Re: VPN client cannot connect through OpenBSD router/firewall
On Tue, Jan 18, 2005 at 09:56:03AM -0600, Rick Barter wrote:
> Why would I not see the dropped packets in my log file (pflog0).
in this case i think you would. i looked back at the original
pf.conf you posted that the other fellow replied to and the
'block all' didn't have the "$log_flg" in it (cute idea, btw)...
is it possible that you weren't seeing them before, but added
the $log_flg to this pf.conf after the problem?
eg - with 'block $log_flg all', are you seeing any currently
happening filtering problems show up in the log, or currently
experiencing filtering problems which are not showing in the log?
if problems w/o log evidence, there has to be another matching rule
(likely before one of your quicks) which doesn't log. as long as
pf is enabled, 'block $log_flg all' will apply to every interface that pf has
jurisdiction over ( which is what... all of them? :P ). as long as that
is the first filter rule, you ensure that unless you have later
matching rules which act upon a packet (either pass or block),
each packet pf can see will both be logged and blocked.
> Should I be setting pflog0 as my loginterface instead of fxp0?
nope, 'loginterface' is for the interface pf collects
operational statistics on ( eg pfctl -si ). i believe
the interface name and number, pflog0, are hardcoded.
then pflogd(8) listens to pflog0 and redirects that
down into /var/log/pflog ( by default ).
[ openbsd 3.6 GENERIC ( dec 11 ) // i386 ]
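The ordering point made in the reply above (a logging default deny first in the filter list, and no silent non-logging block in front of it), laid out as a minimal pf.conf. This is an added example, not a ruleset from the thread or from the OpenBSD project; the interface names, the LAN range, the VPN server address and the VPN ports (IKE on udp/500 plus ESP, as for a typical IPsec client) are all assumptions to be replaced with the real values.

```pf
# Added example (not from the thread): OpenBSD 3.6-era pf.conf showing
# where a logging default deny belongs and how a silent 'quick' block in
# front of it hides drops from pflog0. All addresses/ports are assumptions.

ext_if  = "fxp0"
int_if  = "fxp1"
lan     = "192.168.1.0/24"
vpn_srv = "203.0.113.10"     # placeholder VPN server (TEST-NET-3 address)

# One place to switch logging of the default deny on or off ("" = off).
log_flg = "log"

# Only selects the interface whose counters 'pfctl -si' reports;
# it has nothing to do with where logged packets go (that is pflog0).
set loginterface $ext_if

scrub in all

nat on $ext_if from $lan to any -> ($ext_if)

# WEAK ORDERING (what the reply warns about): a non-logging 'quick' block
# placed before the default deny. Packets it drops never reach pflog0,
# so the log stays empty while the VPN client keeps failing.
#block in quick on $ext_if proto esp
#block in quick on $ext_if proto udp from any to any port 500

# Default deny, first filter rule, always logged: every packet that no
# later rule matches is both dropped and written to pflog0.
block $log_flg all

# If a dedicated early block is wanted, carry the same flag so that every
# drop leaves a trace in pflog0 instead of vanishing silently.
block $log_flg in quick on $ext_if proto tcp from any to $ext_if port 23

# Assumed IPsec client on the LAN: IKE (udp/500) out, ESP both ways.
pass out quick on $ext_if proto udp from $ext_if to $vpn_srv port 500 keep state
pass out quick on $ext_if proto esp from $ext_if to $vpn_srv
pass in  quick on $ext_if proto esp from $vpn_srv to $ext_if

pass quick on lo0 all
pass in  quick on $int_if from $lan to any keep state
pass out quick on $ext_if from $ext_if to any keep state
```

To confirm the ruleset actually evaluates in this order, load it with `pfctl -f /etc/pf.conf` and list it with `pfctl -sr` (`pfctl -vsr` adds per-rule evaluation and packet counters, which shows which rule is eating the VPN traffic). Drops are then visible live with `tcpdump -n -e -ttt -i pflog0`, and after the fact with `tcpdump -n -e -ttt -r /var/log/pflog`; the `-e` flag prints the rule number and action for each logged packet, so a drop caused by a rule other than the default deny is immediately identifiable.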