On Mon, Feb 06, 2006 at 10:41:03PM +0100, Per-Olov Sjöholm wrote:

> Is there a way to see in any log that the rate limiting, max source nodes,
> max source states etc. is working? It seems I can't find anything about this
> in the pflog... I *can* see that an ssh session is hanging and not
> connecting and assume that the rate limiting is working. But I would like
> to see this stuff in a log file.
>
> Is it possible? How?
The packets blocked in this way are not logged by pflog, as this feature is
intended to deal with DoS-like scenarios (a flood of packets), and logging
them unconditionally would typically fill up the log.

What you can check, however, is

a) the 'src-limit' counter shown by pfctl -si increases by one for each
   packet blocked for this reason.

b) if you add 'overload <table>', source IP addresses of blocked packets will
   get added to the table, and you can watch the table get populated.

Also, if you enable debug logging (pfctl -xm), you'll get one entry in
/var/log/messages ('pf_src_connlimit: blocking address') per added IP
address.

Daniel
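The checks Daniel lists (the src-limit counter from pfctl -si, the overload table, and the debug-log entries after pfctl -xm) can be polled from a small script run on the firewall. The script below is an added example and is not part of the original thread or of pf itself. It assumes an OpenBSD-style pfctl, a pf.conf rule that overloads into a table named <bruteforce> (the table name and the 5/30 rate in the comment are illustrative choices, not from the thread), and that it runs as root; the two sample outputs embedded at the end are constructed so the parsing functions can be exercised without a pf host.

```sh
#!/bin/sh
# Added example (not from the original thread or from pf): watch the
# evidence pf leaves when a source is rate-limited.
#
# Assumed pf.conf fragment the script is meant to observe (illustrative):
#   table <bruteforce> persist
#   pass in on egress proto tcp to port ssh keep state \
#       (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Extract the 'src-limit' packet counter from `pfctl -si` output on stdin.
# The Counters section prints "  src-limit   <count>   <rate>/s".
src_limit_count() {
    awk '$1 == "src-limit" { print $2; exit }'
}

# Count the addresses listed by `pfctl -t <table> -T show` (read from stdin).
# pfctl prints one address per line; blank output means an empty table.
overload_table_size() {
    awk 'NF > 0 { n++ } END { print n + 0 }'
}

# After `pfctl -xm`, pf writes one line per blocked address to
# /var/log/messages; this pulls those lines out of a log file.
src_connlimit_log() {
    grep 'pf_src_connlimit: blocking address' "${1:-/var/log/messages}"
}

# Poll the counter and the table once a second and report any change.
# Only meaningful on a host running pf (needs root for pfctl).
watch_src_limit() {
    table=${1:-bruteforce}
    prev_cnt=$(pfctl -si 2>/dev/null | src_limit_count)
    prev_tbl=$(pfctl -t "$table" -T show 2>/dev/null | overload_table_size)
    while :; do
        sleep 1
        cnt=$(pfctl -si 2>/dev/null | src_limit_count)
        tbl=$(pfctl -t "$table" -T show 2>/dev/null | overload_table_size)
        if [ "$cnt" != "$prev_cnt" ]; then
            echo "$(date '+%FT%T') src-limit counter: $prev_cnt -> $cnt"
        fi
        if [ "$tbl" != "$prev_tbl" ]; then
            echo "$(date '+%FT%T') <$table> now holds $tbl address(es):"
            pfctl -t "$table" -T show 2>/dev/null
        fi
        prev_cnt=$cnt
        prev_tbl=$tbl
    done
}

# Constructed sample of the Counters section of `pfctl -si` (abridged).
SAMPLE_SI='Counters
  match                            12345   3.2/s
  state-limit                          0   0.0/s
  src-limit                           42   0.1/s
  synproxy                             0   0.0/s'

# Constructed sample of `pfctl -t bruteforce -T show` with two entries
# (RFC 5737 documentation addresses).
SAMPLE_TABLE='   192.0.2.10
   198.51.100.7'

# Stand-alone run: exercise the parsers on the constructed samples.
# On a real firewall you would instead call:  watch_src_limit bruteforce
echo "src-limit from sample: $(printf '%s\n' "$SAMPLE_SI" | src_limit_count)"
echo "table size from sample: $(printf '%s\n' "$SAMPLE_TABLE" | overload_table_size)"
```

Run watch_src_limit on the firewall while retrying the rate-limited connection from a test host; the counter line confirms the limit is being hit even before the overload table fills, which matters because max-src-conn-rate counts new connections and only adds the address to the table once the threshold is crossed.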