NetBSD-Users archive


Re: Trying to start NPF



Todd Gruhn <tgruhn2%gmail.com@localhost> writes:

> Logging.
>    can I set/use   npf.log?
>
>     Do I need to add a line to syslog.conf ?
>     I used this to tell ipf to log-here.
>
> Why can't I see either ipf/npf when I do  'ps -aux' ?


IPF and NPF log in very different ways.

For NPF you need to put this:

procedure "log" {
          log: npflog0
}

in your /etc/npf.conf file and then on every rule you want to have a log
entry you put an 'apply "log"' directive.  Something like this:

block out family inet4 to any port $xennet4_tcp_udp apply "log"

I believe that there are examples in the npf.conf(5) man page and
/usr/share/examples/npf.

With the above, you will get another network interface called npflog0
that you can tcpdump against and see what was logged, as NPF logs actual
packets.  There is no text file output and nothing for syslog.  If you
want a file to automatically be created, you can run npfd.  See the
npfd(8) man page for examples on how to do this.  This will create a
binary file that you can feed into tcpdump to decode the logged packet.
Again, there is no text output.  With NPF, what is logged is the actual
packet, plus some additional meta data about which rule fired.  See the
man pages for more information.

For IPF, the logging is done with ipmon which can be instructed to log
to a certain syslog facility, which can be put into a file, or whatever,
by syslogd.


In either the NPF or IPF case, there won't be a daemon running for the
firewall / NAT parts.  For NPF, there might not be a daemon running for
logging either, if you don't care about file output.  If your only
interest is in real time logs then just tcpdump the npflog interface.
Note that since this is a NIC, more than one process can tcpdump it and
nothing will be lost.  For IPF, ipmon has to be running correctly to get
log output and only one ipmon can be running.  If you have more than one
running, they will steal information from each other (like say, you have
one running the output to a file and one running the output to stdout,
you won't get everything from either of them).

For NPF, you can do some clever stuff with tcpdump against the npflog
interface where that output is piped into something else and maybe, for
example, sent to Elasticsearch to be viewed and digested in detail.  For
IPF, the same thing can happen with ipmon, which can send its output to
stdout and onto something, for example, like Elasticsearch.
Etc.. etc.. etc..

-- 
Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS - http://anduin.eldar.org
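As an added example (not part of the message above, and not NetBSD project code), here is the logging setup from the reply put together end to end: an npf.conf that logs selected traffic through the "log" procedure, a small local check that every 'apply "name"' in the file has a matching 'procedure "name"' (a mistake that NPF will otherwise only report at reload time), and the commands you would then run on the NetBSD host to load the ruleset and watch npflog0 with tcpdump.  The interface name wm0, the service list, the group layout and the tcpdump/npfd invocations are assumptions for illustration; check npf.conf(5), npfctl(8), npflog(4) and npfd(8) for the exact syntax on your release.

```shell
#!/bin/sh
# Added example, not the original poster's configuration.  Assumptions:
# the external interface is wm0, the services list is illustrative, and
# the host-side commands follow npfctl(8)/npflog(4) as documented.

# Write an example ruleset to the path given as $1.  Packets matched by
# a rule carrying 'apply "log"' are copied to the npflog0 pseudo-interface.
write_npf_conf() {
    cat > "$1" <<'EOF'
$ext_if = "wm0"
$services_tcp = { ssh, http, https }

# The "log" procedure sends matched packets to npflog0 (no text, no syslog).
procedure "log" {
    log: npflog0
}

group "external" on $ext_if {
    pass stateful out final all
    pass stateful in final family inet4 proto tcp to $ext_if port $services_tcp apply "log"
    block in final all apply "log"
}

group default {
    pass final on lo0 all
    block all
}
EOF
}

# Return 0 if every 'apply "x"' in the file has a 'procedure "x"' block;
# otherwise print the missing names on stderr and return 1.
check_procedures() {
    conf=$1
    rc=0
    for p in $(sed -n 's/.*apply "\([^"]*\)".*/\1/p' "$conf" | sort -u); do
        if ! grep -q "^procedure \"$p\"" "$conf"; then
            echo "apply \"$p\" has no matching procedure" >&2
            rc=1
        fi
    done
    return $rc
}

# Host-side steps (only meaningful on a NetBSD box with NPF).  The
# npflog0 interface is a cloning pseudo-device per npflog(4); creating it
# is a no-op if it already exists.
load_ruleset() {
    command -v npfctl >/dev/null 2>&1 || { echo "npfctl not found; skipping" >&2; return 0; }
    ifconfig npflog0 create 2>/dev/null
    npfctl reload /etc/npf.conf && npfctl start
}

# Real-time view: NPF logs packets, not text, so tcpdump decodes them.
# -e (assumed) prints the link-level header that carries the rule metadata.
watch_log() {
    tcpdump -n -e -i npflog0
}

# File output: run npfd(8) and later feed its capture back into tcpdump.
# The capture path is an assumption; check npfd(8) for the default.
read_saved_log() {
    tcpdump -n -e -r "${1:-/var/log/npflog0.pcap}"
}

# Stand-alone run: write the config and sanity-check it.
if [ "${0##*/}" != "sh" ]; then
    write_npf_conf /tmp/npf.conf.example
    check_procedures /tmp/npf.conf.example && echo "procedures OK"
fi
```

Copy the generated file to /etc/npf.conf, run load_ruleset, and then either watch_log for a live view (several tcpdump processes can read npflog0 at once) or start npfd and use read_saved_log on its capture file.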


