On Tue, Nov 21, 2017 at 1:21 PM, S. Donaldson <[email protected]> wrote:
> So why does pfctl not appear to (I could not find a command line option - nor
> previous request)
> log to syslog every command (who when what exit status) that changes
> anything within
> the pf context such as : rules, table contents, states?
pfctl doesn't do this because it is so easily evaded. Anyone with the access to run pfctl also has the access to compile their own version with logging disabled. The only way to prevent this is to deny people root access, and once you have done that there are far easier ways to log who is doing what, for example doas(1).

-ken
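As an added example (not from the thread): the doas(1) approach Ken points to, with a hypothetical doas.conf that limits pfctl to the wheel group, and a small shell filter that pulls pfctl invocations (who, when, what, permitted or denied) out of the syslog lines doas writes. The log lines below are constructed for the example and modeled on doas's message shapes; the patterns assume that shape and should be adjusted to the local syslog format.

```sh
#!/bin/sh
# Hypothetical /etc/doas.conf: only wheel may run pfctl, as root. doas itself logs
# every permitted and refused invocation to syslog (authpriv), so the audit trail
# lives at the privilege boundary rather than inside pfctl.
#
#   permit persist :wheel as root cmd /sbin/pfctl
#   deny   :wheel as root cmd /sbin/pfctl args -d
#
# Constructed sample of the resulting syslog lines (same shape as doas's messages).
DOAS_LOG='Nov 21 13:25:01 fw doas: sdonaldson ran command /sbin/pfctl -f /etc/pf.conf as root from /home/sdonaldson
Nov 21 13:26:10 fw doas[4711]: sdonaldson ran command /sbin/pfctl -t badhosts -T add 192.0.2.7 as root from /home/sdonaldson
Nov 21 13:27:00 fw doas: command not permitted for mallory: /sbin/pfctl -d
Nov 21 13:28:00 fw doas: sdonaldson ran command /bin/ls as root from /home/sdonaldson'

# Read syslog lines on stdin; print "timestamp|user|ok-or-denied|command" for
# every pfctl invocation seen by doas, ignoring other commands.
pfctl_events() {
    awk '
    / doas(\[[0-9]+\])?: / && /pfctl/ {
        ts = $1 " " $2 " " $3
        line = $0
        sub(/^.* doas(\[[0-9]+\])?: /, "", line)      # drop the syslog prefix
        if (match(line, / ran command /)) {
            user = substr(line, 1, RSTART - 1)
            cmd = substr(line, RSTART + RLENGTH)
            sub(/ as [^ ]+ from .*$/, "", cmd)        # strip target user and cwd
            print ts "|" user "|ok|" cmd
        } else if (match(line, /^command not permitted for [^:]+: /)) {
            user = line
            sub(/^command not permitted for /, "", user)
            sub(/:.*$/, "", user)
            cmd = substr(line, RSTART + RLENGTH)
            print ts "|" user "|denied|" cmd
        }
    }'
}

# Usage: feed the constructed log (in practice: the authpriv log file) to the filter.
printf '%s\n' "$DOAS_LOG" | pfctl_events
```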
