[FUG-BR] tcpdump and pflog0 with little data

Enio Marconcini eniorm em gmail.com
Saturday November 21 10:11:01 BRST 2009


2009/11/20 Giancarlo Rubio <gianrubio em gmail.com>

> post your whole pf.conf
>
> 2009/11/20 Enio Marconcini <eniorm em gmail.com>
>
> > 2009/11/20 Amim <octopusillusion em gmail.com>
> >
> > > If you debug the rule, can you actually see whether any packet is leaving
> > > through it?
> > >
> > > I believe you have a pass without LOG before that rule and that your
> > > packets are going out through there.
> > >
> > > --
> > > Amim
> > >
> > > 2009/11/20 Enio Marconcini <eniorm em gmail.com>
> > >
> > >> 2009/11/20 Giancarlo Rubio <gianrubio em gmail.com>
> > >>
> > >>
> > >> > Try adding at the end of your rules
> > >> > block log quick from any to any
> > >> >
> > >> > and change your initial block log all rule to just block
> > >> >
> > >> >
> > >> > 2
> > >> >
> > >> >
> > >> > --
> > >> > Giancarlo Rubio
> > >> > -------------------------
> > >> > Archive: http://www.fug.com.br/historico/html/freebsd/
> > >> > Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
> > >> >
> > >>
> > >> I did it that way, nothing either
> > >>
> > >> it only shows this
> > >>
> > >> tcpdump: WARNING: pflog0: no IPv4 address assigned
> > >> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > >> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 bytes
> > >> 000000 rule 12/0(match): pass out on re1: [|ip]
> > >> 000521 rule 44/0(match): block in on re1: [|ip]
> > >> 2. 201811 rule 44/0(match): block in on re1: [|ip]
> > >> 8. 363237 rule 44/0(match): block in on re1: [|ip]
> > >> 000108 rule 44/0(match): block in on re1: [|ip]
> > >> 000028 rule 44/0(match): block in on re1: [|ip]
> > >> 000006 rule 44/0(match): block in on re1: [|ip]
> > >> 30. 996715 rule 44/0(match): block in on re1: [|ip]
> > >> 000009 rule 44/0(match): block in on re1: [|ip]
> > >> 000021 rule 44/0(match): block in on re1: [|ip]
> > >> 000019 rule 44/0(match): block in on re1: [|ip]
> > >>
> > >>
> > >>
> > >> --
> > >>  ENIO RODRIGO MARCONCINI
> > >> gtalk: eniorm em gmail.com
> > >> skype: eniorm
> > >> msn: /dev/null
> > >>
> > >> > FreeBSD -:- OpenBSD -:-
> > >> > Cigarette Brand Collections
> > >> < Obi-Wan has taught you well....
> > >>
> > >
> > >
> >
> > the flow exists, but tcpdump apparently is displaying the data not
> > incorrectly, but with information missing
> >
> > 2009-11-20 13:46:19.567293 rule 0/0(match): block in on re1: [|ip]
> > 2009-11-20 13:46:19.567326 rule 0/0(match): block in on re1: [|ip]
> > 2009-11-20 13:46:28.971898 rule 31/0(match): pass in on re1: [|ip]
> > 2009-11-20 13:46:29.101700 rule 31/0(match): pass in on re1: [|ip]
> > 2009-11-20 13:46:41.066787 rule 31/0(match): pass in on re1: [|ip]
> > 2009-11-20 13:46:50.565130 rule 0/0(match): block in on re1: [|ip]
> > 2009-11-20 13:46:50.565222 rule 0/0(match): block in on re1: [|ip]
> > 2009-11-20 13:46:50.565241 rule 0/0(match): block in on re1: [|ip]
> > 2009-11-20 13:46:50.565259 rule 0/0(match): block in on re1: [|ip]
> > 2009-11-20 13:46:51.752977 rule 5/0(match): pass out on re1: [|ip]
> > 2009-11-20 13:46:51.753013 rule 30/0(match): pass in on re1: [|ip]
> > 2009-11-20 13:46:51.753765 rule 30/0(match): pass in on re1: [|ip]
> > 2009-11-20 13:46:56.595686 rule 30/0(match): pass in on re1: [|ip]
> >
> >
> > note that there are the block or pass records, normal for my rules, but
> > the lines do not show from where and to where (IP and port)
> >
> >
> >
> >
> >
>
>
>
>



ahhh, the strangest thing I noticed today

a tcpdump -ttt -n -e -r /var/log/pflog

shows the complete data:

2009-11-21 10:07:53.517997 rule 38/0(match): pass in on re1: 192.168.0.1.138 > 192.168.0.255.138: NBT UDP PACKET(138)
2009-11-21 10:07:53.518037 rule 37/0(match): pass in on re1: 192.168.0.3.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2009-11-21 10:07:53.518172 rule 37/0(match): pass in on re1: 192.168.0.5.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2009-11-21 10:08:15.398729 rule 38/0(match): pass in on re1: 192.168.0.41.138 > 192.168.0.255.138: NBT UDP PACKET(138)
2009-11-21 10:08:15.408985 rule 0/0(match): block in on re1: 192.168.0.3.631 > 255.255.255.255.631: UDP, length 165
2009-11-21 10:08:15.409070 rule 0/0(match): block in on re1: 192.168.0.3.631 > 192.168.0.255.631: UDP, length 161
2009-11-21 10:08:15.409088 rule 0/0(match): block in on re1: 192.168.0.3.631 > 192.168.0.255.631: UDP, length 161
2009-11-21 10:08:15.409107 rule 0/0(match): block in on re1: 192.168.0.3.631 > 192.168.0.255.631: UDP, length 165


-- 
ENIO RODRIGO MARCONCINI
gtalk: eniorm em gmail.com
skype: eniorm
msn: /dev/null

> FreeBSD -:- OpenBSD -:-
> Cigarette Brand Collections
< Obi-Wan has taught you well....
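Added example, not part of the thread or of any FreeBSD/tcpdump code: the two outputs above differ only in how many bytes of each packet were captured. A DLT_PFLOG frame starts with the 64-byte pfloghdr (layout taken from FreeBSD's if_pflog.h, rule number in network byte order), so the live capture's "capture size 68 bytes" leaves only 4 bytes of the IP header, which tcpdump prints as "[|ip]"; pflogd writes /var/log/pflog with its own default snaplen of 116 bytes, enough for the IPv4 and UDP headers. The script below builds a constructed sample frame modelled on the "rule 0/0(match): block in on re1" CUPS broadcast from the log, truncates it to each snaplen and decodes what survives. The uid/pid fields of the header are filled with placeholder values, and the optional pcap writer uses libpcap's link type 117 (LINKTYPE_PFLOG) so the file can be checked with tcpdump -n -e -r.

```python
import struct
import socket

PFLOG_HDRLEN = 64        # sizeof(struct pfloghdr) on FreeBSD/OpenBSD (61 bytes of fields + 3 pad)
AF_INET_BSD = 2
PF_PASS, PF_DROP = 0, 1  # pf action codes
PF_IN, PF_OUT = 1, 2     # pf direction codes
IPV4_HDRLEN = 20
UDP_HDRLEN = 8
LIVE_SNAPLEN = 68        # "capture size 68 bytes" from the thread (old tcpdump default)
PFLOGD_SNAPLEN = 116     # pflogd's default snaplen for /var/log/pflog


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Minimal IPv4+UDP datagram (UDP checksum 0, which IPv4 permits)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDRLEN + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDRLEN + len(udp), 0, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


def build_pflog_frame(ifname, action, direction, rulenr, packet):
    """DLT_PFLOG frame: pfloghdr followed by the IP packet. uid/pid fields are placeholders."""
    hdr = struct.pack("!BBBB16s16sIIIIIIB3x", 61, AF_INET_BSD, action, 0,
                      ifname.encode(), b"", rulenr, 0,
                      0xFFFFFFFF, 0, 0xFFFFFFFF, 0,   # uid, pid, rule_uid, rule_pid (unset)
                      direction)
    assert len(hdr) == PFLOG_HDRLEN
    return hdr + packet


def capture(frame, snaplen):
    """What BPF hands to tcpdump: at most snaplen bytes of the frame."""
    return frame[:snaplen]


def min_snaplen(ip_bytes_needed):
    """Snaplen required to see ip_bytes_needed bytes of the packet behind the pflog header."""
    return PFLOG_HDRLEN + ip_bytes_needed


def decode(captured):
    """Decode like tcpdump's pflog printer: header first, then IP only if enough bytes remain."""
    if len(captured) < PFLOG_HDRLEN:
        raise ValueError("truncated pflog header")
    _, _, action, _, ifname, _, rulenr, _ = struct.unpack_from("!BBBB16s16sII", captured, 0)
    direction = captured[60]
    out = {"rule": rulenr,
           "action": "pass" if action == PF_PASS else "block",
           "dir": "in" if direction == PF_IN else "out",
           "ifname": ifname.rstrip(b"\0").decode()}
    ip = captured[PFLOG_HDRLEN:]
    if len(ip) < IPV4_HDRLEN:
        out["packet"] = "[|ip]"            # tcpdump's marker for a truncated IP header
        return out
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if proto == 17 and len(ip) >= ihl + UDP_HDRLEN:
        sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + UDP_HDRLEN])
        out["packet"] = "%s.%d > %s.%d: UDP, length %d" % (src, sport, dst, dport, ulen - UDP_HDRLEN)
    else:
        out["packet"] = "%s > %s: proto %d" % (src, dst, proto)
    return out


def write_pcap(path, frames, snaplen):
    """Write frames as a pcap with link type 117 (LINKTYPE_PFLOG), truncated to snaplen."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 117))
        for i, fr in enumerate(frames):
            cap = capture(fr, snaplen)
            f.write(struct.pack("<IIII", 1258812495 + i, 0, len(cap), len(fr)) + cap)


# Constructed sample frame modelled on the blocked CUPS broadcast in the log (161-byte UDP payload).
SAMPLE_FRAME = build_pflog_frame("re1", PF_DROP, PF_IN, 0,
                                 build_ipv4_udp("192.168.0.3", "192.168.0.255", 631, 631, b"\0" * 161))

if __name__ == "__main__":
    for snaplen in (LIVE_SNAPLEN, PFLOGD_SNAPLEN):
        d = decode(capture(SAMPLE_FRAME, snaplen))
        print("snaplen %3d: rule %d/0(match): %s %s on %s: %s"
              % (snaplen, d["rule"], d["action"], d["dir"], d["ifname"], d["packet"]))
    write_pcap("pflog-sample.pcap", [SAMPLE_FRAME], PFLOGD_SNAPLEN)
```

With tcpdump the snaplen is set with -s, so a live capture such as tcpdump -n -e -ttt -s 0 -i pflog0 (or -s 116 to match pflogd) sees the same fields the log file shows; the pcap written by the script can be inspected with tcpdump -n -e -r pflog-sample.pcap to confirm the decoding.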


More information about the freebsd mailing list