Log ftp packet on PF with ftp-proxy on
Hello,
I'm trying to log FTP connections coming from the WAN to an FTP server through my PF, which has ftp-proxy set on. FTP connections are all ruled like this:
Code:
rdr pass on $ext_if proto tcp from <adminssh> to $crt_lr port 21 -> 127.0.0.1 port 8021
Code:
pass in log on $ext_if proto tcp from any port 21 to <filtre_ftp> label filtreftp
I launch a pflogd this way:
Code:
pflogd -s 116 -i pflog0 -f /var/log/pflog.ftp ruleset filtreftp
Code:
tcpdump -ttt -e -r /var/log/pflog.ftp
Am I right? I'm not very familiar with PF (2 weeks practicing). Forgive me if I made some English errors or if I'm not very clear. Thanks.
|||
Because ftp-proxy creates pf rules "on the fly", or dynamically, you cannot have pf log the way you tried.
A very simple way to do this logging is using the -v or -vv flag. From the ftp-proxy man page:
Code:
-v      Set the 'log' flag on pf rules committed by ftp-proxy. Use twice to set the 'log-all' flag. The pf rules do not log by default.
Code:
-D level
        Debug level, ranging from 0 to 7. Higher is more verbose. The default is 5. (These levels correspond to the syslog(3) levels.)
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
|||
Thanks for your answer!
ftp-proxy -v doesn't seem to be working, but the -D 7 flag is working perfectly. I can see the source and destination of the connections. Do you have any idea how I can filter this rule to only log a table (of IPs) declared in pf.conf? I may have hundreds of IPs and only need to log about 20. Where is the rule logged when launching ftp-proxy -v? pflog? Should my rule look like this?
Code:
pass log on $ext_if proto tcp from any user proxy
|||
RE: starting ftp-proxy and passing -v option to
You can enable ftp-proxy in /etc/rc.conf.local by adding
Code:
ftpproxy_flags="-v -D7"
Depending on what exactly you want to log, you may not need to make a rule with logging. ftp-proxy dynamically attaches rules to the NAT and RDR anchors. Please refer to http://www.openbsd.dk/faq/pf/ftp.html#natserver for an example. See http://www.openbsd.dk/faq/pf/anchors.html for more info about anchors.
RE: table defined logging
I don't think you can do that with the pre-fabricated rules that ftp-proxy attaches to the anchors. Because of a house move my network lab is still unpacked in the garage, else I would try to figure it out for you.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
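Added example (not part of the thread and not any poster's code): for the table-limited logging asked about above, one option is to log everything and filter the output afterwards. The script keeps only lines, from either `tcpdump -r` text output or ftp-proxy syslog messages, that mention an address covered by a pf table file. The table contents, the sample lines and their exact layout are constructed assumptions, and table entries are assumed to be numeric addresses or CIDR blocks.

```python
import ipaddress
import re

# IPv4 token not preceded by a digit or dot, so the "addr.port" form that
# tcpdump prints (198.51.100.9.51234) still yields the address 198.51.100.9.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}")

def load_table(text):
    """Parse pf table file contents: one address or CIDR per line, '#' comments."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry or entry.startswith("!"):
            continue  # skip blank lines and negated entries
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def addresses(line):
    """Return every valid IPv4 address that appears in a log line."""
    found = []
    for token in IPV4.findall(line):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            pass  # e.g. 999.1.1.1 looks like an address but is not one
    return found

def filter_lines(lines, nets):
    """Keep only lines mentioning at least one address covered by the table."""
    return [ln for ln in lines
            if any(a in n for a in addresses(ln) for n in nets)]

# Constructed sample data (not taken from the thread).
TABLE = """\
# hosts whose FTP sessions should be kept
192.0.2.10
198.51.100.0/28
"""
SAMPLE = [
    "Jan 01 10:00:01 fw ftp-proxy[4242]: #1 client 192.0.2.10 to server 10.0.0.5",
    "Jan 01 10:00:07 fw ftp-proxy[4242]: #2 client 203.0.113.77 to server 10.0.0.5",
    "rule 0/(match) pass in on em0: 198.51.100.9.51234 > 10.0.0.5.21: S",
    "rule 0/(match) pass in on em0: 198.51.100.99.40000 > 10.0.0.5.21: S",
]

if __name__ == "__main__":
    print("\n".join(filter_lines(SAMPLE, load_table(TABLE))))
```

In practice the `lines` argument would be the text output of the `tcpdump -ttt -e -r` command from the first post, or the syslog file that receives the ftp-proxy messages.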