Tom Uffner wrote:
> Gaurav Ghimire wrote:
>> Just curious to know if we have something, some alerting system or
>> mechanism that provides the administrator with the daily reports that
>> pf itself or some other tool collects on pf's behalf.
>>
>> That probably reports to the admin:
>> ~ Total connection counts matched on each ruleset.
>> ~ Total number of counts matched on deny rules.
>
> /etc/periodic/security/520.pfdenied
>
> it should be enabled by default if you haven't done anything unnatural to
> the /etc/periodic system
>
>> ~ IP/Port attack logs and relatives.
>
> only if you specify "log" in one or more of your pf rules, in which
> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
> /var/log/pf.{today,yesterday}
>
> tom

Not sure if this will help, but I have added the following line to /etc/periodic/security/520.pfdenied:
    pfctl -sr -v | grep -v "Inserted:" | awk '/^[apb]/ { printf "\n%s\n", $0 } $0 !~ /^[apb]/' | mailx -s "Daily PF Hit Report" root

This will produce something like the following for each rule that you have:

    pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
      [ Evaluations: 560355 Packets: 46 Bytes: 4058 States: 0 ]

The downside is that the numbers will increment from the last time PF was restarted, not from the previous day.

Regards,
Tim
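The caveat in Tim's reply (counters accumulate since pf was last started, not per day) can be worked around by keeping yesterday's `pfctl -sr -v` counters and reporting the difference. The script below is an added example written for this page; it is not part of Tim's post, of 520.pfdenied, or of the FreeBSD periodic scripts. It assumes the `pfctl -sr -v` layout shown above (a rule line followed by an indented `[ Evaluations: ... Packets: ... Bytes: ... ]` line), stores snapshots under a hypothetical `$PF_SNAPDIR` (default `/var/db/pfhits`), keys rules by their full text, and, because it must run on a machine without pf, exercises itself on a constructed sample of pfctl output rather than on live counters.

```shell
#!/bin/sh
# Added example, not from the thread: per-day pf rule hit deltas.
# Flattens "pfctl -sr -v" into one "packets<TAB>bytes<TAB>rule" line per
# rule, keeps that as a snapshot, and on the next run reports the delta
# against the stored snapshot instead of the counters since pf started.
#
# Assumptions (hypothetical, not from the original post): snapshots live in
# $PF_SNAPDIR; the rule text is the key, so an edited rule shows up as new.
PF_SNAPDIR=${PF_SNAPDIR:-/var/db/pfhits}

# Constructed sample "pfctl -sr -v" output for two consecutive days, used so
# the script can be run on a host without pf.
SAMPLE_PREV='block drop in log all
  [ Evaluations: 1000 Packets: 40 Bytes: 3200 States: 0 ]
pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 560355 Packets: 46 Bytes: 4058 States: 0 ]
'
SAMPLE_CUR='block drop in log all
  [ Evaluations: 1500 Packets: 55 Bytes: 4400 States: 0 ]
pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 600000 Packets: 60 Bytes: 5300 States: 0 ]
pass out on vr0 all
  [ Evaluations: 10 Packets: 3 Bytes: 200 States: 1 ]
'

# pf_flatten: read "pfctl -sr -v" on stdin, write "packets<TAB>bytes<TAB>rule".
# Any other bracketed line (e.g. "[ Inserted: ... ]" from -vv) is skipped.
pf_flatten() {
    awk '
        /^[[:space:]]*\[ Evaluations:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Packets:") pk = $(i + 1)
                if ($i == "Bytes:")   by = $(i + 1)
            }
            print pk "\t" by "\t" rule
            next
        }
        /^[[:space:]]*\[/ { next }
        { rule = $0 }
    '
}

# pf_hit_delta PREV CUR: print "dpackets<TAB>dbytes<TAB>rule" for each rule
# in CUR.  A rule missing from PREV is reported with its absolute counters
# and "[new rule]"; a counter that went backwards (pf restart or ruleset
# reload zeroes counters) is reported as absolute and "[counters reset]".
pf_hit_delta() {
    awk -F '\t' '
        FILENAME == ARGV[1] { prevp[$3] = $1; prevb[$3] = $2; next }
        {
            if (($3 in prevp) && $1 >= prevp[$3] && $2 >= prevb[$3]) {
                print ($1 - prevp[$3]) "\t" ($2 - prevb[$3]) "\t" $3
            } else {
                flag = ($3 in prevp) ? " [counters reset]" : " [new rule]"
                print $1 "\t" $2 "\t" $3 flag
            }
        }
    ' "$1" "$2"
}

# pf_delta_demo: run the delta over the constructed samples (no pf needed).
pf_delta_demo() {
    tmp=$(mktemp -d)
    printf '%s' "$SAMPLE_PREV" | pf_flatten > "$tmp/prev"
    printf '%s' "$SAMPLE_CUR"  | pf_flatten > "$tmp/cur"
    pf_hit_delta "$tmp/prev" "$tmp/cur"
    rm -rf "$tmp"
}

# pf_daily_report: the periodic(8) entry point on a real pf host.  Snapshots
# today's counters, mails the delta against the stored snapshot (or the raw
# counters on the first run), then rotates the snapshot.
pf_daily_report() {
    mkdir -p "$PF_SNAPDIR"
    pfctl -sr -v | pf_flatten > "$PF_SNAPDIR/cur"
    if [ -s "$PF_SNAPDIR/prev" ]; then
        pf_hit_delta "$PF_SNAPDIR/prev" "$PF_SNAPDIR/cur"
    else
        cat "$PF_SNAPDIR/cur"
    fi | awk -F '\t' '{ printf "%10s pkts %12s bytes  %s\n", $1, $2, $3 }' \
       | mailx -s "Daily PF Hit Report" root
    mv "$PF_SNAPDIR/cur" "$PF_SNAPDIR/prev"
}

# Set PF_RUN=1 to run the real report; by default show the sample delta.
if [ "${PF_RUN:-0}" = 1 ]; then pf_daily_report; else pf_delta_demo; fi
```

Dropped into /etc/periodic/security alongside 520.pfdenied and run with `PF_RUN=1`, this mails three columns per rule: packets and bytes since the previous run, plus the rule text. Rules that were added, or whose counters were zeroed by a reload, are flagged rather than silently producing negative numbers, which is the failure mode the absolute-counter one-liner cannot distinguish.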