> On Sun, May 14, 2006 at 09:39:28PM +1000, Darren Reed wrote:
> > I believe this does what you want:
> > pass in log on foo0 proto tcp all flags S keep state
>
> That does what I want, thank you!
>
> I notice that ipfstat reports a high number in "log failures:". If I
> read NetBSD 3.0 correctly, ipl keeps up to 8 packets logged at once, and
> ipmon just isn't keeping up.
>
> I was hoping to use this for multiple things, most importantly a log of
> every NAT'ed TCP connection and UDP packet. It would also be nice to
> use it for accounting (ie: How many bytes did such-and-such machine
> transfer, and at what times, and to which other machines?) So I want to
> keep holes to an absolute minimum.
>
> Can you offer advice? I am not sure whether to increase the size of the
> log buffer, to use tcpdump instead, or to do something else altogether.

Try using:

    ipmon -o NS

instead of the rule above.

Darren
