Here is a copy of my current pf.conf ruleset. I would like to log two different things. I would like to log external connections to tcp port 22 (SSH), and I would like to log the tcp/udp packets that are blocked coming from the internal network going outbound (the connections going outbound that aren't specified in tcp_ports or udp_ports, things on unusual ports like if there is a virus or something trying to go outbound).
---------------------------------------------------------------------------------
######################
# Macros
######################
ext_if = "fxp0"
int_if = "sis0"
unfiltered = "{ lo0, sis0 }"
network = "10.10.0.0/16"
nat_protocols = "{ icmp, tcp, udp }"
proto_options = "modulate state"
tcpsrv_options = "flags S/SA"
icmp_types = "{ 8, 10, 13, 15, 17 }"
tcp_services = "{ 22 }"
tcp_ports = "{ 21, 22, 25, 53, 80, 110, 443, 5190, 5999 }"
udp_ports = "{ 53, 67, 123 }"

######################
# Tables
######################
table <unroutable> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
    169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, \
    255.255.255.255 }

######################
# Options
######################
set loginterface $ext_if
set limit { frags 500, states 10000 }
set optimization aggressive
set block-policy drop

######################
# Packet Normalization
######################
scrub in on $ext_if all
scrub out on $ext_if all random-id

######################
# Packet Queueing
######################

######################
# Packet Redirection
######################
# Rules for internal interfaces
######################
no nat on $unfiltered inet proto $nat_protocols from any to any
no rdr on $unfiltered inet proto $nat_protocols from any to any

# Rules for external interface
# nat private network to single routable address
nat on $ext_if inet proto $nat_protocols from $network to any -> ($ext_if)

# ftp-proxy redirection
rdr on $int_if inet proto tcp from $network to any port 21 -> 127.0.0.1 port 8021

######################
# Packet Filtering
######################
# Rules for internal interfaces
######################
# pass on unfiltered interfaces
pass quick on $unfiltered

# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
block return-rst quick inet proto tcp all flags /S
block return-rst quick inet proto tcp all flags A/A

# block everything by default
block in all
block out log all

# Rules for external interface
######################
# silently drop broadcasts
block in quick on $ext_if inet from any to { 255.255.255.255 }

# block incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
block in quick on $ext_if inet from <unroutable> to any

# block outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
block out quick on $ext_if inet from !$ext_if to any

# ICMP
# internal hosts can send icmp queries and accept echo replies to
# external hosts
pass out on $ext_if inet proto icmp from $ext_if to any \
    icmp-type $icmp_types $proto_options

# UDP
pass out on $ext_if inet proto udp from $ext_if to any \
    port $udp_ports $proto_options

# TCP
# log external connections to ssh
pass in log on $ext_if inet proto tcp from any to $ext_if \
    port $tcp_services $tcpsrv_options $proto_options

# external FTP servers (on port 20) to respond to the proxy's
# active ftp requests
pass in on $ext_if inet proto tcp from any to $ext_if \
    port 55000 >< 57000 user proxy $tcpsrv_options $proto_options

# allow firewall to contact ftp server on behalf of passive ftp
# clients on standard unprivileged port ( > 1024 )
pass out on $ext_if inet proto tcp from $ext_if to any \
    port > 1023 $tcpsrv_options $proto_options

# allow these services outbound
pass out on $ext_if inet proto tcp from $ext_if to any \
    port $tcp_ports $tcpsrv_options $proto_options
---------------------------------------------------------------------------------
Let me know how I can do what I want. Thanks for any help.
Phusion

On Fri, 12 Nov 2004 14:31:36 -0600, Kevin <[EMAIL PROTECTED]> wrote:
> On Fri, 12 Nov 2004 10:31:13 -0600, Phusion <[EMAIL PROTECTED]> wrote:
> >
> > I have a question about logging certain packets. On my internal
> > network I allow the following traffic outbound: tcp
> > 21,22,25,53,80,110,443,5999 and udp 53,67,123. I was wondering how I
> > can log all the blocked outbound traffic like to tcp and udp port
> > 1214, 4662, and the rest. I'm having a problem because when I tried
> > AOL Instant Messenger, it should have been blocked, logged and not
> > been able to connect because it makes an outbound connection to tcp
> > port 5190 which isn't allowed, but it still works. This is what I have
> > right now in my config files.
>
> Can you send your complete unexpurgated "pf.conf" file?
>
> >
> > /etc/inetd.conf
> > 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy
> > ftp-proxy -n -u proxy -m 55000 -M 57000 -t 180
> >
> > /etc/pf.conf
> > tcp_ports = "{ 21, 22, 25, 53, 80, 110, 443, 5999 }"
> >
> > block in all
> > block out log all
> >
> > # for FTP
> > pass in on $ext_if inet proto tcp from any to $ext_if \
> >     port 55000 >< 57000 user proxy $tcpsrv_options $proto_options
> >
> > # for FTP
> > pass out on $ext_if inet proto tcp from $ext_if to any \
> >     port > 1023 $tcpsrv_options $proto_options
> >
> > pass out on $ext_if inet proto tcp from $ext_if to any \
> >     port $tcp_ports $tcpsrv_options $proto_options
> >
> > Let me know how I can log the outbound traffic that is blocked. Thanks.
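Two things in the posted ruleset work against the second logging goal. First, "pass quick on $unfiltered" lets everything in from sis0 before any filter rule sees it, so outbound traffic is only ever judged on fxp0, after NAT has rewritten the source to the firewall's own address; a pflog entry written there cannot tell you which internal host sent the packet. Second, the "port > 1023" pass-out rule on $ext_if passes any outbound TCP connection to a high port, so a connection to 5190 (which is also listed in tcp_ports) is never blocked at all. The fragment below is an added example, not part of the original post: it moves the outbound policy onto the internal interface, where the LAN source address is still intact, and logs only what that policy rejects. It reuses the poster's macros ($int_if, $network, $tcp_ports, $udp_ports, $ext_if, $tcpsrv_options, $proto_options) and assumes OpenBSD pf syntax of the 3.x era; the rules are meant to replace the single "pass quick on $unfiltered" line, with the rest of the ruleset unchanged.

```pf
# Added example (not the poster's configuration): outbound policy for the LAN,
# evaluated on $int_if so pflog records the internal source address.

# rdr happens before filtering, so a LAN FTP connection arrives here with its
# redirected destination (127.0.0.1 port 8021, the local ftp-proxy) and must be
# passed explicitly or the block rule below would log and drop it.
pass in quick on $int_if inet proto tcp from $network to 127.0.0.1 port 8021

# Permitted outbound services from the LAN. These are stateless on purpose:
# state is created on $ext_if by the existing rules, as in the posted ruleset,
# and replies flow back out $int_if via "pass quick on $unfiltered" below.
pass in quick on $int_if inet proto tcp from $network to !$network port $tcp_ports
pass in quick on $int_if inet proto udp from $network to !$network port $udp_ports

# Anything else from the LAN heading off-net. The SYN that would open a TCP
# connection is logged once (flags S/SA), later retransmissions are dropped
# without logging so pflog is not flooded; every UDP datagram is logged.
# "set block-policy drop" in the posted ruleset makes these silent drops.
block in log quick on $int_if inet proto tcp from $network to !$network flags S/SA
block in quick on $int_if inet proto tcp from $network to !$network
block in log quick on $int_if inet proto udp from $network to !$network

# LAN-internal traffic, traffic to the firewall itself, ICMP, lo0 and the
# replies to permitted connections are still passed unfiltered, as before.
pass quick on $unfiltered

# Optional, on $ext_if: confine the high-port rule to connections the ftp-proxy
# itself opens. The proxy runs as user proxy (inetd.conf: ftp-proxy -u proxy),
# and "user" only matches sockets on the firewall, so forwarded LAN packets
# never match this rule and fall through to the existing "block out log all".
pass out on $ext_if inet proto tcp from $ext_if to any \
    port > 1023 user proxy $tcpsrv_options $proto_options
```

The SSH logging is already in place: "pass in log" on $ext_if for $tcp_services writes the state-creating SYN of each inbound SSH connection to pflog. Note that "set loginterface" only enables the counters shown by pfctl -s info; per-packet logging comes solely from the "log" keyword on a rule, and pflogd must be running for /var/log/pflog to be written.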
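Once the rules log what you want, the other half of the job is reading pflog. pflogd writes a pcap file, so "tcpdump -n -e -ttt -r /var/log/pflog" prints each logged packet with the rule number, action and interface, and "tcpdump -n -e -ttt -i pflog0" does the same live. The script below is an added example, not from the original post: it summarises blocked outbound connections by protocol and destination port, naming the internal hosts responsible, and separately lists the sources of passed inbound SSH connections. The sample lines it runs over are constructed to look like that tcpdump output (the hosts, ports and rule numbers are made up), so it runs offline; on a real firewall you would pipe the tcpdump command into the two functions instead.

```shell
#!/bin/sh
# Added example (not the poster's code): summarise pflog output as printed by
# "tcpdump -n -e -ttt -r /var/log/pflog". The sample below is constructed:
# addresses, ports and rule numbers are invented, only the line shape is real.
SAMPLE_PFLOG='Nov 12 14:31:36.123456 rule 12/0(match): block in on sis0: 10.10.3.7.1025 > 64.12.24.13.5190: S 1:1(0) win 16384
Nov 12 14:31:37.000001 rule 12/0(match): block in on sis0: 10.10.3.7.1026 > 213.22.1.9.1214: S 2:2(0) win 16384
Nov 12 14:31:38.000002 rule 12/0(match): block in on sis0: 10.10.5.2.1027 > 213.22.1.9.1214: S 3:3(0) win 16384
Nov 12 14:31:39.000003 rule 14/0(match): block in on sis0: 10.10.5.2.1028 > 80.1.2.3.4662: udp 30
Nov 12 14:31:40.000004 rule 7/0(match): pass in on fxp0: 198.51.100.9.40000 > 192.0.2.1.22: S 4:4(0) win 5840'

# blocked_outbound_summary: read tcpdump pflog text on stdin, keep only the
# blocked packets, and print "count proto dport from <internal hosts>",
# most frequent first. Passed entries (such as logged SSH) are ignored.
blocked_outbound_summary() {
    awk '
    / block (in|out) on / {
        # src.port sits before the ">" token, dst.port: after it; the token
        # after that is "udp" for UDP, or TCP flags (S, ., P ...) for TCP
        for (i = 1; i <= NF; i++)
            if ($i == ">") { src = $(i - 1); dst = $(i + 1); after = $(i + 2); break }
        sub(/:$/, "", dst)
        n = split(dst, d, "."); dport = d[n]
        n = split(src, s, "."); shost = s[1] "." s[2] "." s[3] "." s[4]
        proto = (after == "udp") ? "udp" : "tcp"
        key = proto " " dport
        count[key]++
        if (!seen[key, shost]++)
            hosts[key] = (hosts[key] == "") ? shost : hosts[key] " " shost
    }
    END {
        for (k in count) print count[k], k, "from", hosts[k]
    }' | sort -rn
}

# ssh_connections: print the source address of every passed inbound
# connection to port 22, one per line (the first goal in the post).
ssh_connections() {
    awk '
    / pass in on / {
        for (i = 1; i <= NF; i++)
            if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
        sub(/:$/, "", dst)
        n = split(dst, d, ".")
        if (d[n] != 22) next
        n = split(src, s, ".")
        print s[1] "." s[2] "." s[3] "." s[4]
    }'
}

# On a live firewall replace the printf with:
#   tcpdump -n -e -ttt -r /var/log/pflog | blocked_outbound_summary
printf '%s\n' "$SAMPLE_PFLOG" | blocked_outbound_summary
printf '%s\n' "$SAMPLE_PFLOG" | ssh_connections
```

With the constructed sample the summary's first line is "2 tcp 1214 from 10.10.3.7 10.10.5.2", which is the kind of answer the post is after: which port is being tried, how often, and from which machines on the LAN. The awk keys on the text tcpdump prints rather than on field positions, so the timestamp format does not matter, but it does rely on the "-e" flag being present so the action and interface appear on each line.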