On May 18, 2006, at 4:25 PM, Daniel Hartmeier wrote:

On Thu, May 18, 2006 at 04:10:22PM -0400, Chad M Stewart wrote:

For some reason I'm not seeing every blocked packet logged.

Why do you expect every blocked packet to get logged? Not all your block rules use 'log'. Packets could easily get blocked by a rule without 'log',
hence get blocked but not logged.


# cat /etc/pf.conf |grep -v ^# |grep block
set block-policy return
block in log all
block log quick inet proto tcp from <ssh-denied> to $ssh_servers port ssh label accessive-ssh
#

I'm trying to debug why some traffic is not working. If I could see logs indicating the packet(s) are being dropped, it would be helpful. I'd rather start with too much information being logged and trim it down later. Or at least enable when debugging and turn off after.

Here's my entire pf.conf file

# cat /etc/pf.conf |grep -v ^#

ext_if="rl0"
int_if="rl1"
pfsync_if="rl2"
carp_interfaces="{ carp0, carp1 }"
carp_int="carp1"
carp_ext="carp0"
all_if="{ rl0, rl1, rl2, carp0, carp1 }"


aol_im_port="5190, 9898"

ssh_servers="192.168.1.6"
dns_servers="192.168.1.6"
mail_servers_mx="192.168.1.23"
mail_servers_stores="192.168.1.7"
mail_store_ports=" { 465 2525 110 143 993 } "
web_servers="192.168.1.6"

limit_ssh="(max-src-conn 5, max-src-conn-rate 1/5, overload <ssh-denied> flush)"
limit_smtp="(max-src-conn 3, max-src-conn-rate 1/5, overload <smtp-denied> flush)"

limit_www_clients="(max-src-conn-rate 100/10, overload <www-denied> flush global)"


table <ssh-denied> persist
table <www-denied> persist
table <smtp-denied> persist
table <smtpallow> persist { $mail_servers_stores, $mail_servers_mx }


set require-order yes
set block-policy return
set optimization normal
set limit { frags 5000, states 10000 }
set timeout interval 30
set timeout frag 30
set loginterface $ext_if
set skip on lo0
set skip on $pfsync_if    # might not want this

scrub in  on $carp_ext all           fragment reassemble
scrub out on $carp_ext all random-id fragment reassemble



nat from $carp_int:network to any -> $carp_ext


nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"



rdr inet proto tcp from any to $carp_ext port 22 -> $ssh_servers

rdr inet proto { tcp, udp } from any to $carp_ext port 53 -> $dns_servers


rdr proto tcp from $carp_int:network to any port 21 -> 127.0.0.1 port 8021

rdr inet proto { tcp } from any to $carp_ext port smtp -> $mail_servers_mx
rdr inet proto { tcp } from any to $carp_ext port $mail_store_ports -> $mail_servers_stores

rdr inet proto { tcp } from any to $carp_ext port www -> $web_servers




block in log all



# antispoof expands into 'block drop in' rules of its own; without the 'log'
# keyword (antispoof log for ...) packets those rules drop never reach pflog
antispoof for $all_if inet

block log quick inet proto tcp from <ssh-denied> to $ssh_servers port ssh label accessive-ssh




pass out on $all_if modulate state

anchor "ftp-proxy/*"







pass on { $ext_if $int_if } proto carp modulate state

pass in inet proto icmp from any to self icmp-type echoreq modulate state

pass in inet proto tcp from $int_if:network to $int_if port ssh flags S/SA modulate state


pass in log inet proto tcp from any to $ssh_servers port ssh \
flags S/SA synproxy state $limit_ssh



pass in inet proto tcp from any to $web_servers port www flags S/SA synproxy state $limit_www_clients
pass in inet proto { tcp, udp } from any to $dns_servers port domain flags S/SA synproxy state
pass in inet proto tcp from any to $mail_servers_mx port smtp flags S/SA synproxy state
pass in inet proto tcp from any to $mail_servers_stores port $mail_store_ports flags S/SA synproxy state


pass in inet proto tcp from <smtpallow> to any port { smtp } flags S/SA modulate state


pass in inet proto tcp from $carp_int:network to any port whois modulate state

pass in inet proto { tcp, udp } from $carp_int:network to any port { domain, ntp } modulate state
pass in inet proto icmp from $carp_int:network to any icmp-type echoreq modulate state
pass in inet proto tcp from $carp_int:network to any \
port { ldap, ldaps, ssh, www, https, imaps, 465, 587 $aol_im_port } flags S/SA modulate state


pass in inet proto tcp from $carp_int:network to any port ftp modulate state

pass in inet proto tcp from $carp_int:network to any port 1935 modulate state

pass in inet proto udp from 192.168.1.46 to any modulate state
pass in inet proto udp from 192.168.1.145 to any modulate state


pass in inet proto udp from any port { 5060, 5190, 5678 } to $carp_int:network modulate state
pass in inet proto tcp from any port { 5060, 5190, 5220, 5222, 5678, 16384:16834 } to \
$carp_int:network port { 5060, 5190, 16384:16403 } modulate state

pass in inet proto udp from $carp_int:network port { 5060, 5190, 16384:16834 } to any port { 5060 5190 5678 16384:16834 } modulate state
pass in inet proto tcp from $carp_int:network port { 5060, 5190, 5220, 5222, 16384:16834 } to \
any port { 5060, 5190, 5678, 16384:16403 } modulate state


pass in inet proto udp from $carp_int:network to any port 33433 >< 33626 keep state

pass in inet proto {tcp,udp} from $carp_int:network to any port 3074 modulate state
pass in inet proto {udp} from $carp_int:network to any port 88 modulate state

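Daniel's point, that a rule without 'log' blocks silently, is easiest to check against the loaded ruleset rather than the source file, because `pfctl -sr` prints the expanded rules, including the ones `antispoof` generates and which carry no 'log'. The script below is an added example and not code from this thread: the ruleset text embedded in it is constructed to resemble what pfctl would print for the configuration above (addresses and expansion details are assumptions), and the `--live` flag assumes it is run as root on the firewall itself.

```python
#!/usr/bin/env python3
"""List block rules in a pf ruleset that will not log what they drop.

Reads the output format of `pfctl -sr` (or `pfctl -vsr`), where macros,
lists and antispoof directives have already been expanded into individual
rules, and reports every 'block' rule without the 'log' keyword.
"""
import re
import subprocess
import sys
from typing import List

# Constructed sample (not real pfctl output) of what `pfctl -sr` might print
# for the ruleset in the thread: the two explicit 'block ... log' rules, the
# rules 'antispoof for $all_if inet' expands into (no 'log' on those), and a
# couple of pass rules.  Addresses are assumptions.
SAMPLE_RULESET = """\
block return in log all
block drop in on ! rl0 inet from 203.0.113.0/24 to any
block drop in inet from 203.0.113.1 to any
block drop in on ! rl1 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.1 to any
block return log quick inet proto tcp from <ssh-denied> to 192.168.1.6 port = ssh label "accessive-ssh"
pass out on rl0 all flags S/SA modulate state
pass in inet proto icmp from any to (self) icmp-type echoreq keep state
"""

# Once one of these keywords appears, the optional leading keywords
# ('log', 'quick') can no longer follow, so scanning stops there.  That also
# keeps a 'log' inside a label string from being mistaken for the keyword.
_BODY_START = {"on", "inet", "inet6", "proto", "from", "to", "all"}

_RULE_NUMBER = re.compile(r"^@\d+\s+")      # '@3 block ...' from pfctl -vsr
_LOG_KEYWORD = re.compile(r"^log($|-|\()")  # 'log', 'log-all', 'log(all)'


def is_unlogged_block(rule: str) -> bool:
    """True if `rule` (one ruleset line) is a block rule without 'log'."""
    tokens = _RULE_NUMBER.sub("", rule.strip()).split()
    if not tokens or tokens[0] != "block":
        return False
    for tok in tokens[1:]:
        if tok in _BODY_START:
            break
        if _LOG_KEYWORD.match(tok):
            return False
    return True


def unlogged_block_rules(ruleset_text: str) -> List[str]:
    """Return every block rule in `ruleset_text` that drops without logging."""
    found = []
    for raw in ruleset_text.splitlines():
        line = raw.strip()
        # Blank lines and the '[ Evaluations: ... ]' counters of -vsr output
        # are not rules.
        if not line or line.startswith("["):
            continue
        if is_unlogged_block(line):
            found.append(_RULE_NUMBER.sub("", line))
    return found


def main(argv: List[str]) -> int:
    if "--live" in argv:
        # Assumption: running as root on the firewall, where pfctl -sr prints
        # the currently loaded, fully expanded ruleset.
        text = subprocess.run(["pfctl", "-sr"], check=True,
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_RULESET
    rules = unlogged_block_rules(text)
    if not rules:
        print("every block rule carries 'log'")
        return 0
    print("block rules without 'log' (their matches never reach pflog):")
    for rule in rules:
        print("  " + rule)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it reports the four antispoof-generated rules in the constructed sample; with `--live` it does the same against the ruleset pf has actually loaded, which is the one that decides whether a dropped packet shows up in `tcpdump -n -e -ttt -i pflog0`.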