DaemonForums  

Go Back   DaemonForums > Miscellaneous > Guides

Guides All Guides and HOWTO's.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 4th February 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,154
Thanked 182 Times in 149 Posts
Default Keeping your /var/log/pflog file clean and managable

When you use pf with a default policy of block log all you will quickly find the /var/log/pflog being filled with for example DHCP traffic and NetBIOS broadcasts.

To keep this file clean and managable, you can use a simple technique. To understand this method you have to keep in mind the two characteristics of pf that are mentioned in pf.conf(5):
  1. Code:
    For each packet processed by the packet filter, the filter rules
    are evaluated in sequential order, from first to last.
    
    For block and pass, the last matching rule decides what action is
    taken; if no rule matches the packet, the default action is to pass
    the packet without creating a state.
    
    For match, rules are evaluated every time they match; the pass/block
    state of a packet remains unchanged.
    This snippet explains the "last applicable rule wins" strategy that is used by default.
  2. Code:
    quick   If a packet matches a rule which has the quick option set, this
            rule is considered the last matching rule, and evaluation of
            subsequent rules is skipped.
    So quick makes an exception to the "last applicable rule wins" strategy.

By inserting a block quick without log, before the default block log all policy, we block the unwanted traffic. Any other traffic will be blocked but also logged.

Some practical examples of applying this technique:
  1. While cleaning a spam sending webserver, I disabled all outgoing mail attempts in the pf.conf. Because no mail could go out, it would accumulate in the mail spool for investigation.
    To prevent these mail attempts from showing up in the /var/log/pflog the following quick rule was used.

    Code:
    # --- DEFAULT POLICY
    # --- prevent own mail attempts from being logged
    block quick on $ext_if  inet proto tcp from $ext_if to any port smtp
    block log all
  2. Preventing DHCP traffic and NetBIOS junk:

    Code:
    # --- block and log all other traffic  ----
    
    # block but don't log some log polluters
    block quick inet proto udp from any to port {netbios-ns, netbios-dgm }
    block quick inet proto udp from any to port { bootps,bootpc }
    block log all
    
    # ---- end of pf.conf ----
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 4th February 2014 at 10:56 PM.
Reply With Quote
  #2   (View Single Post)  
Old 5th February 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,154
Thanked 182 Times in 149 Posts
Default

Question

Would the second example still work if the order of the rules are reversed?
Code:
# block but don't log some log polluters
block log all
block quick inet proto udp from any to port {netbios-ns, netbios-dgm }
block quick inet proto udp from any to port { bootps,bootpc }
Please motivate your answer and if possible show an example pflog log file as proof
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 8th February 2014
Nat_RH Nat_RH is offline
New User
 
Join Date: Jun 2008
Posts: 2
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by J65nko View Post
Question

Would the second example still work if the order of the rules are reversed?
Code:
# block but don't log some log polluters
block log all
block quick inet proto udp from any to port {netbios-ns, netbios-dgm }
block quick inet proto udp from any to port { bootps,bootpc }
Yes it would, as the evaluation will select the last rule that exactly matches. In this case if the packets were not those mentioned in the block quick statements, then the block log all would match.

It evaluates from top to bottom but still uses the rule that matches exactly unless the block quick is used, which says stop evaluating if it matches.
Reply With Quote
  #4   (View Single Post)  
Old 8th February 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,154
Thanked 182 Times in 149 Posts
Default

You get an award of 10 stars
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Reply

Tags
packet filter, pf firewall, pf.conf, pflog

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
How to force a file system clean? Quaxo OpenBSD General 21 24th July 2011 09:24 PM
Keeping /var/log/pflog clean from NetBIOS and SSID junk J65nko General software and network 1 26th April 2010 02:12 PM
pflog not logging. bsdnewbie999 OpenBSD General 9 13th March 2009 11:19 PM
Why PFLOG can't LOG anything????? chamnanpol FreeBSD General 1 18th June 2008 07:09 PM


All times are GMT. The time now is 11:34 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick