pflog not logging.
Why does my pflog not log? I have done the pf configuration and logging as described in the OpenBSD FAQ page, but nothing is logged in the pflog file. Why?
Here it is.
Code:
# Macros
int_if="vic0"

#scrub
scrub in all

# Filtering rules
pass in on $int_if proto tcp from any to $int_if port www
pass out on $int_if proto tcp from $int_if to any port www
block in log quick on $int_if proto tcp from any to any port ssh flags S/SA

#Antispoof
antispoof log for $int_if inet

#Unicast reverse path forwarding
block in log quick from urpf-failed label uRPF

#Passive operating system fingerprinting
pass in log on $int_if from any os OpenBSD keep state
block in log on $int_if from any os "Windows 2000"
block in log on $int_if from any os "Windows XP"
block in log on $int_if from any os "Windows XP SP1"
block in log on $int_if from any os "Windows XP SP2"
block in log on $int_if from any os "Windows xP SP3"
block in log on $int_if from any os "Windows 98"
block in log on $int_if from any os "Windows NT"
block in log on $int_if from any os "Linux 2.4 ts"
block in log on $int_if from any os unknown

# return
block return

#Block ICMP redirect packets
block in log quick on $int_if inet proto icmp from any to $int_if
block in log quick on $int_if inet proto icmp from any to $int_if icmp-type redir

#Block SMTP(simple mail transfer protocol)
block in log quick on $int_if inet proto tcp from any to $int_if port smtp

#pass out UDP and ICMP
pass out on $int_if inet proto udp all keep state
pass out on $int_if inet proto icmp from $int_if to any keep state

#Block everything
block return-rst in log quick on $int_if inet proto tcp from any to $int_if
block return-icmp in log quick on $int_if inet proto udp from any to $int_if
block in quick on $int_if all

Last edited by bsdnewbie999; 12th March 2009 at 07:44 AM.
As an addendum, as I noted in http://daemonforums.org/showthread.php?t=2953#post21893 in the midst of your rules you have an unexplained "block return" which will match all packets, inbound or outbound, without logging. If no following rules match, this rule will be applied.
Can you give me any suggestions for my pf to start logging?
Thanks.
Your current rule set is not in any clear logical order, and some rules appear to have been found elsewhere and added, without an understanding of what the rule does. Some examples:
In order to understand how to use PF, you must read and understand the PF User's Guide. It is available in English, German, French, Italian, Dutch, Polish, and Portuguese.
Yes, you're right. I don't quite understand how pf works or the logical order of the rule sets. I printed the pf FAQ page, but it didn't specify how to arrange the rules in the correct order. I tried to google for resources on the Internet, but it is really hard to find one.
The purpose of my pf firewall is to secure my PC from some sort of attack.
Take a look at these two educational references for PF that ocicat mentioned in another thread earlier today:
http://www.daemonforums.org/showthre...2956#post21913
These may be helpful.
Quote:
Knowledge of our networking applications is key. For instance, let us pretend that you have decided to start ftpd(8), and run an ftp server. It is not enabled in the default install. So you enable it, either in inetd.conf(5) or in rc.conf.local(5). Some of the most obvious attack vectors to consider:
Will PF help? Perhaps. I might use PF to limit FTP client access from a particular set of IP addresses or network blocks, or I might use state table management to set limits on anonymous FTP connections. FTP is a good example. To use PF to allow (or deny) FTP, the admin needs to know the protocol it uses, and the ports. If you elect to offer an FTP service ... do you know it uses different ports depending on whether "Active FTP" or "Passive FTP" is used? Do you know it uses a range of high port numbers for data channels? And that the initiator of the data backchannel may be the client or the server, depending on Active/Passive FTP? On to your next network application....
jggimi really hit the nail on the head. It's going to take a well-thought-out plan and an understanding of your needs and vulnerabilities, as well as a better understanding of pf and OpenBSD, before you can start to appreciate the security it can provide.
I would personally start small. Instead of putting in a bunch of rules you may not fully understand, start by learning how to do one thing. For instance, figure out how to block ssh (port 22) but allow everything else. As you learn things, figure out ways to test your changes to see whether they are actually working as expected. Do your homework and ask questions here... it's not like we're holding back.
__________________
Network Firefighter
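A minimal ruleset along the lines of the advice above (block ssh, log it, allow everything else), with the ordering mistake from the posted pf.conf shown in a comment so the reason pflog stayed empty is visible. This is an added example, not the poster's file or anything from the OpenBSD FAQ; the interface name vic0 is taken from the poster's macro and is an assumption.

```conf
# /etc/pf.conf -- added example, not the poster's ruleset.
# Assumption: the same interface name as the poster's macro.
int_if = "vic0"

# Loopback traffic never needs filtering; without this a default
# block rule also drops lo0 packets and local services break.
set skip on lo0

# Default deny, LOGGED. pf applies the last matching rule unless a
# rule says "quick", so the catch-all goes first and every rule that
# follows is an exception to it.
block log all

# What the posted ruleset did, and why nothing reached pflog:
#   block in log on $int_if from any os "Windows XP"   # logged, no quick
#   block return                                       # unlogged, matches all
# For a packet that matches both, "block return" is the last match, so
# it decides the verdict and the earlier rule's "log" never fires.

# The host's own outbound connections, with state so replies come back.
pass out on $int_if keep state

# The one thing to learn first: refuse inbound ssh, log it, and stop
# evaluation here ("quick") so no later rule can quietly override it.
block return in log quick on $int_if proto tcp from any to $int_if port ssh

# Everything else inbound is allowed for now; tighten this once the
# log shows what actually arrives.
pass in on $int_if keep state
```

To check it: `pfctl -nf /etc/pf.conf` parses the file without loading it, then `pfctl -f /etc/pf.conf` loads it. `/var/log/pflog` is a pcap capture written by pflogd(8), not a text file, so read it with `tcpdump -n -e -ttt -r /var/log/pflog`, or watch live with `tcpdump -n -e -ttt -i pflog0`. Then try `ssh` to the box from another host and run `pfctl -vsr`: the per-rule packet counters show whether the logged ssh rule matched at all, which separates "pf is not matching" from "pflogd is not writing".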