Tom Uffner wrote:
> Gaurav Ghimire wrote:
>> Just curious to know if we have something, some alerting system or
>> mechanism that provides the administrator with the daily reports that
>> pf itself or some other
>> tool collects on pf's behalf.
>>
>> That probably reports the admin of:
>> ~ Total connection counts matched on each rulesets.
>> ~ Total number of counts matched on deny rules.
>
> /etc/periodic/security/520.pfdenied
>
> it should be enabled by default if you haven't done anything unnatural to
> the /etc/periodic system
>
> > ~ IP/Port attack logs and relatives.
>
> only if you specify "log" in one or more of your pf rules, in which
> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
> /var/log/pf.{today,yesterday}
>
> tom
>
Not sure if this will help but I have added the following line to
/etc/periodic/security/520.pfdenied
pfctl -sr -v | grep -v "Inserted:" | awk '/^[apb]/ { printf "\n%s\n", $0
} $0 !~ /^[apb]/' | mailx -s "Daily PF Hit Report" root
This will produce something like the following for each rule that you have;
pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port =
syslog keep state
[ Evaluations: 560355 Packets: 46 Bytes: 4058 States:
0 ]
The down side is that the numbers will increment from the last time PF
was restarted, not from the previous day.
Regards,
Tim
smime.p7s
Description: S/MIME Cryptographic Signature
