Re: Turning on pf logging after switching from ipf.

[Dries Schellekens <gwyllion@ace.ulyssis.org>]

On Thu, 28 Feb 2002, Shawn Wilton wrote:

> Nowhere does it say I need to turn on the pflog0 interface using ifconfig in
> the man pages.

You should read pflog(4).
NAME
     pflog - packet filter logging interface

SYNOPSIS
     pseudo-device pflog <number>

DESCRIPTION
     The pflog interface is the interface the packet filter, pf(4), copies all
     the packets to which it has been configured to log.  In this way, all
     logged packets can easily be monitored in real time by invoking tcp-
     dump(8) on the pflog interface.
...
EXAMPLES
           # ifconfig pflog0 up
           # tcpdump -n -e -ttt -i pflog0
...

> I had manually altered my /etc/rc.conf to be of the 3.0 format and it still
> didn't log packets.  I had to start pflogd manually after bringing up the
> interface as dries mentioned. Only then does it work.  So I guess my
> question is, do I need to bring that interface up myself (put it in
> rc.local) or is it supposed to be done elsewhere by another script?

You should alter your /etc/rc. Altering /etc/rc.conf without /etc/rc
doesn't make much sense.

In my 3.0 rc script:
echo 'starting system logger'
rm -f /dev/log
if [ "X${named_flags}" != X"NO" -a "X${named_chroot}" != "X" ]; then
        rm -f ${named_chroot}/dev/log
        syslogd_flags="${syslogd_flags} -a ${named_chroot}/dev/log"
fi
syslogd ${syslogd_flags}

if [ "X$pf" != X"NO" ]; then
        ifconfig pflog0 up
        pflogd ${pflogd_flags}
fi

Greetings,

Dries
-- 
Dries Schellekens
email: gwyllion@ulyssis.org