On Mon, Mar 21, 2005 at 08:54:35AM +0100, Peter N. M. Hansteen wrote:
" "Eugene M. Minkovskii" <[EMAIL PROTECTED]> writes:
"
" > block in log on $ext_ip inet from any to $ext_ip label $ext_ip
" > pass in on $ext_ip inet from any to $ext_ip port 22 keep sate
" >
" > As you can see, ssh packets match all rules and pass in because
" > the last rule wins. Does it mean that I can't see ssh's packets using
" > the command
" > # pfctl -sl
"
" here you label the blocked packets but not the ones you pass, which
" means your ssh packets would count toward the packets passed counter only.
"
" > And if I use
" >
" > block in log on $ext_ip inet from any to $ext_ip label $ext_ip
" > pass in on $ext_ip inet from any to $ext_ip port 22 keep sate label $ext_ip
" >
" > ... do I see the label twice?
"
" No. But both rules would increment the $ext_ip counter, which means that
" your $ext_ip counter would be essentially packet totals. Last matching
" rule wins (with state instead of sate it would work), so each packet
" increments the relevant counters only once.
I was trying some experiments... It seems to me you are right in all except one: the second line doesn't increase the $ext_ip counter, but... adds another counter with the same name:

# pfctl -sr | grep label
block in log on $ext_if inet from any to $ext_if label $ext_if
block in log quick on $ext_if inet from <crackers> to $ext_if label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = ssh flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = smtp flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = auth flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any port = ftp-data to $ext_if user = 62 flags S/SA keep state label $ext_if
# pfctl -vsl
rl0 48703 10 936
rl0 26095 0 0
rl0 25845 776 81479
rl0 29 25 2952
rl0 29 0 0
rl0 29 0 0

But, of course, this output is "scriptable". (I can sum these numbers in python or bc.)

" > Perhaps you know where I can find a workable example of this?
"
" Randal Schwartz has a nice article called "Monitoring Net Traffic with
" OpenBSD's Packet Filter" at http://www.samag.com/documents/s=9053/sam0403j/0403j.htm

Thanks
--
Sensory yours, Eugene Minkovskii
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
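The "scriptable" remark above, worked through as an added example (this is not code from either poster or from the pf project): it parses the `pfctl -vsl` counter lines, sums all rules that share a label, and then, because pfctl prints the label counters in the same order as the labelled rules in `pfctl -sr`, joins each counter line to its rule so that blocked and passed packets under one label can still be told apart, which is the distinction the shared `$ext_if` label loses. The sample input is copied from the thread's output; the four-column layout (label, evaluations, packets, bytes) is an assumption taken from that output, and newer pf releases print extra columns that this script simply ignores.

```python
from collections import OrderedDict

# Constructed sample: the `pfctl -sr | grep label` lines quoted in the thread.
RULES_SAMPLE = """\
block in log on $ext_if inet from any to $ext_if label $ext_if
block in log quick on $ext_if inet from <crackers> to $ext_if label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = ssh flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = smtp flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = auth flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any port = ftp-data to $ext_if user = 62 flags S/SA keep state label $ext_if
"""

# Constructed sample: the `pfctl -vsl` lines quoted in the thread.
COUNTERS_SAMPLE = """\
rl0 48703 10 936
rl0 26095 0 0
rl0 25845 776 81479
rl0 29 25 2952
rl0 29 0 0
rl0 29 0 0
"""


def parse_counters(text):
    """Parse pfctl label lines into (label, evaluations, packets, bytes) tuples.

    Assumption: the first four columns are label, evaluations, packets and
    bytes, as in the thread's output. Any further columns are ignored.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        try:
            evals, pkts, nbytes = (int(f) for f in fields[1:4])
        except ValueError:
            continue  # not a counter line
        rows.append((fields[0], evals, pkts, nbytes))
    return rows


def sum_by_label(rows):
    """Total the counters of every rule that shares a label (what a plain
    `pfctl -sl` sum gives you: block and pass lumped together)."""
    totals = OrderedDict()
    for label, evals, pkts, nbytes in rows:
        e, p, b = totals.get(label, (0, 0, 0))
        totals[label] = (e + evals, p + pkts, b + nbytes)
    return totals


def sum_by_action(rules_text, rows):
    """Split the per-label totals by rule action (block/pass).

    pfctl emits label counters in rule order, so the i-th counter line
    belongs to the i-th labelled rule. Both lists must come from the same
    ruleset snapshot, hence the length check.
    """
    rules = [ln.split() for ln in rules_text.splitlines() if ln.strip()]
    if len(rules) != len(rows):
        raise ValueError("rule list and counter list differ in length")
    totals = OrderedDict()
    for rule, (label, evals, pkts, nbytes) in zip(rules, rows):
        key = (label, rule[0])  # rule[0] is the action keyword
        e, p, b = totals.get(key, (0, 0, 0))
        totals[key] = (e + evals, p + pkts, b + nbytes)
    return totals


def main():
    rows = parse_counters(COUNTERS_SAMPLE)
    for label, (e, p, b) in sum_by_label(rows).items():
        print("%-8s        evals=%d packets=%d bytes=%d" % (label, e, p, b))
    for (label, action), (e, p, b) in sum_by_action(RULES_SAMPLE, rows).items():
        print("%-8s %-6s evals=%d packets=%d bytes=%d" % (label, action, e, p, b))


if __name__ == "__main__":
    main()
```

Running it on the sample prints one `rl0` total (811 packets) and then the same label split into 10 blocked and 801 passed packets. In practice you would feed it `pfctl -sr | grep label` and `pfctl -vsl` captured at the same moment, or, simpler still, give the block and pass rules different labels so that no join is needed.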