When you run pf with a default policy of block log all, you will quickly find /var/log/pflog filling up with, for example, DHCP traffic and NetBIOS broadcasts.
To keep this file clean and manageable, you can use a simple technique. To understand it you have to keep in mind two characteristics of pf that are described in pf.conf(5):
Code:
For each packet processed by the packet filter, the filter rules
are evaluated in sequential order, from first to last.
For block and pass, the last matching rule decides what action is
taken; if no rule matches the packet, the default action is to pass
the packet without creating a state.
For match, rules are evaluated every time they match; the pass/block
state of a packet remains unchanged.
This snippet describes the "last matching rule wins" evaluation that pf uses by default: every rule in the ruleset is evaluated for every packet, and whichever matching block or pass rule comes last decides the fate of the packet.
Code:
quick If a packet matches a rule which has the quick option set, this
rule is considered the last matching rule, and evaluation of
subsequent rules is skipped.
So quick is the exception to "last matching rule wins": a matching quick rule ends evaluation on the spot, and no later rule (pass or block) gets a say.
By inserting a block quick rule without log before the default block log all policy, the unwanted traffic is blocked and evaluation stops at that rule, so the logging policy never sees those packets. All other traffic still reaches block log all and is blocked and logged as before. Keep in mind that a quick rule also ends evaluation for any pass rules that follow it, so only silence traffic you never want to pass, and check the hit counters with pfctl -vsr to confirm the quick rules are actually absorbing the noise.
Some practical examples of applying this technique:
- While cleaning a spam-sending webserver, I disabled all outgoing mail attempts in the pf.conf. Because no mail could go out, it would accumulate in the mail spool for investigation.
To prevent these mail attempts from showing up in /var/log/pflog, the following quick rule was used (the rule matches packets sourced from the address of $ext_if, so if the MTA sends from another address the source has to be adjusted accordingly):
Code:
# --- DEFAULT POLICY
# --- silently drop this host's own outgoing mail attempts (blocked, but not logged)
block quick on $ext_if inet proto tcp from $ext_if to any port smtp
# --- everything else is blocked and logged
block log all
- Keeping DHCP traffic and NetBIOS broadcasts out of the log (these rules name no interface or direction, so they match in both directions on every interface):
Code:
# --- block but don't log some log polluters
block quick inet proto udp from any to any port { netbios-ns, netbios-dgm }
block quick inet proto udp from any to any port { bootps, bootpc }
# --- block and log all other traffic ----
block log all
# ---- end of pf.conf ----
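As an added example that is not part of the original post, here is a complete minimal pf.conf that ties the fragments above together for a single-interface host. The interface name em0, the set of services passed in, and the choice to hold back outgoing mail are assumptions for illustration only:

```pf
# Added example (not from the original post): complete minimal pf.conf
# demonstrating "block quick" without log in front of "block log all".
# em0 and the passed services are assumptions for illustration.
ext_if = "em0"

# UDP ports that tend to fill the log: NetBIOS name/datagram service and DHCP.
noisy_udp = "{ netbios-ns, netbios-dgm, bootps, bootpc }"

set skip on lo0

# --- Silent drops. "quick" ends evaluation here, so the logging
#     default policy below never sees these packets.
block quick inet proto udp from any to any port $noisy_udp

# This host's own outgoing SMTP, e.g. while mail is held in the spool for
# investigation. Because the rule is "quick", the later "pass out" rule
# can never override it.
block quick on $ext_if inet proto tcp from ($ext_if) to any port smtp

# --- Default policy: everything not matched by a later pass rule is
#     blocked and written by pflogd to /var/log/pflog.
block log all

# --- Pass rules. With "last matching rule wins" these override the default
#     policy for the traffic they match, so they need no "quick".
pass in  on $ext_if inet proto tcp from any to ($ext_if) port { ssh, http, https } flags S/SA keep state
pass in  on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq
pass out on $ext_if inet from ($ext_if) to any keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it (parse only, nothing is changed), load it with pfctl -f /etc/pf.conf, and then watch pfctl -vsr: the hit counters on the two block quick rules should climb while the counter on block log all stays low. What still reaches the log can be followed live with tcpdump -n -e -ttt -i pflog0, or read back from the binary file with tcpdump -n -e -ttt -r /var/log/pflog. If you prefer the layout of the second snippet above, with block log all as the very last rule, every pass rule placed before it must itself carry quick, otherwise the default policy is the last match and wins.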