The options that can be given to the log keyword are:
Options are given in parentheses after the log keyword; multiple options can be separated by a comma or space. For example:

    pass in log (all, to pflog1) on $ext_if inet proto tcp to $ext_if port 22 keep state
To view the log file:

    # tcpdump -n -e -ttt -r /var/log/pflog

Note that using tcpdump(8) to watch the pflog file does not give a real-time display. A real-time display of logged packets is achieved by using the pflog0 interface:

    # tcpdump -n -e -ttt -i pflog0

NOTE: When examining the logs, special care should be taken with tcpdump's verbose protocol decoding (activated via the -v command line option). tcpdump's protocol decoders do not have a perfect security history. At least in theory, a delayed attack could be possible via the partial packet payloads recorded by the logging device. It is recommended practice to move the log files off of the firewall machine before examining them in this way.
Additional care should also be taken to secure access to the logs. By default, pflogd will record 160 bytes of the packet in the log file. Access to the logs could provide partial access to sensitive packet payloads.
This can be further refined by limiting the display of packets to a certain host and port combination:

    # tcpdump -n -e -ttt -r /var/log/pflog port 80
    # tcpdump -n -e -ttt -r /var/log/pflog port 80 and host 192.168.1.3

The same idea can be applied when reading from the pflog0 interface:

    # tcpdump -n -e -ttt -i pflog0 host 192.168.4.2

Note that this has no impact on which packets are logged to the pflogd log file; the above commands only display packets as they are being logged.
In addition to using the standard tcpdump(8) filter rules, the tcpdump filter language has been extended for reading pflogd output:

    # tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0

This displays the log, in real time, of inbound packets that were blocked on the wi0 interface.
Create the following script as /etc/pflogrotate:

    #!/bin/sh
    PFLOG=/var/log/pflog
    FILE=/var/log/pflog5min.$(date "+%Y%m%d%H%M")
    # SIGALRM makes pflogd flush its buffered records to disk
    pkill -ALRM -u root -U root -t - -x pflogd
    # a pflog file with no packets is just the 24-byte pcap header, so
    # only rotate when it has grown beyond that
    if [ -r $PFLOG ] && [ $(stat -f %z $PFLOG) -gt 24 ]; then
        mv $PFLOG $FILE
        # SIGHUP makes pflogd close the moved file and open a new one
        pkill -HUP -u root -U root -t - -x pflogd
        tcpdump -n -e -s 160 -ttt -r $FILE | logger -t pf -p local0.info
        rm $FILE
    fi

Edit root's cron table:

    # crontab -u root -e

Add the following two lines:

    # rotate pf log file every 5 minutes
    0-59/5 * * * * /bin/sh /etc/pflogrotate

Add the following line to /etc/syslog.conf:

    local0.info /var/log/pflog.txt

If you also want to log to a remote log server, add the line:

    local0.info @syslogger

Make sure host syslogger has been defined in the hosts(5) file.
Create the file /var/log/pflog.txt to allow syslog to log to that file, and give it the same permissions as the pflog file:

    # touch /var/log/pflog.txt
    # chmod 600 /var/log/pflog.txt

Make syslogd notice the changes by restarting it:

    # kill -HUP $(cat /var/run/syslog.pid)

All logged packets are now sent to /var/log/pflog.txt. If the second line is added, they are sent to the remote logging host syslogger as well.
The script /etc/pflogrotate now processes and then deletes /var/log/pflog, so rotation of pflog by newsyslog(8) is no longer necessary and should be disabled. However, /var/log/pflog.txt replaces /var/log/pflog and rotation of it should be activated. Change /etc/newsyslog.conf as follows:

    #/var/log/pflog 600 3 250 * ZB "pkill -HUP -u root -U root -t - -x pflogd"
    /var/log/pflog.txt 600 7 * 24

PF will now log in ASCII to /var/log/pflog.txt. If so configured in /etc/syslog.conf, it will also log to a remote server. The logging is not immediate: it can take up to about 5-6 minutes (the cron job interval) before the logged packets appear in the file.
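The rotation script above decides whether there is anything to rotate with a single size test, `-gt 24`, which works because a pflog file that pflogd has opened but not written a packet to is exactly the 24-byte pcap global header. The following is an added example, not the FAQ's script, that makes that check explicit and stricter: before a file at the pflog path is handed to tcpdump and logger, it is verified to carry a pcap magic number and to be longer than the header, so a truncated or foreign file is skipped rather than decoded. The function names (`pflog_has_packets`, `rotate_pflog`, `signal_pflogd`, `make_sample_pflog`), the file names and the sample capture bytes are this example's own constructions; the pkill invocation is the one used in the FAQ script, and the size check uses `wc -c` instead of the BSD-only `stat -f %z` so the check also runs elsewhere.

```shell
#!/bin/sh
# Added example, not the FAQ's own /etc/pflogrotate: a stricter variant of its
# "is there anything to rotate?" test. Sample pflog files are constructed
# inline below, so nothing here needs a running pflogd.

PCAP_HDR_LEN=24   # size of the pcap global header; an empty pflog is exactly this long

# pcap_magic FILE: print the first four bytes of FILE as lowercase hex, no spaces.
pcap_magic() {
    dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# pflog_has_packets FILE: succeed only if FILE starts with a pcap magic number
# (either byte order, microsecond or nanosecond variant) and is longer than the
# global header, i.e. pflogd has written at least one record to it.
pflog_has_packets() {
    f=$1
    [ -r "$f" ] || return 1
    case "$(pcap_magic "$f")" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) ;;
        *) return 1 ;;
    esac
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -gt "$PCAP_HDR_LEN" ]
}

# signal_pflogd SIG: deliver SIG to pflogd with the same pkill invocation the
# FAQ script uses; a harmless no-op on hosts where pflogd (or pkill) is absent.
signal_pflogd() {
    command -v pkill >/dev/null 2>&1 || return 0
    pkill "-$1" -u root -U root -t - -x pflogd 2>/dev/null || true
}

# rotate_pflog PFLOG DEST: flush pflogd's buffers and, if PFLOG holds packets,
# move it to DEST and have pflogd reopen a fresh PFLOG. Returns 0 when DEST was
# produced (the caller then runs tcpdump | logger on it), 1 when there was
# nothing worth rotating.
rotate_pflog() {
    pflog=$1
    dest=$2
    signal_pflogd ALRM                      # SIGALRM: flush buffered records to disk
    pflog_has_packets "$pflog" || return 1
    mv "$pflog" "$dest" || return 1
    signal_pflogd HUP                       # SIGHUP: close the moved file, open a new one
}

# make_sample_pflog DIR: write three constructed files into DIR:
#   header-only.pflog   a 24-byte pcap header (magic d4c3b2a1, version 2.4,
#                       snaplen 160, link type 117 = DLT_PFLOG) with no records
#   with-packets.pflog  the same header followed by 20 bytes of record data
#   not-pcap.pflog      100 bytes of text that is not a capture at all
make_sample_pflog() {
    dir=$1
    hdr='\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\240\000\000\000u\000\000\000'
    printf "$hdr" > "$dir/header-only.pflog"
    printf "$hdr" > "$dir/with-packets.pflog"
    printf 'XXXXXXXXXXXXXXXXXXXX' >> "$dir/with-packets.pflog"
    printf '%0100d' 0 > "$dir/not-pcap.pflog"
}

# Stand-alone demo on the constructed files in a scratch directory.
demo_dir=$(mktemp -d)
make_sample_pflog "$demo_dir"
for name in header-only with-packets not-pcap; do
    if pflog_has_packets "$demo_dir/$name.pflog"; then
        echo "$name.pflog: packets present, would rotate"
    else
        echo "$name.pflog: nothing to rotate"
    fi
done
rm -rf "$demo_dir"
```

In a cron job the call would be `rotate_pflog /var/log/pflog "/var/log/pflog5min.$(date "+%Y%m%d%H%M")" && tcpdump -n -e -s 160 -ttt -r "$dest" | logger -t pf -p local0.info` followed by removing the rotated file, exactly the flow of the FAQ script; the only behavioural difference is that a file whose first four bytes are not a pcap magic number is left alone and never reaches tcpdump's decoders.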