Dan,

This one is simple to explain. The first number printed after the label
name is the number of times the rule with that label was _evaluated_.

Thanks. I was reading "Building Firewalls with OpenBSD and PF" and according to it the first number is "number of positive rule matches". While it has been a long day, I read that to mean the rule has to match, i.e. the number would only be incremented if the source OS matched, in my examples.


The second number is the number of packets that matched the rule last
(that were passed or blocked because of this rule), and the third is the
sum of the sizes of these packets.

Since your "os OpenBSD" rule is the last one in the block, a packet from
an OpenBSD client will cause evaluation of all rules in the block. It
won't match any of those rules but the last one, but it causes each
one's evaluation.

Now that I know it is evaluation and not positive match, things make more sense.


There was a single connection. The first packet of the connection caused
evaluation of each rule. It last matched the final 'OpenBSD' rule,
passed, and created state. Then there were 10 additional packets related
to the connection. These did not cause any ruleset evaluations, as they
matched the created state. Hence, the evaluation counters didn't
increase anymore for those 10 packets, but the packet and size counters
(11 and 691) did.

spamd Windows .NET 2 0 0
spamd Windows 2000 2 8 485
spamd Windows XP 1 0 0
spamd Windows NT 1 0 0
spamd Windows 95 1 0 0
spamd Windows 98 1 0 0
spamd OpenBSD 1 11 691
spamd undefined 0 0 0

Now a "Windows 2000" client connected, and the same thing happened. But because the first rule matched (and it has the 'quick' option), no further rules were evaluated. There must have been two connections from "Windows 2000" clients, and a total of 8 packets with a sum of 485 bytes.


I would really like to be able to track OS fingerprint to source IP. Not a specific IP, but rather any incoming IP that gets sent to spamd. It could make for some interesting correlation between virus/spam/etc.

Is this possible or am I going down a path that leads nowhere?


Thanks again, Chad
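As an added example that is not part of this thread, a small parser for the label counter lines quoted above (label, evaluations, packets, bytes, in that order). Labels contain spaces, so the three counters are taken from the right; the sample is the output quoted in the thread, embedded here as constructed input, and the helper names are my own.

```python
"""Parse `pfctl -s labels` style counter lines and summarise what the
evaluation and packet counters say about each rule."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: the counter lines quoted in the thread.
SAMPLE = """\
spamd Windows .NET 2 0 0
spamd Windows 2000 2 8 485
spamd Windows XP 1 0 0
spamd Windows NT 1 0 0
spamd Windows 95 1 0 0
spamd Windows 98 1 0 0
spamd OpenBSD 1 11 691
spamd undefined 0 0 0
"""


@dataclass
class LabelCounters:
    label: str
    evaluations: int  # times the rule was evaluated, not matched
    packets: int      # packets passed/blocked by this rule (incl. state hits)
    nbytes: int       # sum of the sizes of those packets


def parse_labels(text: str) -> list[LabelCounters]:
    """Split each line into label + three trailing integer counters.
    The label may itself contain spaces, so counters come from the right."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        *label_parts, evals, pkts, nbytes = fields
        rows.append(LabelCounters(" ".join(label_parts),
                                  int(evals), int(pkts), int(nbytes)))
    return rows


def never_matched(rows: list[LabelCounters]) -> list[str]:
    """Rules reached by the evaluator but which never passed or blocked a
    packet: evaluation counter advanced, packet counter stayed at zero."""
    return [r.label for r in rows if r.evaluations > 0 and r.packets == 0]


def never_evaluated(rows: list[LabelCounters]) -> list[str]:
    """Rules no packet ever reached, e.g. because an earlier 'quick' rule
    or an existing state entry handled every packet first."""
    return [r.label for r in rows if r.evaluations == 0]
```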


