ifconfig pflog1 create
touch /var/log/pfblocklog
pflogd -ipflog1 -f$_

pf.conf:

l = "log (to pflog1)"

block return $l
block ... $l

To keep the pfctl rule output readable, match and tag the packets
instead and have a single block + log rule (at the expense of no
"quick").

On Wed, Jul 20, 2011 at 3:39 AM, fqui nonez <fquinon...@gmail.com> wrote:
> Hello
>
> I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
> blocked packets, and send them to /var/log/pfblocklog to be read with
> tcpdump. What and where should be the rule?
>
> #       $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
> #
>
> set skip on lo
>
> ### Agregadas por mi: (added by me)
> block return
>
> pass in quick log on rl0 proto tcp from any to port 22
> pass out quick on rl0 to any
> pass in quick log on rl0 proto tcp from any to port 21
> pass in quick log on rl0 proto tcp from any to port 80
>
> ### Fin. (end)
>
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>
> pass            # to establish keep-state
>
> # By default, do not permit remote connections to X11
> block in on ! lo0 proto tcp to port 6000:6010
>
> Thanks for your attention.
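
One way to read the "match and tag" suggestion in the reply, written out as a pf.conf fragment for the services in the question. This is an added example, not a ruleset posted by anyone in the thread: the tag names DROP and OK are made up, the ftp-proxy anchor and rdr-to rule are left out, and rl0 and pflog1 are the names used above.

```pf
# Added example, not from the thread. Tag names DROP and OK are hypothetical.
# Assumes the setup from the reply has been done:
#   ifconfig pflog1 create; touch /var/log/pfblocklog
#   pflogd -i pflog1 -f /var/log/pfblocklog
# Read the blocked packets with:
#   tcpdump -n -e -ttt -r /var/log/pfblocklog

set skip on lo

# 1. Every packet starts out marked for dropping. A match rule never
#    decides pass/block itself; it only attaches the tag, and tags are
#    sticky even when the rule is not the last one to match.
match all tag DROP

# 2. Permitted traffic replaces the tag. No "quick" here: evaluation must
#    run to the end so later rules can still re-tag the packet.
#    These keep logging to the default pflog0, as in the question.
pass in  log on rl0 proto tcp from any to port { 21 22 80 } tag OK
pass out     on rl0                                         tag OK

# 3. More specific denials come after the pass rules and set the tag back.
match in on ! lo0 proto tcp to port 6000:6010 tag DROP

# 4. The single block + log rule. It is last, so it wins for everything
#    still tagged DROP, and it is the only rule that writes to pflog1.
block return log (to pflog1) tagged DROP
```

With this layout `pfctl -sr` shows the log option once, and a rule added later with "quick" above rule 4 would bypass the logging block, which is the cost the reply mentions.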
