NetBSD-Users archive


Re: Trying to start NPF



I am using /usr/share/examples/npf/host-npf.conf

Is there a nice way to test this thing?

On Wed, Jul 10, 2024 at 12:03 AM Brad Spencer <brad%anduin.eldar.org@localhost> wrote:
>
> Todd Gruhn <tgruhn2%gmail.com@localhost> writes:
>
> > Logging.
> >    can I set/use   npf.log?
> >
> >     Do I need to add a line to syslog.conf ?
> >     I used this to tell ipf to log-here.
> >
> > Why can't I see either ipf/npf when I do 'ps -aux'?
>
>
> IPF and NPF log in very different ways.
>
> For NPF you need to put this:
>
> procedure "log" {
>           log: npflog0
> }
>
> in your /etc/npf.conf file and then on every rule you want to have a log
> entry you put an 'apply "log"' directive.  Something like this:
>
> block out family inet4 to any port $xennet4_tcp_udp apply "log"
>
> I believe that there are examples in the npf.conf(5) man page and
> /usr/share/examples/npf.
>
> With the above, you will get another network interface called npflog0
> that you can tcpdump against and see what was logged, as NPF logs actual
> packets.  There is no text file output and nothing for syslog.  If you
> want a file to automatically be created, you can run npfd.  See the
> npfd(8) man page for examples on how to do this.  This will create a
> binary file that you can feed into tcpdump to decode the logged packet.
> Again, there is no text output.  With NPF, what is logged is the actual
> packet, plus some additional metadata about which rule fired.  See the
> man pages for more information.
>
> For IPF, the logging is done with ipmon which can be instructed to log
> to a certain syslog facility, which can be put into a file, or whatever,
> by syslogd.
>
>
> In either the NPF or IPF case, there won't be a daemon running for the
> firewall / NAT parts.  For NPF, there might not be a daemon running for
> logging either, if you don't care about file output.  If your only
> interest is in real time logs then just tcpdump the npflog interface.
> Note that since this is a NIC, more than one process can tcpdump it and
> nothing will be lost.  For IPF, ipmon has to be running correctly to get
> log output and only one ipmon can be running.  If you have more than one
> running, they will steal information from each other (like say, you have
> one running the output to a file and one running the output to stdout,
> you won't get everything from either of them).
>
> For NPF, you can do some clever stuff with tcpdump against the npflog
> interface where that output is piped into something else and maybe, for
> example, sent to Elasticsearch to be viewed and digested in detail.  For
> IPF, the same thing can happen with ipmon, which can send its output to
> stdout and onto something, for example, like Elasticsearch.
> Etc.. etc.. etc..
>
> --
> Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS - http://anduin.eldar.org
>
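
As an added example (not code from the thread or from the NetBSD project), the following sh script writes the "log" procedure and an `apply "log"` rule of the kind Brad describes into a constructed npf.conf, checks offline that every procedure a rule applies is actually defined (a mismatch is rejected at reload time), and only on a host that has npfctl shows the load-and-watch commands. The `$xennet4_tcp_udp` port set and its values are placeholders, and the `npfctl`/`tcpdump` invocation is assumed to match a current NetBSD install.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a constructed npf.conf with a
# logging procedure, lints it offline, and shows how to watch npflog0.

# Write a constructed npf.conf to $1: one "log" procedure plus a block rule
# that applies it.  $xennet4_tcp_udp and its ports are placeholders.
write_npf_conf() {
    cat > "$1" <<'EOF'
$xennet4_tcp_udp = { 53, 123 }   # placeholder port set

procedure "log" {
        log: npflog0
}

group default {
        block out family inet4 to any port $xennet4_tcp_udp apply "log"
        pass stateful out final all
}
EOF
}

# Offline check: every name used in an 'apply "x"' directive must have a
# matching 'procedure "x" {' definition.  Prints the missing names on
# stderr and returns 1 if any are missing, 0 otherwise.
check_procedures() {
    conf="$1"
    missing=0
    for name in $(sed -n 's/.*apply "\([^"]*\)".*/\1/p' "$conf" | sort -u); do
        if ! grep -q "^procedure \"$name\" {" "$conf"; then
            echo "rule applies undefined procedure: $name" >&2
            missing=1
        fi
    done
    return $missing
}

# On a NetBSD host with NPF: validate, load and start the ruleset, then watch
# the pseudo-interface.  Each logged packet appears there as a frame, so
# several tcpdump readers can share it without losing anything (assumed
# command set; guarded so the script also runs on hosts without NPF).
if command -v npfctl >/dev/null 2>&1; then
    npfctl validate /etc/npf.conf && npfctl reload && npfctl start
    tcpdump -n -i npflog0
fi
```

Point `write_npf_conf` at a scratch file first and only copy the result to /etc/npf.conf once `check_procedures` is clean.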
