Running multiple instance of pflogd to log from different pflog interfaces
Recently I set up a bridging firewall. I read from the PF FAQ that we can log certain packets to different pflog virtual interfaces (pflogN). For example:
block log (to pflog0) on $ext_if all
It is possible to create multiple pflog interfaces with ifconfig and read it with tcpdump . The problem is that pflogd which reads from pflog interfaces and records it into logfiles can only record one pflog interface. (unless you start a pflogd instance manually and assign the interface to log without using the rc scripts, not quite elegant). I tried this setting in rc.conf but it doesn’t work:
pflog_flags="-i pflog0 -f /var/log/pf/ext_if.log -i pflog1 -f /var/log/pf/mgt_if.log"
The -i parameter specifies the interface to log from and the -f parameter specifies which file to log to.
After some hours of googling I finally seem to find a solution: http://www.freebsd.org/cgi/query-pr.cgi?pr=158171&cat=
Basically it just patches /etc/rc.d/pflogd so that the script can handle multiple pflogd instances.
There are some discussions in the mailing list saying that the patched script has some potential problem (syntax parsing, security, etc.). But as I tested, the main functionality does work, and I guess this is the best solution I can find.
I applied the patch to my pflogd script and the corresponding manpage (actually the patch utility throws me some errors that I don’t quite understand so I edit those files by hand). The ftp-proxy script seems to be another story so I didn’t look into it. (it has nothing to do with my problem)
Patch for /etc/rc.d/pflog: http://www.mediafire.com/file/2wn3r31hju5jfh3/pflog.patch
Modified /usr/share/man/man8/pflogd.8.gz: http://www.mediafire.com/file/2484bnc4msx6v42/pflogd.8.gz
And then the next problem for me is that, I don’t understand the manpage! After some guessing and trying and reading the script, I finally figured it out, below is part of my rc.conf:
pflog_enable="YES" # start pflogd(8)
pflog_instances="0 1"
pflog_0_dev="pflog0"
pflog_0_logfile="/var/log/pf/ext_if.log"
pflog_1_dev="pflog1"
pflog_1_logfile="/var/log/pf/mgt_if.log"
Next time you do # /etc/rc.d/pflog restart it’ll start logging 2 interfaces to 2 files!
Oh, I forgot to mention, I set this all up in FreeBSD 8.2.
