On Wed, Feb 12, 2003 at 02:34:21PM -0600, pf-list wrote:

> For the life of me I couldn't figure out why my logs were filling so fast
> and yet there were only a few packets actually in them. When I listened
> to pflog0 I found 1000s of dhcp server broadcasts that were being blocked
> as per my ruleset (block that which I didn't request.)
>
> I analyze my logs by the following:
>
> tcpdump -ttt -n -e -r /var/log/pflog
>
> Yet the dhcp from port 67 to port 68 messages don't appear in my tcpdump
> of the log. The rule I ended up adding to stop the blocking of the
> packets is the following:
>
> pass in quick on xl0 proto udp from 10.33.160.1 port 67 to any port 68

I suppose you have a default policy of:

block in log all
block out log all

If this is the case, it is normal that you see those packets blocked _and_
logged. If you do want to block them (unnecessary traffic) but not log them,
change the 'pass' in the rule you've added to 'block'.

> But for some reason the tcpdump doesn't show the packets in /var/log/pflog

By default, newsyslog(8) is configured to rotate the 'pflog' file when it
reaches a given size (250 KB by default, methinks). So if you have lots of
packets, your file gets big more quickly. As a result, maybe the file you
are looking at has just been rotated. Try to look at the other
/var/log/pflog.x.gz files.

cheers.

-- 
Saad Kadhi -- [[EMAIL PROTECTED]] [[EMAIL PROTECTED]]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63 65EB 34F1 DBBF 3559 2A6D]
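The two things the reply points at, the ruleset choice and the rotated pflog files, as an added example that is not part of the original thread and not OpenBSD's own code. It assumes the default log layout (/var/log/pflog plus newsyslog rotations named pflog.0.gz, pflog.1.gz, ...), a tcpdump(8) that accepts `-r -` for reading a capture from stdin, and the interface and DHCP server address from the post (xl0, 10.33.160.1). Note the security-relevant difference between the two rules in the heredoc: the poster's `pass` rule silences the log by admitting the packets, while the `block` variant the reply suggests silences it by dropping them without the `log` keyword, so pflogd never sees them. `quick` ends evaluation either way, so the later `block log` default cannot match them.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes OpenBSD-style paths and
# newsyslog(8) rotation naming: pflog, pflog.0.gz, pflog.1.gz, ...

# 1. Ruleset variants. 'quick' stops rule evaluation, so neither variant
#    reaches the 'block ... log all' default. Use ONE of the two DHCP rules.
pf_rules() {
    cat <<'EOF'
# default policy from the reply: drop and log everything not allowed
block in log all
block out log all

# poster's rule: ADMITS DHCP offers from 10.33.160.1, so nothing is logged
pass in quick on xl0 proto udp from 10.33.160.1 port 67 to any port 68

# reply's alternative: keep dropping them, just don't log (no 'log' keyword)
block in quick on xl0 proto udp from 10.33.160.1 port 67 to any port 68
EOF
}

# 2. Every pflog file: the live one first, then the rotated copies.
#    The glob sorts lexically (pflog.10.gz before pflog.2.gz); fine for a
#    quick look, sort by mtime if exact order matters.
pflog_files() {
    dir=${1:-/var/log}
    [ -f "$dir/pflog" ] && printf '%s\n' "$dir/pflog"
    for f in "$dir"/pflog.[0-9]*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# 3. Decode one pflog file with the options from the post. Compressed
#    rotations are decompressed on the fly and fed to tcpdump on stdin;
#    any extra arguments are passed as a tcpdump filter expression.
dump_pflog() {
    f=$1
    shift
    case $f in
        *.gz) gzip -dc -- "$f" ;;
        *)    cat -- "$f" ;;
    esac | "${TCPDUMP:-tcpdump}" -ttt -n -e -r - "$@"
}

# 4. Walk all of them. Example:
#    dump_all_pflog /var/log 'udp and src port 67 and dst port 68'
dump_all_pflog() {
    dir=$1
    shift
    for f in $(pflog_files "$dir"); do
        printf '== %s\n' "$f"
        dump_pflog "$f" "$@"
    done
}
```

Source the file and run `dump_all_pflog /var/log 'udp and src port 67 and dst port 68'` to see the DHCP hits across the live log and every rotation, and check /etc/newsyslog.conf for the size and count at which pflog is actually rotated on the box rather than assuming the default.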