BSD DevCenter
oreilly.comSafari Books Online.Conferences.


Sharing Internet Connections
Pages: 1, 2, 3

Fancy Stuff: Logging

There are several things you need to do if you'd like to view your firewall logs. First, make sure that you've chosen the Logging On Action in at least one of your firewall rules.

Hint: choose wisely when deciding which rules to log; if you log everything, you will have to wade through very large logfiles! If you only want to log when you think there is a problem--for example, one of your applications doesn't seem to work through the firewall--enable logging temporarily for your internet access rule until you've figured out the problem.

Next, make sure that you have pflog loaded:

# kldstat | grep pflog
7    1 0xc52d4000 2000   pflog.ko

If you see this, pflog is good to go. If you only get your prompt back, load the module:

# kldload pflog

... and add these lines to /etc/rc.conf to reload the module at boot time:


If that logfile doesn't already exist, create it:

# touch /var/log/pflog

You should now be able to start pflog:

# /etc/rc.d/pflog start
Starting pflog.

# /etc/rc.d/pflog status
pflog is running as pid 95363.

The logfile that this creates is not a text file, meaning you can't read it directly or use a utility such as tail -f to watch the log.

Instead, use tcpdump:

# tcpdump -n -e -ttt -r /var/log/pflog

To view the file as it grows, use:

# tcpdump -n -e -ttt -i pflog0

Admittedly, those are some pretty long commands just to view a log. This is an excellent time to create some key bindings. These bindings work from a terminal, so I run them from Alt-F2 instead of the GUI. The first command will bind Ctrl-L to the command that reads the logfile, and the second command will bind Ctrl-g to the command that watches the log as it grows:

# bindkey -s "^L" "tcpdump -n -e -ttt -r /var/log/pflog"
# bindkey -s "^g" "tcpdump pn -e -ttt -i pflog0"

I find that pressing Ctrl-L or Ctrl-g is much quicker. If you prefer to have your bindings work in your GUI, install and configure xbindkeys_config.

Hint: BSD Hacks has more directions for creating shell, terminal, and GUI bindings.

Fancier Stuff: Advanced Logging

Even with key bindings, tcpdump can still be a little inconvenient; it displays your log entries in pure text. There currently aren't any GUI pflog entry readers, but you can hack an HTML equivalent that will allow you to view your logs in a browser. Start by installing the pflogx utility:

# cd /usr/ports/sysutils/pflogx
# make install

Note that I've chosen to install the port, not the binary package, and that I didn't use the clean target to make. This is because I want to use an .xls file that doesn't come with the package. make clean will delete it. Also, during the install, you'll see a menu asking if you want to use Expat; selecting this option will give you the ability to merge logfiles.

Once installed, check out the installed .xsl files:

# ls pflogx/work/xsl
export_csv.xsl        export_xhtml.xsl    last_date.xsl
export_html.xsl        first_date.xsl

The /usr/local/share/doc/pflogx/README holds directions for using pflogx and descriptions of each .xsl file.

Here is an example to get you started. Using the logfile as input (-i), create an XML file as output (-o):

# pflogx -i /var/log/pflog -o ~/log.xml

Copy export_html.xsl to your home directory:

# cp /usr/ports/sysutils/pflogx/work/pflogx/xsl/export_html.xsl ~

Open ~/log.xml in your favourite text editor. The first line should say:

<?xml version="1.0" encoding="UTF-8"?>

Right after that line, add:

<?xml-stylesheet type="text/xsl" href="export_html.xsl"?>

After you save your change, type the full path to log.xml into your browser. You should see something like Figure 3.

Thumbnail, click for full-size image.
Figure 3. An HTML firewall log report (Click for full-size image)

Suggested Reading

I've barely scratched the surface of pf's features. More advanced users can explore how to integrate these features into fwbuilder. Here is some reading material to get you started:

If you right-click your firewall object and choose Edit, then Firewall Settings, you'll find many interesting tunables. If you wish to implement some pf features not currently supported by fwbuilder, such as altq or carp, experiment with adding the required lines to the Prolog/Epilog tab.

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.

Return to the BSD DevCenter.

Sponsored by: