On Thu, Jan 27, 2005 at 01:08:07PM -0500, Peter Fraser wrote:

> I asked and received a response from Jeff Quast [EMAIL PROTECTED]
>
> > > It would be nice if pfctl could turn on or turn off logging by rule
> > > number. Or another possibility is a logging level i.e. log1 log2 log3 etc
> > > controllable by pfctl.
> > >
> > > Please examine the label parameter.
> > > Please read the manual.
>
> Well I believe I read the manual, and I don't see any method of using
> the label parameter to affect anything in pflog files.
pflog used to include the label of the rule that logged the packet for each packet, but this has changed since. Now pflog includes the anchor name instead (space in the pcap header is limited, unfortunately). The use of this is shown in the authpf(8) man page (search for "bbeck").

You probably don't want to put rules into individual anchors just for this logging purpose. But check the pflogd(8) man page. It explains how to use pcap filter expressions to filter pflog by rule number and other criteria. You could, for instance, run multiple pflogd instances, each logging packets from a specific rule number into separate files, etc.

If you log everything into one pcap file, you can use filter expressions when running tcpdump to convert the pcap file into plain text. It's quite powerful, once you understand it.

Daniel
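
What filtering a pflog file by rule number comes down to, as an added example (not part of the message above and not OpenBSD code): a Python reader that groups the packets of one pflog pcap file by anchor name and rule number. The header layout is an assumption taken from OpenBSD's net/if_pflog.h; the capture, the interface name and the anchor name "example" are constructed.

```python
import struct
from collections import defaultdict

DLT_PFLOG = 117  # pcap link type of pflog captures
# Assumed pfloghdr layout: length, af, action, reason (1 byte each),
# ifname[16], ruleset[16] (anchor name), rulenr, subrulenr (u32, network order).
PFLOG_FMT = "!BBBB16s16sII"

def split_by_rule(pcap: bytes) -> dict:
    """Group packet payloads of a pflog capture by (anchor, rule number)."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"   # file written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(end + "I", pcap, 20)[0]
    if linktype != DLT_PFLOG:
        raise ValueError(f"link type {linktype} is not DLT_PFLOG")
    groups, off = defaultdict(list), 24
    while off + 16 <= len(pcap):
        _sec, _usec, caplen, _wirelen = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16 : off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < struct.calcsize(PFLOG_FMT):
            continue  # snaplen cut into the pflog header; nothing to classify
        fields = struct.unpack_from(PFLOG_FMT, frame)
        hlen, ruleset, rulenr = fields[0], fields[5], fields[6]
        anchor = ruleset.split(b"\0", 1)[0].decode("ascii", "replace")
        payload = frame[(hlen + 3) & ~3:]  # header is padded to 4 bytes
        groups[(anchor, rulenr)].append(payload)
    return dict(groups)

def sample_capture() -> bytes:
    """Constructed capture: rules 3 and 7 in the main ruleset, rule 3 in an anchor."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 160, DLT_PFLOG)
    for n, (rule, anchor) in enumerate([(3, b""), (7, b""), (3, b"example")]):
        # length=45, af=2 (AF_INET), action=1 (drop), reason=0, no subrule
        hdr = struct.pack(PFLOG_FMT, 45, 2, 1, 0, b"em0", anchor, rule, 0xFFFFFFFF)
        frame = hdr + b"\x01\x00\x00\x00" + bytes([0x45, n])  # dir + pad, fake payload
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for (anchor, rule), pkts in sorted(split_by_rule(sample_capture()).items()):
        print(f"anchor={anchor or '(main)'} rule={rule} packets={len(pkts)}")
```

Rule numbers are only unique within one ruleset, which is why the grouping key includes the anchor name.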
