Re: Questions at my kFreeBSD FOSDEM talk
On 02/06/2011 11:41 PM, Robert Millan wrote:
>> >> * Several questions around how is decided which kernel modules are
>> >> included. Specifically someone asked for a module called pfsync or
>> >> so and not included in FreeBSD by default either.
That would be me.
> > I think the BTS has some request related to pfsync.
Somehow I didn't find it at first, but it is:
One of the major features which makes pf interresting is it's ability to
be used as HA-clustered firewall system.
Although iptables has it too with conntrackd, but in comparison it is
kind of new and less known.
I checked my kfreebsd with 8.1-1-amd64 test VM by doing an
update/dist-upgrade and it didn't seem be included in
/boot/config-8.1.1-amd64, not in /lib/modules and not in the kernel.
Because these failed:
ifconfig carp123 create
ifconfig pfsync0 create
But this worked:
modprobe pf; modprobe pflog; ifconfig pflog create
So I didn't think ifconfig has been wrapped like route, I didn't see
ifconfig in /lib/freebsd either.
Also I do think pflog might be kind of useless if you don't include the
right tcpdump to read it. The one from OpenBSD (I assume from FreeBSD
also) has been adapted to read what pflog creates which logs the pf-rule
which matched to pass or block the packet involved and some packet
The tcpdump included in Linux can not read that. It does not include
support for link type 117.
On OpenBSD (and I assume on FreeBSD) you can do:
tcpdump -enpti pflog0 and see everything the rulenumber and the action
when specified in pf.conf it should be logged.
I just checked, atleast Wireshark/tshark has support for it though. So
maybe some kind of pointer in some documentation or something like that
might be useful ?
It might be able to read a pflogd logfile file (the one I had was copied
from somewhere else though), but not directly capture on pflog0.