[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: pflog0, ICMP rule 4294967295/3(short)
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: pflog0, ICMP rule 4294967295/3(short)
- From: "John L. Scarfone" <j0_(_at_)_cox_(_dot_)_net>
- Date: Fri, 11 Mar 2005 19:14:40 -0500
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
On Fri, Mar 11, 2005 at 06:08:29PM +0000, j-fron_(_dot_)_q_(_dot_)_public_(_at_)_comcast_(_dot_)_net said:
> Hmm, if that's true, perhaps it oughtn't say "pass" when it logs them, then?
> I don't have a problem with them being logged against rule
> 0xffffffff, either, just it'd have been nice if the PF documentation
> would have noted that would happen. That is, while pflogd (8)
> indicates that short packets will be logged (by listing it as a
> logging option, under the assumption that "all" options are default,
> it would have helped if it had indicated that the rule for such
> packets would be undefined (-1).
The reason, in this case (short) tells you it was blocked. The reason
is not (match). The 4294967295 thing was fixed in -current.
> If I log everything I block, I fill /var.
If these particular packets are contributing greatly to your
filling /var than stop sending yourself malformed packets. ;)
> I guess my only question, then, would be what options to use to specify multiple "reasons"?
> `pflogd reason match reason normalize`
You can use "and" "or" and "not" with expressions depending on what logic
you want. There are examples in both the pflogd and tcpdump manpages.
Visit your host, monkey.org