pflog interface allows userspace applications to receive
PF's logging data from the kernel.
If PF is enabled when the system is booted, the
pflogd(8) daemon is started.
By default, pflogd listens on the
pflog0 interface and writes
all logged data to the
log keyword must
log keyword causes all packets that match the rule to be
In the case where the rule is creating state,
only the first packet seen (the one that causes the state to be created) will
The options that can be given to the
log keyword are:
pflog0 is created automatically.
log keyword; multiple
options can be separated by a comma or space.
pass in log (all, to pflog1) on egress inet proto tcp to egress port 22
To view the log file:
# tcpdump -n -e -ttt -r /var/log/pflogNote that using tcpdump to watch the pflog file does not give a real-time display. A real-time display of logged packets is achieved by using the
# tcpdump -n -e -ttt -i pflog0When examining the logs, special care should be taken with tcpdump's verbose protocol decoding (activated via the
-v command line option).
tcpdump's protocol decoders do not have a perfect security history.
At least in theory, a delayed attack could be possible via the partial packet
payloads recorded by the logging device.
It is recommended practice to move the log files off of the firewall machine
before examining them in this way.
Additional care should also be taken to secure access to the logs. By default, pflogd will record 160 bytes of the packet in the log file. Access to the logs could provide partial access to sensitive packet payloads.
# tcpdump -n -e -ttt -r /var/log/pflog port 80This can be further refined by limiting the display of packets to a certain host and port combination:
# tcpdump -n -e -ttt -r /var/log/pflog port 80 and host 192.168.1.3The same idea can be applied when reading from the
# tcpdump -n -e -ttt -i pflog0 host 192.168.4.2Note that this has no impact on which packets are logged to the pflogd log file; the above commands only display packets as they are being logged.
In addition to using the standard tcpdump(8) filter rules, the tcpdump filter language has been extended for reading pflogd output:
ip - address family is IPv4.
ip6 - address family is IPv6.
on int - packet passed through the interface
ifname int - same as
ruleset name - the
ruleset/anchor that the packet was matched in.
rulenum num - the filter rule that the packet matched
was rule number num.
action act - the action taken on the packet.
Possible actions are
reason res - the reason that
Possible reasons are
inbound - packet was inbound.
outbound - packet was outbound.
# tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0This display the log, in real-time, of inbound packets that were blocked on the wi0 interface.