-rw-r--r-- | etc/defaults/rc.conf | 4 | ||||
-rw-r--r-- | etc/newsyslog.conf | 2 | ||||
-rwxr-xr-x | etc/rc.d/Makefile | 2 | ||||
-rw-r--r-- | etc/rc.d/pf | 2 | ||||
-rw-r--r-- | etc/rc.d/pflog | 85 | ||||
-rw-r--r-- | share/man/man5/rc.conf.5 | 39 |
6 files changed, 132 insertions, 2 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index b608858..0e5f10b 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -107,6 +107,10 @@ pf_enable="NO" # Set to YES to enable packet filter (pf)
 pf_rules="/etc/pf.conf" # rules definition file for pf
 pf_program="/sbin/pfctl" # where the pfctl program lives
 pf_flags="" # additional flags for pfctl
+pflog_enable="NO" # Set to YES to enable packet filter logging
+pflog_logfile="/var/log/pflog" # where pflogd shoule store the logfile
+pflog_program="/sbin/pflogd" # where the pflogd program lives
+pflog_flags="" # additional flags for pflogd
 tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
 log_in_vain="0" # >=1 to log connects to ports w/o listeners.
 tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
diff --git a/etc/newsyslog.conf b/etc/newsyslog.conf
index c5b65d8..75ba197 100644
--- a/etc/newsyslog.conf
+++ b/etc/newsyslog.conf
@@ -36,3 +36,5 @@
 /var/log/weekly.log 640 5 1 $W6D0 JN
 /var/log/wtmp 644 3 * @01T05 B
 /var/log/xferlog 600 7 100 * J
+# pflogd sample entry
+#/var/log/pflog 600 3 100 * JB /var/run/pflogd.pid
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 2e087a8..852cf12 100755
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -25,7 +25,7 @@ FILES= DAEMON LOGIN NETWORKING SERVERS \
 network_ipv6 nfsclient nfsd \
 nfslocking nfsserver nisdomain ntpd ntpdate \
 othermta \
- pccard pcvt pf power_profile ppp-user pppoed pwcheck \
+ pccard pcvt pf pflog power_profile ppp-user pppoed pwcheck \
 quota \
 random rarpd rcconf.sh resolv root \
 route6d routed routing rpcbind rtadvd rwho \
diff --git a/etc/rc.d/pf b/etc/rc.d/pf
index f8fabd0..c2f387b 100644
--- a/etc/rc.d/pf
+++ b/etc/rc.d/pf
@@ -4,7 +4,7 @@
 #
 # PROVIDE: pf
-# REQUIRE: root beforenetlkm mountcritlocal netif
+# REQUIRE: root beforenetlkm mountcritlocal netif pflog
 # BEFORE: DAEMON LOGIN
 # KEYWORD: FreeBSD nojail
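Review bot: The comment on the new `pflog_logfile` default in etc/defaults/rc.conf carries a typo, "shoule"; the line should read `pflog_logfile="/var/log/pflog" # where pflogd should store the logfile`. The newsyslog.conf sample entry and the new etc/rc.d/pflog script both spell out /var/run/pflogd.pid literally, so if that path ever changes the two have to be updated together; a short comment next to the sample entry saying the path must match the one the pflog rc script reads would make that coupling visible.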
diff --git a/etc/rc.d/pflog b/etc/rc.d/pflog
new file mode 100644
index 0000000..3a40525
--- /dev/null
+++ b/etc/rc.d/pflog
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: pflog
+# REQUIRE: root beforenetlkm mountcritlocal netif
+# BEFORE: DAEMON LOGIN
+# KEYWORD: FreeBSD nojail
+
+. /etc/rc.subr
+
+name="pflog"
+rcvar=`set_rcvar`
+load_rc_config $name
+stop_precmd="test -x ${pflog_program}"
+start_precmd="pflog_prestart"
+start_cmd="pflog_start"
+stop_cmd="pflog_stop"
+resync_precmd="$stop_precmd"
+resync_cmd="pflog_resync"
+status_precmd="$stop_precmd"
+status_cmd="pflog_status"
+extra_commands="resync status"
+
+pflog_prestart()
+{
+ # load pflog kernel module if needed
+ if ! kldstat -v | grep -q pflog\$; then
+ if kldload pflog; then
+ info 'pflog module loaded.'
+ else
+ err 1 'pflog module failed to load.'
+ fi
+ fi
+
+ # set pflog0 interface to up state
+ if ! ifconfig pflog0 up; then
+ warn 'pflog: COULD NOT SET UP pflog0'
+ fi
+
+ # check for pf rules
+ if [ ! -x "${pflog_program:-/sbin/pflogd}" ]
+ then
+ warn 'pflog: NO PFLOGD BINARY FOUND'
+ return 1
+ fi
+}
+
+pflog_start()
+{
+ echo -n "Enabling pflogd"
+ if ! ${pflog_program:-/sbin/pflogd} ${pflog_flags} \
+ -f ${pflog_logfile:-/var/log/pflog}; then
+ echo " failed!"
+ else
+ echo "."
+ fi
+}
+
+pflog_stop()
+{
+ if [ -r /var/run/pflogd.pid ]; then
+ echo "Stopping pflogd."
+ kill `cat /var/run/pflogd.pid`
+ fi
+}
+
+pflog_resync()
+{
+ if [ -r /var/run/pflogd.pid ]; then
+ kill -SIGHUP `cat /var/run/pflogd.pid`
+ fi
+}
+
+pflog_status()
+{
+ if [ -r /var/run/pflogd.pid ]; then
+ ps -p `cat /var/run/pflogd.pid` | tail -n 1
+ else
+ echo 'pflogd not running.'
+ fi
+}
+
+run_rc_command "$1"
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 5957c3b..0430a5a 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
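Review bot: pflog_stop, pflog_resync and pflog_status hand the raw content of /var/run/pflogd.pid to kill and ps through command substitution without checking that it is a single pid, so an empty or truncated pid file turns `kill \`cat /var/run/pflogd.pid\`` into a bare `kill` (a usage error) and any other non-numeric content reaches kill unvalidated. Reading the file once in a small helper that accepts only digits keeps the three functions consistent and makes the stop path predictable; rc.subr's own `pidfile` variable with `check_pidfile` would be the framework's way to get the same validation, if the script is meant to lean on it. The comment `# check for pf rules` in pflog_prestart describes the wrong check, since that block tests the pflogd binary; `# check for the pflogd binary` is what the code does. `stop_precmd="test -x ${pflog_program}"` also lacks the `/sbin/pflogd` fallback that pflog_prestart and pflog_start use, which only matters if pflog_program is ever unset, but `test -x "${pflog_program:-/sbin/pflogd}"` would remove the inconsistency.

```sh
# … unchanged: rc.subr header, variable setup, pflog_prestart, pflog_start …

# Print the pid stored in /var/run/pflogd.pid, or fail if the file is
# missing or does not hold a plain number, so callers never pass an
# empty or malformed argument to kill/ps.
pflog_pid()
{
	[ -r /var/run/pflogd.pid ] || return 1
	read -r pid < /var/run/pflogd.pid || return 1
	case "$pid" in
	''|*[!0-9]*) warn 'pflog: malformed /var/run/pflogd.pid'; return 1 ;;
	esac
	echo "$pid"
}

pflog_stop()
{
	pid=$(pflog_pid) || return 0
	echo "Stopping pflogd."
	kill "$pid"
}

# … unchanged: pflog_resync and pflog_status, each using "$(pflog_pid)" the same way …
```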
@@ -718,6 +718,44 @@ is set to
 these flags are passed to the
 .Xr pfctl 8
 program when loading the ruleset.
+.It Va pflog_enable
+.Pq Vt bool
+Set to
+.Dq Li NO
+by default.
+Setting this to
+.Dq Li YES
+enables
+.Xr pflogd 8
+which logs packtes from the
+.Xr pf 4
+packet filter.
+.It Va pflog_logfile
+.Pq Vt str
+If
+.Va pflog_enable
+is set to
+.Dq Li YES
+this controls where
+.Xr pflogd 8
+stores the logfile.
+(default
+.Pa /var/log/pflog ) .
+Check
+.Pa /etc/newsyslog.conf
+to enable logfile rotation for this.
+.It Va pflog_program
+.Pq Vt str
+Path to
+.Xr pflogd 8
+(default
+.Pa /sbin/pflogd ) .
+.It Va pflog_flags
+.Pq Vt str
+Empty by default.
+This variable contains additional flags passed to the
+.Xr pflogd 8
+program.
 .It Va tcp_extensions
 .Pq Vt bool
 Set to
@@ -2910,6 +2948,7 @@ sessions.
 .Xr udp 4 ,
 .Xr exports 5 ,
 .Xr motd 5 ,
+.Xr newsyslog.conf 5 ,
 .Xr accton 8 ,
 .Xr amd 8 ,
 .Xr apm 8 ,
|