On Wed, 12 Feb 2003, Saad Kadhi wrote:

> On Wed, Feb 12, 2003 at 02:34:21PM -0600, pf-list wrote:
> > For the life of me I couldn't figure out why my logs were filling so fast
> > and yet there were only a few packets actually in them.  When I listened
> > to pflog0 I found 1000s of dhcp server broadcasts that were being blocked
> > as per my ruleset (block that which I didn't request.)
> > I analyze my logs by the following:
> > tcpdump -ttt -n -e -r /var/log/pflog
> >
> > Yet the dhcp from port 67 to port 68 messages don't appear in my tcpdump
> > of the log.  The rule I ended up adding to stop the blocking of the
> > packets is the following:
> > pass in quick on xl0 proto udp from 10.33.160.1 port 67 to any port 68
> I suppose you have a default policy of:
>   block in log all
>   block out log all
>
> if this is the case, it is normal that you see those packets blocked
> _and_ logged. if you do want to block them (unnecessary traffic) but not
> log them, change the 'pass' in the rule you've added to 'block'.

No no you misunderstand.  They were getting logged and increasing
/var/log/pflog in size but when tcpdumping pflog they are nowhere to be
found.

> > But for some reason the tcpdump doesn't show the packets in /var/log/pflog
> by default, newsyslog(8) is configured to rotate the 'pflog' file when
> it reaches a given size (250 KB by default me thinks). so if you have
> lots of packets, your file is getting big quicker. as a result, maybe
> the file you are looking at has just been rotated. try to look at the
> other /var/log/pflog.x.gz files.

Well, actually the amount of packets getting blocked would have caused
them to show up in all the pflog.x.gz files and yet not a single packet
did.
> --
> Saad Kadhi -- [[EMAIL PROTECTED]] [[EMAIL PROTECTED]]
> [pgp keyid: 35592A6D http://pgp.mit.edu]
> [pgp fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D]
> ---
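To check the rotated copies as Saad suggests, the following added example (not from the thread or from the pf project) walks the live pflog and every newsyslog-rotated pflog.N.gz in order and counts the records matching the port 67 to port 68 DHCP traffic described above; it assumes OpenBSD's pflog-aware tcpdump and zcat are installed, and the LOGDIR default and DHCP_FILTER expression are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Scan the live pflog plus every
# rotated copy newsyslog(8) left behind (pflog.0.gz, pflog.1.gz, ...) for
# the blocked DHCP traffic described above (UDP src port 67 -> dst port 68)
# and report how many matching records each file holds.
# Assumes OpenBSD tcpdump (pflog aware) and zcat are installed.

LOGDIR="${LOGDIR:-/var/log}"
DHCP_FILTER="udp and src port 67 and dst port 68"

# Print the current pflog first, then the rotated copies in numeric order
# (pflog.2.gz before pflog.10.gz, which a plain lexical sort would get wrong).
pflog_files() {
    dir="$1"
    [ -f "$dir/pflog" ] && echo "$dir/pflog"
    for f in "$dir"/pflog.*.gz; do
        [ -e "$f" ] || continue            # no rotated copies: unmatched glob
        n="${f##*/pflog.}"; n="${n%.gz}"   # pull the rotation index
        echo "$n $f"
    done | sort -n | cut -d' ' -f2-
}

# Print the records matching $2 from pflog file $1. Rotated copies are
# decompressed on the fly; tcpdump -r - reads the pcap stream from stdin.
# -e shows the pf action/rule, -n skips DNS, -ttt prints inter-packet deltas.
dump_matches() {
    file="$1"; filter="$2"
    case "$file" in
        *.gz) zcat "$file" | tcpdump -n -e -ttt -r - "$filter" ;;
        *)    tcpdump -n -e -ttt -r "$file" "$filter" ;;
    esac
}

# One line per log file: "<matching records> <file>". A zero on every line
# means the DHCP packets are in no copy of the log, rotated or not.
count_dhcp_per_file() {
    dir="$1"
    for f in $(pflog_files "$dir"); do
        n=$(dump_matches "$f" "$DHCP_FILTER" 2>/dev/null | wc -l | tr -d ' ')
        echo "$n $f"
    done
}

count_dhcp_per_file "$LOGDIR"
```

If every count is zero while the file sizes keep growing, the growth is not coming from those DHCP records, which is the contradiction the poster ran into.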
