On Sun, 02 Feb 2003 11:16:31 +0100 Cedric Berger <[EMAIL PROTECTED]> wrote:
> Marco Grigull wrote:
> >
> >On Sat, 1 Feb 2003 16:12:26 +0100
> >Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> >
> >>On Sat, Feb 01, 2003 at 04:14:32PM +0100, Cedric Berger wrote:
> >>
> >>>Marco Grigull wrote:
> >>>
> >>>>pass in log on $ext_if dup-to $dmz_if all
> >>>>
> >>>How's dmz_if defined? did you put the IP of your
> >>>loghost/IDS in there? If not, I think you should.
> >>>
> >>Yes, try this:
> >>
> >>    pass in log on $ext_if dup-to ($dmz_if 10.1.2.3) all
> >>
> >>replacing 10.1.2.3 with the IP address of your loghost.
> >>
> >this rule loads, though I cannot see all (or any) of the traffic that
> >would be viewable on ext_if with tcpdump. pflog reveals nothing either
> >
> Is this rule the LAST one that matches your input packets?
> Are you sure there is no "quick" rule before?
> Cedric

    # forward stuff to our loghost/IDS
    pass in log on $ext_if dup-to $dmz_if all
    pass out log quick on $dmz_if all
    block in log quick on $dmz_if all

These are the FIRST rules in the ruleset. I would think that the first line
makes a copy of all packets on ext_if to dmz_if, regardless of whether they
get blocked later or not. Or is that incorrect logic? I have tried a few
variations on the first rule to no avail.

The second rule should immediately push this out onto the dmz_if interface,
the third stopping any replies (icmp, whatever) coming back. All subsequent
rules define what can and can't happen on the ext_if, with a pass on
everything else.

Marco

PS. What happens to the logging of a packet that matches a rule further down
that doesn't specify logging? Is this interfering with the cloned packet in
any way? Should dup-to packets be explicitly logged when the log keyword is
used?
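The evaluation order Cedric is asking about, shown as an added pf.conf illustration that is not part of the thread: pf applies the options of the last rule that matches a packet, unless a rule marked quick ends evaluation early, so a dup-to attached to a non-quick rule at the top of the ruleset is overridden by any later rule that also matches. The interface names, the port 23 block rule and the loghost address (reusing the 10.1.2.3 placeholder from Daniel's suggestion) are constructed for this example.

```pf
ext_if  = "fxp0"        # constructed interface names
dmz_if  = "fxp1"
loghost = "10.1.2.3"    # placeholder, replace with the IDS address

# Ordering from the thread: dup-to on a non-quick pass rule at the top.
pass in log on $ext_if dup-to ($dmz_if $loghost) all
pass out log quick on $dmz_if all
block in log quick on $dmz_if all

# ... later in the ruleset (constructed example rule):
block in log on $ext_if proto tcp from any to any port 23

# A telnet SYN arriving on $ext_if matches both the first rule and the
# block rule above. Neither is quick, so the block rule is the LAST match
# and only its options apply: the packet is blocked and logged, but it is
# never duplicated, because dup-to belonged to the earlier, overridden rule.

# Attach dup-to to the rule that actually terminates evaluation for the
# traffic you want the IDS to see, rather than to a catch-all at the top.
pass in log quick on $ext_if proto tcp from any to any port 80 \
    dup-to ($dmz_if $loghost)
```

Adding quick to the original "pass in ... dup-to ... all" rule would make the mirror work, but it would also pass every inbound packet before the rest of the filter is consulted, which defeats the blocks that follow. Putting dup-to on each terminating rule keeps the filtering decision and the copy to the IDS on the same rule, and the log keyword on that same rule is what makes the packet appear on pflog.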
