Fancy Stuff: Logging
There are several things you need to do if you'd like to view your firewall logs. First, make sure that you've chosen the Logging On Action in at least one of your firewall rules.
Hint: choose wisely when deciding which rules to log; if you log everything, you will have to wade through very large logfiles! If you only want to log when you think there is a problem--for example, one of your applications doesn't seem to work through the firewall--enable logging temporarily for your internet access rule until you've figured out the problem.
Next, make sure that you have the pflog kernel module loaded:

# kldstat | grep pflog
 7    1 0xc52d4000 2000     pflog.ko

If you see this, pflog is good to go. If you only get your prompt back, load the module:
# kldload pflog
... and add these lines to /etc/rc.conf to reload the module at boot time:
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
If that logfile doesn't already exist, create it:
# touch /var/log/pflog
You should now be able to start pflog:

# /etc/rc.d/pflog start
Starting pflog.
# /etc/rc.d/pflog status
pflog is running as pid 95363.
The logfile that this creates is not a text file, meaning you can't read it directly or use a utility such as tail -f to watch the log. Instead, read it with tcpdump:

# tcpdump -n -e -ttt -r /var/log/pflog
To view the file as it grows, use:
# tcpdump -n -e -ttt -i pflog0
Admittedly, those are some pretty long commands just to view a log. This is an excellent time to create some key bindings. These bindings work from a terminal, so I run them from Alt-F2 instead of the GUI. The first command will bind Ctrl-L to the command that reads the logfile, and the second command will bind Ctrl-g to the command that watches the log as it grows:

# bindkey -s "^L" "tcpdump -n -e -ttt -r /var/log/pflog"
# bindkey -s "^g" "tcpdump -n -e -ttt -i pflog0"
I find that pressing Ctrl-g is much quicker. If you prefer to have your bindings work in your GUI, install and configure
Hint: BSD Hacks has more directions for creating shell, terminal, and GUI bindings.
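The tcpdump commands above print one line per logged packet, which gets tedious on a busy firewall. As an added example (not from the article), here is a small sh/awk function that reads that tcpdump output and counts blocked packets per source address and destination port, busiest first, so you can spot a noisy source at a glance. The sample lines are constructed here to mirror the format tcpdump prints for pflog entries; on a live system you would feed it the output of tcpdump -n -e -ttt -r /var/log/pflog.

```shell
#!/bin/sh
# Added example: summarise "block" entries from tcpdump's pflog output.
# Constructed sample of what "tcpdump -n -e -ttt -r /var/log/pflog" prints
# (timestamp, rule number, action, direction, interface, src > dst, flags).
SAMPLE_LOG='00:00:00.000000 rule 3/0(match): block in on fxp0: 203.0.113.9.40123 > 192.0.2.10.22: S 1:1(0) win 65535
00:00:01.250000 rule 3/0(match): block in on fxp0: 203.0.113.9.40124 > 192.0.2.10.22: S 1:1(0) win 65535
00:00:02.100000 rule 5/0(match): pass out on fxp0: 192.0.2.10.51000 > 198.51.100.4.80: S 1:1(0) win 65535
00:00:03.000000 rule 3/0(match): block in on fxp0: 198.51.100.77.33001 > 192.0.2.10.23: S 1:1(0) win 65535
00:00:04.000000 rule 3/0(match): block in on fxp0: 203.0.113.9.40125 > 192.0.2.10.22: S 1:1(0) win 65535'

# summarize_blocks: read tcpdump pflog lines on stdin and print
# "<count> <src-ip> -> port <dst-port>" for every blocked flow, busiest first.
summarize_blocks() {
    awk '
        # Only count entries that pf logged with the "block" action.
        $4 == "block" {
            src = $8; dst = $10
            sub(/:$/, "", dst)                 # drop the trailing colon after the destination
            split(src, s, ".")                 # "a.b.c.d.port" -> address is the first four pieces
            srcip = s[1] "." s[2] "." s[3] "." s[4]
            m = split(dst, d, ".")             # destination port is the last dotted piece
            dport = d[m]
            count[srcip " -> port " dport]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# top_blocked_source: the single source address with the most blocked packets.
top_blocked_source() {
    summarize_blocks | head -n 1 | awk '{print $2}'
}

# Run over the constructed sample; on a firewall replace the printf with:
#   tcpdump -n -e -ttt -r /var/log/pflog | summarize_blocks
printf '%s\n' "$SAMPLE_LOG" | summarize_blocks
```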
Fancier Stuff: Advanced Logging
Even with key bindings, tcpdump can still be a little inconvenient; it displays your log entries in pure text. There currently aren't any GUI pflog entry readers, but you can hack an HTML equivalent that will allow you to view your logs in a browser. Start by installing the pflogx port:

# cd /usr/ports/sysutils/pflogx
# make install
Note that I've chosen to install the port, not the binary package, and that I didn't pass the clean target to make. This is because I want to use an .xsl file that doesn't come with the package, and make clean would delete it. Also, during the install, you'll see a menu asking if you want to use Expat; selecting this option will give you the ability to merge logfiles.
Once installed, check out the installed .xsl files:
# ls pflogx/work/xsl
export_csv.xsl    export_xhtml.xsl    last_date.xsl
export_html.xsl   first_date.xsl
The /usr/local/share/doc/pflogx/README holds directions for using pflogx and descriptions of each .xsl file.
Here is an example to get you started. Using the logfile as input (-i), create an XML file as output (-o):

# pflogx -i /var/log/pflog -o ~/log.xml
Copy export_html.xsl to your home directory:
# cp /usr/ports/sysutils/pflogx/work/pflogx/xsl/export_html.xsl ~
Open ~/log.xml in your favourite text editor. The first line should say:
<?xml version="1.0" encoding="UTF-8"?>
Right after that line, add:
<?xml-stylesheet type="text/xsl" href="export_html.xsl"?>
After you save your change, type the full path to log.xml into your browser. You should see something like Figure 3.
I've barely scratched the surface of pf's features. More advanced users can explore how to integrate these features into fwbuilder. Here is some reading material to get you started:

If you right-click your firewall object and choose Edit, then Firewall Settings, you'll find many interesting tunables. If you wish to implement some pf features not currently supported by fwbuilder, such as carp, experiment with adding the required lines to the Prolog/Epilog tab.
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.