Once enabled, if pf is configured to log, it will use the
pflog0 pseudo-device to log packets in libpcap format. This means that trusty tcpdump can be used to view your firewall logs in real time, like so:
[root@phat /var/log]# tcpdump -n -tttt -e -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
2008-03-05 20:40:30.293906 rule 12/0(match): pass in on sis0: 192.168.226.140.24951 > 192.168.1.100.22: S 657096168:657096168(0) win 64512 <mss 1460,nop,nop,sackOK>
2008-03-05 20:40:30.322713 rule 13/0(match): pass out on sis0: 192.168.1.100.58585 > 192.168.1.1.53: 47450+[|domain]
If you want to read an existing pf log file rather than watching in real time, use the same arguments to
tcpdump as you would normally use to read a pcap file. In this example, I'm specifically looking for blocked igmp traffic:
[root@phat /var/log]# tcpdump -n -tttt -e -r pflog.0 igmp|head -5
reading from file pflog.0, link-type PFLOG (OpenBSD pflog file)
2008-03-05 19:00:52.405159 rule 2/0(match): block in on sis0: 10.1.49.2 > 224.0.0.1: igmp query v2
2008-03-05 19:01:26.748751 rule 2/0(match): block in on sis0: 10.1.49.2 > 224.0.0.1: igmp query v2
2008-03-05 19:03:01.698925 rule 2/0(match): block in on sis0: 10.1.49.2 > 224.0.0.1: igmp query v2
2008-03-05 19:03:36.042609 rule 2/0(match): block in on sis0: 10.1.49.2 > 224.0.0.1: igmp query v2
2008-03-05 19:05:11.018437 rule 2/0(match): block in on sis0: 10.1.49.2 > 224.0.0.1: igmp query v2
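Once the log is in the text form shown above, the pflog header that -e prints (rule number, action, direction, interface) makes it easy to summarize what the firewall is blocking and from whom. The following is an added example, not code from the post, that parses that tcpdump line format and counts blocked packets per rule and source; it assumes the exact output layout shown above, handles IPv4 endpoints only, and the sample log it runs on is constructed (partly from the lines in the post, plus one invented block from 203.0.113.9 and a banner line the parser must skip).

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -tttt -e` output from a pflog file, modelled on the
# lines shown in the post; it is not a capture from a real system. The trailing line
# mimics tcpdump's "reading from file" banner, which the parser must skip.
SAMPLE_LOG = """\
2008-03-05 20:40:30.293906 rule 12/0(match): pass in on sis0: 192.168.226.140.24951 > 192.168.1.100.22: S 657096168:657096168(0) win 64512 <mss 1460,nop,nop,sackOK>
2008-03-05 20:40:30.322713 rule 13/0(match): pass out on sis0: 192.168.1.100.58585 > 192.168.1.1.53: 47450+[|domain]
2008-03-05 19:00:52.405159 rule 2/0(match): block in on sis0: 10.1.49.2 > 224.0.0.1: igmp query v2
2008-03-05 19:01:26.748751 rule 2/0(match): block in on sis0: 10.1.49.2 > 224.0.0.1: igmp query v2
2008-03-05 19:03:01.698925 rule 2/0(match): block in on sis0: 10.1.49.2 > 224.0.0.1: igmp query v2
2008-03-05 19:05:11.018437 rule 5/0(match): block in on sis0: 203.0.113.9.40001 > 192.168.1.100.22: S 1:1(0) win 1024
reading from file pflog.0, link-type PFLOG (OpenBSD pflog file)
"""

# One tcpdump line on a PFLOG link: timestamp, the pflog header that -e prints
# (rule number, sub-rule, reason, action, direction, interface), then the packet summary.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<summary>.*)$"
)


def split_host_port(endpoint):
    """Split tcpdump's dotted IPv4 'host.port' form; IPv4 only (IPv6 endpoints are not handled here)."""
    parts = endpoint.split(".")
    if len(parts) == 5:          # a.b.c.d.port  (TCP/UDP)
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None        # a.b.c.d       (IGMP, ICMP, ...)


def parse_pflog_line(line):
    """Return a dict of fields for one pflog tcpdump line, or None if the line is not a packet record."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    src_host, src_port = split_host_port(m.group("src"))
    dst_host, dst_port = split_host_port(m.group("dst"))
    return {
        "ts": m.group("ts"),
        "rule": int(m.group("rule")),
        "reason": m.group("reason"),
        "action": m.group("action"),
        "direction": m.group("direction"),
        "iface": m.group("iface"),
        "src_host": src_host, "src_port": src_port,
        "dst_host": dst_host, "dst_port": dst_port,
        "summary": m.group("summary"),
    }


def parse_pflog_text(text):
    """Parse every packet record in a block of tcpdump output, silently skipping banner lines."""
    records = (parse_pflog_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def blocked_by_rule_and_source(records):
    """Count blocked packets per (rule number, source host): which rules fire, and for whom."""
    return Counter((r["rule"], r["src_host"]) for r in records if r["action"] == "block")


def noisy_blocked_sources(records, threshold):
    """Source hosts with at least `threshold` blocked packets, most frequent first."""
    per_source = Counter(r["src_host"] for r in records if r["action"] == "block")
    hits = [(host, n) for host, n in per_source.items() if n >= threshold]
    return sorted(hits, key=lambda hn: (-hn[1], hn[0]))


if __name__ == "__main__":
    recs = parse_pflog_text(SAMPLE_LOG)
    for (rule, host), n in sorted(blocked_by_rule_and_source(recs).items()):
        print(f"rule {rule:>3}  {host:<16} blocked {n}")
    print("noisy sources (>=3 blocks):", noisy_blocked_sources(recs, 3))
```

To run it against a real log, replace SAMPLE_LOG with the text piped from `tcpdump -n -tttt -e -r pflog.0` (or read sys.stdin). The banner check matters in practice: tcpdump writes its "reading from file" line to the same stream, and a stricter parser would otherwise choke on it.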