[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pf and authpf logging.



I've been asked to do something a bit silly for work. Let me give you the background.

I have a bunch of network connections that run our of a non-OpenBSD firewall, they just happen to be VPN tunnels, for auditing purposes they want to generate a log when somebody starts a session down one of those tunnels and, this is the silly bit, a log when the session ends. 

This is where I'm at so far. I have a 3.7 box running pf with a authpf user. The authpf user logs in and I get that logged. Then he starts a

 ssh session to my test box and I get pf: Aug 10 16:33:44.148959 rule 3.rayp(7025).0/(match) pass in on xl0: 10.6.223.254.29881 > 172.22.22.2.22: S 2379237274:2379237274(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)

in my logs. This is a Good Thing, and btw colour me *very* impressed. Now I would happily stop there and call it good. But they want something like that, with username and IPs when the ssh session ends. I've been unable to find any way to do this in the docs that I've come across so far. Although the other logging features are hella cool. 

I know that this is rather silly and not really what it is meant to do but I'm hoping somebody might know how to do some deep magic.

Thanks. 

Ray
-- 
BOFH excuse #1:

clock speed



Visit your host, monkey.org