On Tuesday 07 February 2006 10.41, you wrote:
> On Mon, Feb 06, 2006 at 10:41:03PM +0100, Per-Olov Sjöholm wrote:
> > Is there a way to see in any log that the rate limiting, max source
> > nodes, max source states etc. is working? It seems I can't find anything
> > about this in the pflog... I *can* see that an ssh session is hanging and
> > not connecting and assume that the rate limiting is working. But I would
> > like to see this stuff in a log file.
> >
> > Is it possible? How?
>
> The packets blocked in this way are not logged by pflog, as this
> feature is intended to deal with DoS-like scenarios (a flood of
> packets), and logging them unconditionally would typically fill up
> the log.
>
> What you can check, however, is
>
> a) the 'src-limit' counter shown by pfctl -si increases by one for each
>    packet blocked for this reason.
>
> b) if you add 'overload <table>', source IP addresses of blocked packets
>    will get added to the table, and you can watch the table get
>    populated. Also, if you enable debug logging (pfctl -xm), you'll get
>    one entry in /var/log/messages ('pf_src_connlimit: blocking address')
>    per added IP address.
>
> Daniel
Many thanks

/Per-Olov
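A small shell helper for watching the indicators Daniel lists (the src-limit counter in pfctl -si, the overload table, and the pf_src_connlimit syslog entries). This is an added example, not code from the thread; the pfctl and syslog text below is constructed, and the exact syslog line layout and the table name `bruteforce` are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Example pf.conf rule that turns on
# the behaviour discussed (table name 'bruteforce' is an assumption):
#   table <bruteforce> persist
#   pass in proto tcp to port ssh keep state \
#       (max-src-conn-rate 3/30, overload <bruteforce> flush)
# Live usage on the firewall (pfctl -xm enables the debug log entries):
#   pfctl -si | src_limit_total
#   pfctl -t bruteforce -T show
#   blocked_addresses < /var/log/messages

# Print the total from the 'src-limit' line of `pfctl -si` read on stdin.
# Counters are printed as "  src-limit  <total>  <rate>/s"; take column 2.
# Prints 0 when the line is absent so callers can still do arithmetic.
src_limit_total() {
    awk '$1 == "src-limit" { print $2; found = 1 }
         END { if (!found) print 0 }'
}

# Given two `pfctl -si` snapshots as arguments, print how much src-limit
# grew; a non-zero value means packets were dropped by source limiting.
src_limit_delta() {
    before=$(printf '%s\n' "$1" | src_limit_total)
    after=$(printf '%s\n' "$2" | src_limit_total)
    echo $((after - before))
}

# Unique addresses from debug-log lines of the form
# '... pf_src_connlimit: blocking address <ip>' read on stdin
# (assumes the address is the last field, as in the constructed sample).
blocked_addresses() {
    awk '/pf_src_connlimit: blocking address/ { print $NF }' | sort -u
}

# Constructed sample data standing in for real pfctl and syslog output.
SAMPLE_BEFORE='Counters
  match                            1200            0.3/s
  src-limit                           4            0.0/s
  synproxy                            0            0.0/s'
SAMPLE_AFTER='Counters
  match                            1260            0.3/s
  src-limit                           9            0.0/s
  synproxy                            0            0.0/s'
SAMPLE_LOG='Feb  7 10:41:03 fw /bsd: pf_src_connlimit: blocking address 192.0.2.10
Feb  7 10:41:05 fw /bsd: pf_src_connlimit: blocking address 192.0.2.10
Feb  7 10:41:09 fw /bsd: pf_src_connlimit: blocking address 198.51.100.7'
```

Running `src_limit_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER"` on the sample reports 5 dropped packets, and `blocked_addresses` on the sample log yields the two distinct offending addresses.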
