Logging pflog via syslog on FreeBSD 9.3
I've recently started looking into using pf instead of ipfw on FreeBSD. pf is looking good so far, with what appears to be a generally more advanced handling of stateful connections than ipfw has. The only thing that was bothering me is the completely unusual approach pf takes to logging, using a pflog pseudo interface for logging and then having pflogd dump the logs in raw format to files that can later be read with tcpdump. As someone who likes syslog and the centralized logging it provides, this was not really something that struck me as a very useful solution.
However, it turns out that dumping the log directly from pflog to syslog is actually fairly easy to do, and the process can be daemonized and run as a proper service using only base system functionality.
Adding this simple rc script (let's call it pfsyslog) to /usr/local/etc/rc.d:
#!/bin/sh
#
# PROVIDE: pfsyslog
# REQUIRE: FILESYSTEMS netif pflog
# KEYWORD: nojail

. /etc/rc.subr

name="pfsyslog"
rcvar="pfsyslog_enable"
load_rc_config $name

pidfile="/var/run/pfsyslog.pid"

# daemon(8) supervises the pipeline: -c chdir to /, -f detach from the
# terminal, -r restart the child if it exits; -p records the child's pid,
# -P the supervisor's pid (the one rc uses for status/stop).
# tcpdump: -n no name lookups, -l line-buffered so logger sees each packet
# immediately, -e print the pflog header (rule, action, interface),
# -t omit tcpdump's own timestamp since syslog adds one.
command="/usr/sbin/daemon"
command_args="-cfr -p \"/var/run/pfsyslog_child.pid\" -P ${pidfile} /bin/sh -c \"tcpdump -nle -t -i pflog0 | logger -t pf -p local0.info\""

run_rc_command "$1"
... and then, this line to /etc/rc.conf:
pfsyslog_enable="YES"
... will do the trick. Note that this script still depends on having enabled pflog in rc.conf. To run with pflogd completely turned off, the above script needs to be modified in order to bring up pflog0 before starting logging. This can easily be achieved by copying the relevant parts from /etc/rc.d/pflog.
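As an added example (not part of the original post), here is a small POSIX sh/awk function that summarises the syslog lines the pipeline above produces, counting blocked packets per source address and pf rule. The sample lines are constructed; they assume the "pf" tag passed to logger above and tcpdump's pflog header layout ("rule N/M(match): ACTION DIR on IFACE: SRC.PORT > DST.PORT: ...").

```shell
#!/bin/sh
# Summarise pf "block" events from syslog lines written by
# "tcpdump -nle -t -i pflog0 | logger -t pf -p local0.info".
# Added example, not part of the original post; the sample below is constructed.

# Constructed syslog excerpt: one host blocked three times by rule 3 (TCP),
# one blocked once (ICMP, so no port suffix), one passed by rule 7, and an
# unrelated sshd line that must be ignored.
PF_SAMPLE='Jan 10 12:00:01 gw pf: rule 3/0(match): block in on em0: 192.0.2.10.51234 > 198.51.100.2.22: Flags [S], seq 1, win 65535, length 0
Jan 10 12:00:02 gw pf: rule 3/0(match): block in on em0: 192.0.2.10.51235 > 198.51.100.2.23: Flags [S], seq 1, win 65535, length 0
Jan 10 12:00:03 gw pf: rule 7/0(match): pass in on em0: 203.0.113.5.40000 > 198.51.100.2.443: Flags [S], seq 2, win 65535, length 0
Jan 10 12:00:04 gw pf: rule 3/0(match): block in on em0: 192.0.2.10.51236 > 198.51.100.2.25: Flags [S], seq 3, win 65535, length 0
Jan 10 12:00:05 gw pf: rule 3/0(match): block in on em0: 192.0.2.77 > 198.51.100.2: ICMP echo request, id 1, seq 1, length 64
Jan 10 12:00:06 gw sshd[123]: Accepted publickey for ops from 203.0.113.5 port 40000 ssh2'

# pf_blocked_sources: read syslog on stdin, print "COUNT SRC rule N/M" for
# blocked packets, most frequent source first. Only lines with the "pf:" tag
# and action "block" count. The source is the token before the first ">";
# tcpdump appends ".PORT" to addresses that have one, so a 5-part IPv4 token
# (or a plain IPv6 token with a dotted suffix) loses its last component.
pf_blocked_sources() {
    awk '
        $5 == "pf:" && $6 == "rule" && $8 == "block" {
            rule = $7; sub(/\(.*$/, "", rule)            # "3/0(match):" -> "3/0"
            src = ""
            for (i = 12; i <= NF; i++)
                if ($i == ">") { src = $(i - 1); break }
            if (src == "") next                          # no address pair on this line
            nd = split(src, part, ".")
            if (nd == 5 || (src ~ /:/ && nd == 2))       # SRC.PORT form, strip the port
                src = substr(src, 1, length(src) - length(part[nd]) - 1)
            n[src " rule " rule]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$PF_SAMPLE" | pf_blocked_sources
```

On a live system feed it the file your /etc/syslog.conf routes local0 to, since where these messages land is decided there, not by the rc script.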