Re: when used pfctl should log any changes to state of FW
On Tue, Nov 21, 2017 at 1:21 PM, S. Donaldson wrote:

> So why does pfctl not appear to (I could not find a command line option - nor
> previous request)
> log to syslog every command (who when what exit status) that changes
> anything within
> the pf context such as : rules, table contents, states?

pfctl doesn't do this because it is so easily evaded. Anyone with the access to run pfctl also has the access to compile their own version with logging disabled. The only way to prevent this is to deny people root access, and once you have done that there are far easier ways to log who is doing what, for example doas(1).

-ken
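A concrete form of the doas(1) approach Ken points to, added here as an illustration and not part of either message: a doas.conf(5) that lets a firewall-admin group run pfctl as root while doas records each invocation to syslog. The group name "fwadmin" and the user "scott" are assumed; everything else is standard doas.conf syntax.

```conf
# Constructed example /etc/doas.conf (not from the thread). The group
# "fwadmin" and the user "scott" are assumptions.
#
# doas(1) logs every permitted command to syslogd(8) via the authpriv
# facility unless a rule carries the "nolog" option, so the who/what/when
# record the original post asks for lives in the doas log, not in pfctl.
# The last matching rule wins.

# Read-only views of the ruleset and state table: no password needed.
permit nopass :fwadmin as root cmd /sbin/pfctl args -s rules
permit nopass :fwadmin as root cmd /sbin/pfctl args -s states

# Reloading the ruleset requires the user's own password and is logged.
permit :fwadmin as root cmd /sbin/pfctl args -f /etc/pf.conf

# One named admin may run pfctl with any arguments, still logged.
permit scott as root cmd /sbin/pfctl
```

`doas -C /etc/doas.conf pfctl -f /etc/pf.conf` parses the file and prints whether that exact command would be permitted, without running it. On a default OpenBSD syslog.conf the authpriv entries land in /var/log/secure. As the reply notes, this only establishes accountability if the people running pfctl have no other path to root; otherwise they can simply bypass doas.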
when used pfctl should log any changes to state of FW
I have been working with OpenBSD since 2.6, have deployed it in many roles. Have hacked authpf to have authpfnoip with ip functionality (there is a reason!). So I have some experience with the OS... mostly as an implementer/admin, not a dev type.

Motivation: I am configuring a 'segregating' OpenBSD based firewall that I want to maximize the auditability/accountability on/for.

Question/Suggestion: So why does pfctl not appear to (I could not find a command line option - nor previous request) log to syslog every command (who when what exit status) that changes anything within the pf context such as: rules, table contents, states? I don't want the detailed changes that may occur within pf - just establishing accountability.

Scott Donaldson