[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pflog0, ICMP rule 4294967295/3(short)

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: pflog0, ICMP rule 4294967295/3(short)
From: "John L. Scarfone" <j0_(_at_)_cox_(_dot_)_net>
Date: Fri, 11 Mar 2005 19:14:40 -0500
Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org

On Fri, Mar 11, 2005 at 06:08:29PM +0000, j-fron_(_dot_)_q_(_dot_)_public_(_at_)_comcast_(_dot_)_net said:
> Hmm, if that's true, perhaps it oughtn't say "pass" when it logs them, then?
> I don't have a problem with them being logged against rule
> 0xffffffff, either, just it'd have been nice if the PF documentation
> would have noted that would happen.  That is, while pflogd (8)
> indicates that short packets will be logged (by listing it as a
> logging option, under the assumption that "all" options are default,
> it would have helped if it had indicated that the rule for such
> packets would be undefined (-1).

The reason, in this case (short) tells you it was blocked.  The reason
is not (match).  The 4294967295 thing was fixed in -current.

> If I log everything I block, I fill /var.

If these particular packets are contributing greatly to your
filling /var than stop sending yourself malformed packets.  ;)

> I guess my only question, then, would be what options to use to specify multiple "reasons"?
> `pflogd reason match reason normalize`

You can use "and" "or" and "not" with expressions depending on what logic
you want.  There are examples in both the pflogd and tcpdump manpages.
 
-- 
ajBAY294Lm5ldA==

References:
- Re: pflog0, ICMP rule 4294967295/3(short)
  - From: j-fron . q . public

Prev by Date: Re: WebMail System
Next by Date: Re: cvs.openbsd.org needs an upgrade
Previous by thread: Re: pflog0, ICMP rule 4294967295/3(short)
Next by thread: ifstated
Index(es):
- Date
- Thread

Visit your host, monkey.org