Command line.



  • Is it possible to view blocked traffic via command line? pfTop is available but I cannot see a way of viewing the blocked traffic.

    I just thought this may be useful for generating blacklists etc. whilst also being interested as to who the offending IPs are.

    Any ideas

    Regards

    Sam



  • something like:
    pfctl -s rules -v | more
    might be helpful. Complete options should be here: http://www.freebsd.org/cgi/man.cgi?query=pfctl&manpath=FreeBSD+7.0-RELEASE
    It might be easier to log the rule you are interested in and use the gui or syslogs.


  • Rebel Alliance Developer Netgate

    You can "tail" the filter log on the command line, which should show blocked packets, like so:

    clog -f /var/log/filter.log
    

    Be aware that this will first print the entire contents of the log and then follow it, much like tail -f.



  • Many thanks for the reply jimp,

    It works but do you know a way of just viewing the IP addresses? The file moves pretty quickly and it would be nice to have a list of offending IP addresses to take appropriate action against.

    Any ideas?

    Thanks everybody for the help so far.



  • Did you take a look at Status/System Logs/Firewall?  This file is also available 'in the raw' somewhere, I'm not sure the path though…perhaps someone can enlighten us.  Sounds like you might also be interested in the Snort package.


  • Rebel Alliance Developer Netgate

    The filter log is the raw log, there is no parsed copy that is kept anywhere.

    You'd have to pass the log through some kind of filtering/parsing program to show only the IP addresses. Not sure if there is anything out there that will do it, but someone might be able to work up some perl or sed/awk mojo to get it done.
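    An added example of the sed/awk approach jimp mentions (this is not from the thread or the pfSense project): it assumes the log lines follow the tcpdump-style pflog text format of that era ("rule N/0(match): block in on IF: src.port > dst.port") and runs on constructed sample lines.

```shell
#!/bin/sh
# Added example, not pfSense code. Pulls the source addresses of blocked
# packets out of pf filter log lines and counts how often each appears.
# ASSUMPTION: lines look like
#   "... rule 12/0(match): block in on em0: 203.0.113.5.4433 > 192.0.2.10.22: ..."
# (tcpdump-style pflog output as written to /var/log/filter.log via syslog).

# Constructed sample log lines for offline testing; not real traffic.
SAMPLE_LOG='Mar  1 10:00:01 fw pf: 123456 rule 12/0(match): block in on em0: 203.0.113.5.4433 > 192.0.2.10.22: S 1:1(0) win 65535
Mar  1 10:00:02 fw pf: 234567 rule 12/0(match): block in on em0: 203.0.113.5.4434 > 192.0.2.10.23: S 1:1(0) win 65535
Mar  1 10:00:03 fw pf: 345678 rule 3/0(match): pass in on em0: 198.51.100.7.51000 > 192.0.2.10.80: S 1:1(0) win 65535
Mar  1 10:00:04 fw pf: 456789 rule 12/0(match): block in on em0: 198.51.100.9 > 192.0.2.10: icmp: echo request'

# blocked_sources: read log lines on stdin, print "count ip" for every
# source address seen in a "block in" line, most frequent first.
# Only "block in" lines are considered; "pass" lines are ignored.
blocked_sources() {
  awk '
    /\(match\): block in on/ {
      # the token just before ">" is "src.port" (TCP/UDP) or bare "src" (ICMP)
      for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); break }
      # strip the trailing ".port": an IPv4 address has exactly four parts
      n = split(src, a, ".")
      if (n == 5) src = a[1] "." a[2] "." a[3] "." a[4]
      count[src]++
    }
    END { for (s in count) print count[s], s }
  ' | sort -rn
}

# Offline run over the constructed sample. On the firewall itself the same
# function could read a finished log, e.g. clog /var/log/filter.log | blocked_sources
printf '%s\n' "$SAMPLE_LOG" | blocked_sources
```

    Because of the final sort the summary is only printed once the input ends, so for a live view behind clog -f drop the sort and print inside the awk block instead.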



  • Thanks jimp,

    I think I'm barking up the wrong tree and there must be tools available for log analysis. It would have been nice to have a basic command line real time log to view the baddies. I would then just add them once in a while to the block list. Alternatively I'm sure there is somewhere on the internet that lists prone spammers etc.

    I will continue my journey.

    I would think that snort needed installing on a separate machine and the use of snort2pfsense implemented. To be honest the chances of me getting that all working at the moment are fairly slim. My time is limited and my knowledge of Linux skills is also not brilliant but I am learning slowly but surely.

    http://www.bellera.cat/josep/snort2pfsense/

    Cheers

    Sam


  • Rebel Alliance Developer Netgate

    With my recent changes to the dashboard it was actually fairly trivial to write a CLI log parser. It just reads from STDIN and uses the existing log parsing functions.

    I'll see if I can get it polished up and into the next dashboard package. It may not really belong there, per se, but since it requires changes I just made, it may be unavoidable.

    Be on the lookout for dashboard-0.7.4 on the package list by the end of the weekend.



  • Many thanks jimp,

    I'm not entirely sure what the dashboard is for but any further help with this subject would be appreciated. Forgive my ignorance, I looked up the dashboard under packages and could not find any info on it.

    Regards

    Sam


  • Rebel Alliance Developer Netgate

    The dashboard package replaces the main page of the pfSense router with a fancier version that has customizable widgets. There are widgets that show system information, traffic graphs, firewall logs, interface status, service status, and more.

    For a while the filter log part of the dashboard was broken, and I made some changes to the code that fixed it. As a part of those changes, I also added the command line parser I mentioned.

    The version with the CLI parser should be online now, I posted it late Saturday night.

