PF Logging


PF can be set up to log every packet that it processes, through the "log" keyword of the packet filter rules. Without additional setup, however, those logs go nowhere. You need to start the log capturing program, pflogd(8), to write the log to /var/log/pflog.

If you start PF at boot in /etc/rc.conf, pflogd(8) is automatically started. Otherwise, you will need to start it on the command line. While pflogd(8) has several possible command-line arguments, for the most part you can simply run this:

 # pflogd 

One thing to remember is that if you are using stateful inspection, only the first packets that send a connection into the state table are logged. Further packets in the same data stream are not logged. If you want to log all packets in a connection created by stateful inspection, you must use the "log-all" keyword instead of "log" in the rule.

Logging is especially useful when troubleshooting connection problems. If packets are being blocked when you think they should be passed, you can easily add "log" keywords to your "block" statements and see which rule is stopping the traffic.

Logs can also be quite large, however, and you may not want to log everything. Perhaps you don't care what websites your users visit, but only care about incoming traffic. Some traffic may not make sense to log or be impossible to log. For example, any network I build has a standalone logging host, where all systems transmit all their logs for centralized management. If you log all traffic coming from your logging host, including the log messages, you will quickly find that PF is logging the transmission of the logs, and then logging the messages logging the transmissions of the logs, and pretty quickly you will be a very unhappy network administrator with a lot of very repetitive logs on your hands!
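The rules below are an added example of the logging choices just described, not a fragment from the book. They show a "block" rule that logs every dropped packet, a stateful "pass" rule that logs only the state-creating packet, a "log-all" rule that logs every packet of a session, and a "quick" rule that keeps the syslog stream to the central log host out of the log entirely. The interface name fxp0, the addresses, the ports and the rule order are assumptions for illustration; the spelling "log-all" follows this chapter (current OpenBSD releases write it as "log (all)").

```pf
# Added example, not from the book. Interface, addresses and ports are
# assumed values for illustration.
ext_if  = "fxp0"
loghost = "192.168.1.10"

# Never log the syslog stream to the central log host: PF would otherwise
# log the transmission of its own log messages, and the logs of those
# messages, and so on. "quick" makes this the final decision for that
# traffic, so no later rule carrying "log" can match it.
pass out quick on $ext_if proto udp from any to $loghost port 514 keep state

# Log every inbound packet this rule drops. With "log" on a block rule,
# tcpdump -r /var/log/pflog shows the rule number that stopped the traffic.
block in log on $ext_if all

# Stateful pass with "log": only the packet that creates the state table
# entry (the initial SYN) is written to the log; later packets of the
# same connection are matched by state and not logged.
pass in log on $ext_if proto tcp from any to $ext_if port 22 keep state

# Stateful pass with "log-all": every packet of the session is logged.
# Use this sparingly; on a busy service it fills /var/log/pflog quickly.
pass in log-all on $ext_if proto tcp from any to $ext_if port 25 keep state
```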

Reading PF Logs

PF logs its data in tcpdump(8) format, allowing the systems administrator to examine the data through this standard systems administration tool. The tcpdump included in OpenBSD has been modified slightly to recognize the PF-specific fields included in a logged packet.

 # tcpdump -n -e -ttt -r /var/log/pflog 
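When the question is simply "which rule is dropping these packets, and from where", the tcpdump output above can be reduced to a short summary. The script below is an added example, not part of the book or of OpenBSD; it parses the "rule N/(match) block in on IF:" prefix that OpenBSD's tcpdump prints for pflog records (the older "rule N/0(match):" spelling is accepted too) and counts blocked packets by rule number, source address and destination port. The sample lines are constructed for the example, with addresses from documentation ranges; on a real system the lines come from "tcpdump -n -e -ttt -r /var/log/pflog". IPv6 endpoints are not handled.

```python
import re
from collections import Counter

# Prefix tcpdump prints for each pflog record. Both the older
# "rule 2/0(match): block in on fxp0:" and the newer
# "rule 2/(match) block in on fxp0:" spellings are accepted.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?:\d+)?\(match\):? "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>[^:\s]+): "
    r"(?P<src>\S+) > (?P<dst>\S+?):"
)

# Constructed sample of "tcpdump -n -e -ttt -r /var/log/pflog" output.
# The addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "Jan 04 10:12:01.412345 rule 2/(match) block in on fxp0: "
    "203.0.113.7.4421 > 198.51.100.2.22: S 1234:1234(0) win 16384 <mss 1460> (DF)",
    "Jan 04 10:12:01.912345 rule 2/(match) block in on fxp0: "
    "203.0.113.7.4422 > 198.51.100.2.23: S 1235:1235(0) win 16384 <mss 1460> (DF)",
    "Jan 04 10:12:03.000001 rule 5/(match) pass in on fxp0: "
    "192.0.2.9.51000 > 198.51.100.2.80: S 99:99(0) win 65535 <mss 1460> (DF)",
    "Jan 04 10:12:04.500000 rule 2/(match) block in on fxp0: "
    "203.0.113.8.1025 > 198.51.100.2.22: S 77:77(0) win 5840 <mss 1460> (DF)",
    "Jan 04 10:12:05.000000 rule 0/0(match): block in on fxp0: "
    "198.51.100.200.137 > 198.51.100.255.137: udp 50",
    "Jan 04 10:12:06.250000 rule 2/(match) block in on fxp0: "
    "203.0.113.7.4423 > 198.51.100.2.22: S 1236:1236(0) win 16384 <mss 1460> (DF)",
]


def split_host_port(endpoint):
    """'203.0.113.7.4421' -> ('203.0.113.7', 4421).

    tcpdump appends the port as a fifth dotted component. An endpoint
    without a port (ICMP, for example) is returned unchanged with None.
    """
    host, sep, port = endpoint.rpartition(".")
    if sep and host.count(".") == 3 and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_line(line):
    """Return the pflog fields of one tcpdump line, or None if it is not one."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    src_ip, src_port = split_host_port(m.group("src"))
    dst_ip, dst_port = split_host_port(m.group("dst"))
    return {
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "dir": m.group("dir"),
        "ifname": m.group("ifname"),
        "src": src_ip, "sport": src_port,
        "dst": dst_ip, "dport": dst_port,
    }


def summarize_blocks(lines):
    """Count blocked packets per (rule number, source address, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "block":
            counts[(rec["rule"], rec["src"], rec["dport"])] += 1
    return counts


def report(lines, limit=10):
    """Print the most frequently blocked (rule, source, port) combinations."""
    for (rule, src, dport), n in summarize_blocks(lines).most_common(limit):
        print(f"rule {rule:>3}  {src:<16} -> port {dport}  blocked {n} packet(s)")


if __name__ == "__main__":
    # Read real output with: tcpdump -n -e -ttt -r /var/log/pflog | python3 this.py
    import sys
    report(SAMPLE_LOG if sys.stdin.isatty() else sys.stdin)
```

Run stand-alone it summarizes the constructed sample; piped tcpdump output is summarized instead. A pass line is parsed but excluded from the block summary, and a line that is not a pflog record is skipped.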

The tcpdump(8) program can be difficult to use and certainly doesn't look friendly. If you don't feel like parsing all the output tcpdump(8) will produce, install Ethereal (/usr/ports/net/ethereal). The port also recognizes the additional fields stored in a logged packet and will greatly simplify the log evaluation process.

 # ethereal -r /var/log/pflog 

Real-Time Log Access

The entries in /var/log/pflog are not added in real time; pflogd(8) buffers its input until it thinks it's worth writing a log message. If you want to see PF act in real time, attach tcpdump(8) or Ethereal to the pflog(4) interface with the "-i" flag to either command.

 # ethereal -i pflog0 

Congratulations! While PF contains enough features to fill most of a book, the last three chapters should get you started with just about anything you want to do with it. At this point you should know what you need to know to run OpenBSD.




Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298