> https://man.openbsd.org/pflow.4
> On Wed, Mar 28, 2018 at 4:03 PM, 3 <babut@yandex.ru> wrote:
>> On 03/28/18 15:04, 3 wrote:
>>> hi guys. when the pflow option first appeared, i was surprised by the
>>> stupidity of those who implemented it - pflow could not be specified
>>> for block-rules, i.e. dropped packets were not taken into account. as
>> hm. you've suffered nine years of this stupidity of others but have not
>> been able to add labels to your block rules?
>> Just as an experiment I added labels to the block rules on my
>> most-easily-reachable-from-here gateway, as in
>> block log (all) label blockgen
>> block drop log (all) quick from <portalbrutes> label portalbrutes
>> block drop log (all) quick from <abusives> label abusives
>> block drop log (all) quick from <webtrash> label webtrash
>> block drop log (all) quick from <bruteforce> label bruteforce
>> block drop log (all) quick from <longterm> label longterm
>> block in log (all) on ! lo0 proto tcp to port 6000:6010 label remotex11
>> and voila, pfctl -sl gives me after a few minutes
>> [Wed Mar 28 16:15:29] peter@skapet:~$ sudo pfctl -vsl
>> blockgen 3739 452 19856 448 19664 4 192 0
>> portalbrutes 3739 0 0 0 0 0 0 0
>> abusives 3739 301 14681 301 14681 0 0 0
>> webtrash 3438 0 0 0 0 0 0 0
>> bruteforce 3438 0 0 0 0 0 0 0
>> longterm 3438 0 0 0 0 0 0 0
>> remotex11 3438 0 0 0 0 0 0 0
>> man pf.conf is your friend, please consult there before letting
>> resentment stew for years next time, huh?
> maybe I'm so dumb and blind to see pflow here.. and maybe deal not in
> me. where is pflow?
continue your thought. we have the output of the pfctl -vsl command,
which in this form is useless, since the output is needed in the
netflow format. there is a man pflow - one piece (it's not clear why we
need it if we abandoned the pflow and went to the output of pfctl
-vsl). how do we cook a netflow stream from this?
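An added example, not written by anyone in this thread: the `pfctl -vsl` counters quoted above are cumulative per label, so accounting for blocked traffic means parsing them and differencing two snapshots. The sketch below does that and does not emit NetFlow. It assumes the column order documented in pfctl(8) (evaluations, packets, bytes, packets in, bytes in, packets out, bytes out, state creations); `LabelStats`, `parse_labels` and `delta` are illustrative names, and the second snapshot is constructed sample data.

```python
from typing import Dict, NamedTuple

class LabelStats(NamedTuple):
    # Column order after the label in `pfctl -vsl` output, per pfctl(8)
    evaluations: int
    packets: int
    octets: int
    packets_in: int
    octets_in: int
    packets_out: int
    octets_out: int
    states: int

def parse_labels(text: str) -> Dict[str, LabelStats]:
    """Parse `pfctl -vsl` output; rules sharing a label are summed."""
    stats: Dict[str, LabelStats] = {}
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 8)  # a label may contain spaces
        if len(parts) != 9:
            continue                          # shell prompt, blank line
        try:
            row = LabelStats(*(int(p) for p in parts[1:]))
        except ValueError:
            continue
        if (row.packets != row.packets_in + row.packets_out
                or row.octets != row.octets_in + row.octets_out):
            raise ValueError(f"inconsistent counters for {parts[0]!r}")
        old = stats.get(parts[0])
        stats[parts[0]] = LabelStats(*(a + b for a, b in zip(old, row))) if old else row
    return stats

def delta(prev: Dict[str, LabelStats], cur: Dict[str, LabelStats]) -> Dict[str, LabelStats]:
    """Per-label increase between two snapshots of cumulative counters."""
    out = {}
    for label, now in cur.items():
        before = prev.get(label)
        if before is None or any(n < b for n, b in zip(now, before)):
            out[label] = now  # new label, or counters reset (reload, pfctl -z)
        else:
            out[label] = LabelStats(*(n - b for n, b in zip(now, before)))
    return out

# SNAP1: three rows as posted in the thread. SNAP2: constructed later snapshot.
SNAP1 = """blockgen 3739 452 19856 448 19664 4 192 0
abusives 3739 301 14681 301 14681 0 0 0
remotex11 3438 0 0 0 0 0 0 0"""
SNAP2 = """blockgen 4100 470 20720 465 20480 5 240 0
abusives 4100 310 15113 310 15113 0 0 0
remotex11 3799 0 0 0 0 0 0 0"""
```
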