On Mon, Feb 06, 2006 at 10:41:03PM +0100, Per-Olov Sjöholm wrote:
> Is there a way to see in any log that the rate limiting, max source nodes,
> max source states etc. is working? It seems I can't find anything about this in the
> pflog... I *can* see that an ssh session is hanging and not connecting and
> assume that the rate limiting is working. But I would like to see this stuff
> in a log file.
>
> Is it possible? How?
The packets blocked in this way are not logged by pflog, as this
feature is intended to deal with DoS-like scenarios (a flood of
packets), and logging them unconditionally would typically fill up
the log.
What you can check, however, is
a) the 'src-limit' counter shown by pfctl -si increases by one for each
packet blocked for this reason.
b) if you add 'overload <table>', source IP addresses of blocked packets
will get added to the table, and you can watch the table get
populated. Also, if you enable debug logging (pfctl -xm), you'll get
one entry in /var/log/messages ('pf_src_connlimit: blocking address')
per added IP address.
Daniel
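A small shell helper that turns the three checks Daniel lists into something a monitoring job can run: parse the 'src-limit' counter out of `pfctl -si`, count the addresses in an overload table listing, and count the 'pf_src_connlimit: blocking address' entries in the debug log. This is an added example, not code from the thread or from the pf project. The sample `pfctl -si`, table and log text below is constructed to resemble pfctl's and syslog's output (the exact syslog prefix and the 192.0.2.x addresses are made up); on a live firewall the functions read from the real commands as shown in the comments.

```shell
#!/bin/sh
# Added example, not from the original thread: account for packets that pf
# dropped via max-src-* / rate limiting without relying on pflog.
# All sample data below is constructed for the example.

# Extract the src-limit counter from `pfctl -si` output read on stdin.
# Prints 0 if the line is absent so callers always get a number.
src_limit_count() {
    awk '$1 == "src-limit" { print $2; found = 1 } END { if (!found) print 0 }'
}

# Packets blocked between two counter snapshots.
src_limit_delta() {
    before="$1"; after="$2"
    echo $((after - before))
}

# Number of addresses in a `pfctl -t <table> -T show` listing read on stdin.
overload_entries() {
    awk 'NF { n++ } END { print n + 0 }'
}

# Number of debug-log lines (pfctl -xm enabled) recording a blocked address.
connlimit_log_hits() {
    grep -c 'pf_src_connlimit: blocking address' || true
}

# --- constructed sample input (format modeled on pfctl -si) -----------------
SAMPLE_SI_BEFORE=$(cat <<'EOF'
Status: Enabled for 0 days 00:12:34           Debug: Misc

Counters
  match                                567            0.1/s
  state-limit                            0            0.0/s
  src-limit                             12            0.0/s
  synproxy                               0            0.0/s
EOF
)

SAMPLE_SI_AFTER=$(cat <<'EOF'
Counters
  match                                812            0.3/s
  state-limit                            0            0.0/s
  src-limit                             47            0.2/s
  synproxy                               0            0.0/s
EOF
)

# Constructed `pfctl -t bruteforce -T show` output (assumes an overload
# table named bruteforce, which the thread does not name).
SAMPLE_TABLE=$(cat <<'EOF'
   192.0.2.10
   192.0.2.77
EOF
)

# Constructed /var/log/messages excerpt; only the pf_src_connlimit message
# text comes from the thread, the syslog prefix is assumed.
SAMPLE_LOG=$(cat <<'EOF'
Feb  6 22:41:03 fw /bsd: pf_src_connlimit: blocking address 192.0.2.10
Feb  6 22:41:09 fw /bsd: pf_src_connlimit: blocking address 192.0.2.77
Feb  6 22:42:00 fw sshd[1234]: Connection closed by 192.0.2.10
EOF
)

# Stand-alone run over the sample data.  On a real host replace the
# printf pipelines with:  pfctl -si | src_limit_count
#                         pfctl -t bruteforce -T show | overload_entries
#                         connlimit_log_hits < /var/log/messages
before=$(printf '%s\n' "$SAMPLE_SI_BEFORE" | src_limit_count)
after=$(printf '%s\n' "$SAMPLE_SI_AFTER" | src_limit_count)
echo "src-limit blocked packets since last snapshot: $(src_limit_delta "$before" "$after")"
echo "addresses in overload table: $(printf '%s\n' "$SAMPLE_TABLE" | overload_entries)"
echo "pf_src_connlimit log entries: $(printf '%s\n' "$SAMPLE_LOG" | connlimit_log_hits)"
```

Run it periodically and store the src-limit value between runs: a growing delta confirms the limiter is firing even though nothing appears in pflog, and the overload table count tells you how many distinct sources have tripped it.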