Re: when used pfctl should log any changes to state of FW

2017-11-24 Thread Kenneth Gober
On Tue, Nov 21, 2017 at 1:21 PM, S. Donaldson wrote:
> So why does pfctl not appear to (I could not find a command line option - nor
> previous request) log to syslog every command (who when what exit status)
> that changes anything within the pf context such as: rules, table contents,
> states?

pfctl doesn't do this because it is so easily evaded.  Anyone with the
access to run pfctl also has the access to compile their own version
with logging disabled.  The only way to prevent this is to deny people
root access, and once you have done that there are far easier ways to
log who is doing what, for example doas(1).

-ken
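To make the doas(1) route concrete, here is an added example (not from either poster): a doas.conf rule that permits pfctl without the "nolog" option, so doas itself records the who/when/what to syslog, and a small POSIX sh filter that pulls the state-changing pfctl calls out of those log lines. The group name "fwadmin", the user names and the log lines are constructed for the example; the sample lines follow the shape of doas' own syslog messages.

```shell
#!/bin/sh
# Added example, not from the thread. doas logs every permitted or refused
# command to syslog (authpriv, /var/log/secure on OpenBSD) unless the rule
# says "nolog", so this rule already yields an audit trail for pfctl.
# "fwadmin" is an assumed group name.
DOAS_RULE='permit fwadmin as root cmd /sbin/pfctl'

# Constructed sample log lines. The "-s rules" call is read-only and the
# sshd line is unrelated noise; both should be ignored by the filter.
SAMPLE_LOG='Nov 24 09:12:01 fw doas: scott ran command /sbin/pfctl -f /etc/pf.conf as root from /home/scott
Nov 24 09:13:17 fw doas: scott ran command /sbin/pfctl -s rules as root from /home/scott
Nov 24 09:15:42 fw doas: scott ran command /sbin/pfctl -t badhosts -T add 192.0.2.7 as root from /home/scott
Nov 24 09:16:05 fw doas: command not permitted for intern: /sbin/pfctl -F all
Nov 24 09:20:00 fw sshd[1234]: Accepted publickey for scott from 192.0.2.10'

# pf_changes: read syslog lines on stdin, print "timestamp user status cmd"
# for each doas-mediated pfctl call whose flags modify rules, tables or
# states (-f load, -F flush, -T table edit, -k kill states, -d/-e
# disable/enable). Show-only calls (-s) and non-doas lines are skipped.
pf_changes() {
    while IFS= read -r line; do
        case "$line" in
        *" doas: "*" ran command /sbin/pfctl"*)
            status=ok
            user=${line#* doas: }; user=${user%% *}
            cmd=${line#* ran command }; cmd=${cmd% as *}
            ;;
        *" doas: command not permitted for "*": /sbin/pfctl"*)
            status=DENIED
            user=${line#* not permitted for }; user=${user%%:*}
            cmd=${line#* not permitted for *: }
            ;;
        *) continue ;;
        esac
        case " $cmd " in
        *" -f "*|*" -F "*|*" -T "*|*" -k "*|*" -d "*|*" -e "*) ;;
        *) continue ;;
        esac
        rest=${line#* * * }                 # drop the three timestamp fields
        stamp=${line%" $rest"}
        printf '%s %s %s %s\n' "$stamp" "$user" "$status" "$cmd"
    done
    return 0
}

printf 'doas.conf rule: %s\n\n' "$DOAS_RULE"
printf '%s\n' "$SAMPLE_LOG" | pf_changes
```

The trail is only as good as the restriction behind it: it holds when pfctl can only be reached through doas, which is exactly the "deny root access first" point above.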


when used pfctl should log any changes to state of FW

2017-11-21 Thread S. Donaldson
I have been working with OpenBSD since 2.6, have deployed it in many roles.
Have hacked authpf to have authpfnoip with ip functionality (there is a
reason!).
So I have some experience with the OS...mostly as an implementer/admin not a
dev type.

Motivation:
I am configuring a 'segregating' OpenBSD based firewall that I want to
maximize the auditability/accountability on/for.

Question/Suggestion:
So why does pfctl not appear to (I could not find a command line option - nor
previous request) log to syslog every command (who when what exit status)
that changes anything within the pf context such as: rules, table contents,
states?

I don't want the detailed changes that may occur within pf - just establishing 
accountability.

Scott Donaldson