Re: Rule last match timestamp

2019-12-27 Thread Kristof Provost

On 27 Dec 2019, at 21:49, Franco Fichtner wrote:
> Hi,
>
>> On 27. Dec 2019, at 6:45 PM, Kristof Provost wrote:
>>
>> What are you trying to accomplish?
>
> Some people believe that "last match" is a great metric to audit rules for
> intrusion detection and all sorts of ruleset optimisation and refinement.
>
> In OPNsense the question has popped up a few times to support it, but without
> doing it in pf(4) directly it makes little sense as you'd have to crawl pflog
> output and even then you can't crawl non-log rules this way...
>
Would SDT probe points be useful for this?

I have a background todo item to add those where they'd be meaningful.
They have the advantage of not really having a cost when they're not
active, of being really easy to add, and of not imposing ABI changes.


Best regards,
Kristof
___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"


Re: Rule last match timestamp

2019-12-27 Thread Franco Fichtner
Hi,

> On 27. Dec 2019, at 6:45 PM, Kristof Provost  wrote:
> 
> What are you trying to accomplish?

Some people believe that "last match" is a great metric to audit rules for
intrusion detection and all sorts of ruleset optimisation and refinement.

In OPNsense the question has popped up a few times to support it, but without
doing it in pf(4) directly it makes little sense as you'd have to crawl pflog
output and even then you can't crawl non-log rules this way...


Cheers,
Franco
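Franco's point above is that, short of tracking it inside pf(4), the only way to get a per-rule "last match" today is to crawl pflog output, and that only ever covers rules carrying the log keyword. The following is an added example, not code from pf, OPNsense or any poster in this thread, that does that crawl over the text tcpdump(8) prints for a pflog(4) capture. It assumes the record shape produced by `tcpdump -n -e -tttt -r /var/log/pflog` (absolute timestamp, then `rule N/S(reason): action dir on iface:`); the sample records are constructed, and the `known_rules` set stands in for the rule numbers you would take from `pfctl -vvsr`.

```python
"""Derive a per-rule "last match" view from pflog records.

Added example for this thread, not code from pf, OPNsense or any poster.
Assumes the textual form tcpdump(8) prints for a pflog(4) capture, e.g.

    tcpdump -n -e -tttt -r /var/log/pflog

where every record starts with an absolute timestamp followed by
"rule <num>/<sub>(<reason>): <action> <dir> on <iface>: ...".
Only rules with the "log" keyword reach pflog, so rules without it never
show up here at all; that is the limitation Franco describes.
"""
import re
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample records in the shape `tcpdump -n -e -tttt` emits for pflog.
SAMPLE_PFLOG = """\
2019-12-27 21:40:01.000123 rule 3/0(match): block in on em0: 192.0.2.10.44321 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
2019-12-27 21:41:15.500000 rule 7/0(match): pass in on em0: 192.0.2.11.51000 > 198.51.100.5.443: Flags [S], seq 1, win 65535, length 0
2019-12-27 21:49:59.250000 rule 3/0(match): block in on em0: 192.0.2.12.40000 > 198.51.100.5.23: Flags [S], seq 1, win 65535, length 0
2019-12-27 21:50:02.000000 rule 7/0(match): pass out on em1: 198.51.100.5.443 > 203.0.113.9.60000: Flags [S.], seq 1, ack 2, win 65535, length 0
this line is not a pflog record and must be skipped
"""

# Leading timestamp, then the pflog header tcpdump prints before the packet summary.
# The action is matched lazily so two-word actions ("no nat", "synproxy drop") also work.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>.+?) (?P<dir>in|out) on (?P<iface>\S+):"
)


@dataclass
class RuleStats:
    count: int          # logged matches seen for this rule number
    last: datetime      # timestamp of the most recent logged match


def parse_record(line: str) -> Optional[Tuple[int, datetime, str, str]]:
    """Return (rule number, timestamp, action, interface) or None for non-pflog lines."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return int(m["rule"]), ts, m["action"], m["iface"]


def rule_stats(lines: Iterable[str]) -> Dict[int, RuleStats]:
    """Fold pflog text into per-rule hit counts and last-match timestamps."""
    stats: Dict[int, RuleStats] = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue                      # tcpdump banners, truncated lines, noise
        rule, ts, _action, _iface = rec
        cur = stats.get(rule)
        if cur is None:
            stats[rule] = RuleStats(count=1, last=ts)
        else:
            cur.count += 1
            if ts > cur.last:             # pflog is usually ordered, but do not rely on it
                cur.last = ts


    return stats


def stale_rules(stats: Dict[int, RuleStats], known_rules: Set[int],
                cutoff: datetime) -> List[int]:
    """Rule numbers in the loaded ruleset with no logged match at or after `cutoff`.

    A rule can appear here either because it really is idle or because it
    lacks the "log" keyword; pflog alone cannot tell the two apart.
    """
    return sorted(r for r in known_rules
                  if r not in stats or stats[r].last < cutoff)


def report(stats: Dict[int, RuleStats]) -> List[str]:
    """One line per rule, suitable for a periodic audit job."""
    return [f"rule @{rule}: {s.count} logged match(es), last {s.last.isoformat()}"
            for rule, s in sorted(stats.items())]


if __name__ == "__main__":
    # Pipe `tcpdump -n -e -tttt -r /var/log/pflog` into this script, or run it
    # without input to see the constructed sample processed.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_PFLOG.splitlines()
    for line in report(rule_stats(source)):
        print(line)
```

The rule number in each record is the one pfctl's verbose listing prefixes with `@`, so the report lines up with the loaded ruleset. The caveat from the thread carries over unchanged: a rule that never appears in the output may be idle, or it may simply not carry `log`, and nothing in pflog distinguishes the two.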


Re: Rule last match timestamp

2019-12-27 Thread Kristof Provost
On 26 Dec 2019, at 1:20, Özkan KIRIK wrote:
> Hi,
>
> I need last match timestamps for each rule. ipfw has an option for this.
> But the pfctl -v -sr command doesn't show a last match timestamp.
> Is there a way to gather this information in pf?
>
Pf does not track this.

What are you trying to accomplish?

Best regards,
Kristof


Rule last match timestamp

2019-12-25 Thread Özkan KIRIK
Hi,

I need last match timestamps for each rule. ipfw has an option for this.
But the pfctl -v -sr command doesn't show a last match timestamp.
Is there a way to gather this information in pf?

Thanks