| field | value | date |
|---|---|---|
| author | mlaier <mlaier@FreeBSD.org> | 2007-07-03 12:30:03 +0000 |
| committer | mlaier <mlaier@FreeBSD.org> | 2007-07-03 12:30:03 +0000 |
| commit | edb0b6417988e1d0a2c39481b4ca6c7c2005ed9e (patch) | |
| tree | c0024fcd4a5dafb6f9b2cf493310b65dbd5df8e6 /contrib/pf/pflogd/pflogd.8 | |
| parent | d1f1f8d084d2091974a8e980ff26076ab5252319 (diff) | |
Commit resolved import of OpenBSD 4.1 pf userland from perforce.
Approved by: re (kensmith)
Diffstat (limited to 'contrib/pf/pflogd/pflogd.8')
-rw-r--r-- | contrib/pf/pflogd/pflogd.8 | 44 |
1 files changed, 35 insertions, 9 deletions
diff --git a/contrib/pf/pflogd/pflogd.8 b/contrib/pf/pflogd/pflogd.8 index 0eef77b..22643fc 100644 --- a/contrib/pf/pflogd/pflogd.8 +++ b/contrib/pf/pflogd/pflogd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pflogd.8,v 1.25 2005/01/02 18:15:02 jmc Exp $ +.\" $OpenBSD: pflogd.8,v 1.32 2006/12/08 10:26:38 joel Exp $ .\" .\" Copyright (c) 2001 Can Erkin Acar. All rights reserved. .\" @@ -37,14 +37,17 @@ .Op Fl Dx .Op Fl d Ar delay .Op Fl f Ar filename +.Op Fl i Ar interface .Op Fl s Ar snaplen .Op Ar expression .Sh DESCRIPTION .Nm is a background daemon which reads packets logged by .Xr pf 4 -to the packet logging interface -.Pa pflog0 +to a +.Xr pflog 4 +interface, normally +.Pa pflog0 , and writes the packets to a logfile (normally .Pa /var/log/pflog ) in @@ -83,7 +86,9 @@ temporarily uses the old snaplen to keep the log file consistent. tries to preserve the integrity of the log file against I/O errors. Furthermore, integrity of an existing log file is verified before appending. -If there is an invalid log file or an I/O error, logging is suspended until a +If there is an invalid log file or an I/O error, the log file is moved +out of the way and a new one is created. +If a new file cannot be created, logging is suspended until a .Dv SIGHUP or a .Dv SIGALRM @@ -103,11 +108,19 @@ If not specified, the default is 60 seconds. Log output filename. Default is .Pa /var/log/pflog . +.It Fl i Ar interface +Specifies the +.Xr pflog 4 +interface to use. +By default, +.Nm +will use +.Ar pflog0 . .It Fl s Ar snaplen Analyze at most the first .Ar snaplen -bytes of data from each packet rather than the default of 96. -The default of 96 is adequate for IP, ICMP, TCP, and UDP headers but may +bytes of data from each packet rather than the default of 116. +The default of 116 is adequate for IP, ICMP, TCP, and UDP headers but may truncate protocol information for other protocols. Other file parsers may desire a higher snaplen. .It Fl x 
@@ -131,6 +144,13 @@ Log specific tcp packets to a different log file with a large snaplen # pflogd -s 1600 -f suspicious.log port 80 and host evilhost .Ed .Pp +Log from another +.Xr pflog 4 +interface, excluding specific packets: +.Bd -literal -offset indent +# pflogd -i pflog3 -f network3.log "not (tcp and port 23)" +.Ed +.Pp Display binary logs: .Bd -literal -offset indent # tcpdump -n -e -ttt -r /var/log/pflog @@ -150,7 +170,7 @@ Tcpdump can restrict the output to packets logged on a specified interface, a rule number, a reason, a direction, an IP family or an action. .Pp -.Bl -tag -width "reason match " -compact +.Bl -tag -width "ruleset authpf " -compact .It ip Address family equals IPv4. .It ip6 @@ -159,12 +179,16 @@ Address family equals IPv6. Interface name equals "kue0". .It on kue0 Interface name equals "kue0". +.It ruleset authpf +Ruleset name equals "authpf". .It rulenum 10 Rule number equals 10. .It reason match Reason equals match. Also accepts "bad-offset", "fragment", "bad-timestamp", "short", -"normalize" and "memory". +"normalize", "memory", "congestion", "ip-option", "proto-cksum", +"state-mismatch", "state-insert", "state-limit", "src-limit", +and "synproxy". .It action pass Action equals pass. Also accepts "block". @@ -192,4 +216,6 @@ The command appeared in .Ox 3.0 . .Sh AUTHORS -Can Erkin Acar +.Nm +was written by +.An Can Erkin Acar Aq canacar@openbsd.org . |
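Review bot: the new wording in the "@@ -83,7 +86,9 @@" hunk ("the log file is moved out of the way and a new one is created") does not say what name the displaced file gets or whether the event is reported, and that is exactly what an operator or incident responder needs when the firewall log is suddenly replaced: an invalid or unwritable pflog can be the first sign of tampering or disk trouble. Suggest adding one sentence naming the renamed file (or pointing at the FILES section if it is documented there) and stating how the condition is reported, so the old data can be located and examined rather than silently left beside the new log.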
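Review bot: inconsistent mdoc markup for the same literal interface name in the "@@ -103,11 +108,19 @@" hunk: the new ".It Fl i Ar interface" text ends with ".Ar pflog0 ." while the DESCRIPTION change in the earlier hunk uses ".Pa pflog0 ,". ".Ar" marks a placeholder argument, but "pflog0" here is the concrete default value, so it should use the same macro as the DESCRIPTION (".Pa pflog0 ." in this file's convention) to render consistently.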
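Review bot: the added example in the "@@ -131,6 +144,13 @@" hunk ("# pflogd -i pflog3 -f network3.log ...") only works if pflog3 exists and pf rules are actually logging to it, which the manual does not say; a reader who copies it gets a daemon that records nothing. Suggest a short lead-in such as "Log from another pflog(4) interface (see pf.conf(5) for directing rules to it), excluding specific packets:" so the dependency is visible.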