
nope, 'loginterface' is for the interface pf collects operational statistics on ( eg pfctl -si ). i believe the interface name and number, pflog0, are hardcoded.
then pflogd(8) listens to pflog0 and redirects that down into /var/log/pflog ( by default ).
Ahhhh cool. That's good. And, speaking of statistics, when I stop my tcpdump (tcpdump -nettti pflog0), it shows:
265 packets received by filter
0 packets dropped by kernel
If I have set block-policy drop, shouldn't I be seeing these packets dropped instead of blocked?
rvb
==================================== lfw - Load Firewall Rulesets script ====================================

#!/bin/ksh
#=================================
# Load Firewall Rules (lfw):
#
# A program to check validity of
# a nat/firewall ruleset, flush
# all existing rules, and load
# the new, valid ruleset.
#
# Author: rvb
# Date  : 12.23.2004
#=================================

. ~/.profile

pgm_nm=`basename $0`

if [ "$#" -ne 1 ]
then
    echo ""
    echo "Usage: $pgm_nm <file>"
    echo ""
    echo "Note : <file> must conform to pf.conf rules"
    echo "       See man pf.conf for details"
    echo ""
    exit 1
fi

file="$1"

if [ -e "$file" ]
then
    echo ""
    echo "checking the rules in $file..."
    # -n parses the ruleset without loading it
    sudo pfctl -nf "$file"
    if [ $? -eq 0 ]
    then
        echo ""
        echo "flushing all existing rules..."
        # -F all also clears NAT/queue rules, states, tables and counters
        sudo pfctl -F all
        if [ $? -ne 0 ]
        then
            echo ""
            echo "pfctl -F all was not successful!"
            exit 1
        fi
    else
        echo ""
        echo "pfctl -nf $file was not successful!"
        exit 1
    fi

    echo ""
    echo "loading the rules from $file"
    sudo pfctl -f "$file"
    if [ $? -eq 0 ]
    then
        echo ""
        echo "ruleset loaded!"
        echo ""
    else
        echo ""
        echo "pfctl -f $file was not successful!"
        exit 1
    fi
else
    echo ""
    echo "$file does not exist!"
    exit 1
fi
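As an added example (not from the thread and not part of rvb's script): a small sh/awk summariser for the tcpdump-style pflog lines quoted earlier in the message, counting blocked packets per rule, interface, source address and destination port so that repeated hits from one source stand out. The sample input is constructed from the three quoted lines plus two invented ones in the same "tcpdump -nettti pflog0" format.

```shell
#!/bin/sh
# Constructed sample: the three lines quoted in the message plus two
# invented repeats from the same source (assumption: same tcpdump format).
# pflog shows the rule action ("block") whichever block-policy is set;
# block-policy only decides whether a RST/ICMP unreachable is sent back.
PFLOG_SAMPLE='Jan 19 07:43:46.952091 rule 0/0(match): block in on xl1: 10.248.0.145.1211 > 255.255.255.255.1211: udp 95
Jan 19 07:43:57.109716 rule 0/0(match): block in on fxp0: 200.165.174.115.1847 > 24.174.112.98.1434: udp 376
Jan 19 07:44:51.013127 rule 14/0(match): block in on fxp0: 10.49.160.1.67 > 255.255.255.255.68: xid:0x85eca861 flags:0x8000 [|bootp]
Jan 19 07:45:02.000001 rule 0/0(match): block in on fxp0: 200.165.174.115.1848 > 24.174.112.98.1434: udp 376
Jan 19 07:45:03.000002 rule 0/0(match): block in on fxp0: 200.165.174.115.1849 > 24.174.112.98.1434: udp 376'

# pflog_summary: read pflog text on stdin, print
# "count rule iface src dport", highest count first.
pflog_summary() {
    awk '
    $4 == "rule" && $6 == "block" {
        rule = $5;  sub(/\(match\):/, "", rule)   # "0/0(match):" -> "0/0"
        iface = $9; sub(/:$/, "", iface)           # "fxp0:" -> "fxp0"
        src = $10;  sub(/\.[0-9]+$/, "", src)      # drop the source port
        dst = $12;  sub(/:$/, "", dst)
        n = split(dst, p, "."); dport = p[n]       # last dotted field is the port
        key = rule " " iface " " src " " dport
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# top_source: the source address with the most blocked packets in the sample.
top_source() {
    printf '%s\n' "$PFLOG_SAMPLE" | pflog_summary | head -n 1 | awk '{print $4}'
}

printf '%s\n' "$PFLOG_SAMPLE" | pflog_summary
```

Feed it `tcpdump -n -e -ttt -r /var/log/pflog` output instead of the sample to summarise a real day's log.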
