Re: log vs keep state

05-15-2006
Darren Reed
 

> On Sun, May 14, 2006 at 09:39:28PM +1000, Darren Reed wrote:
> > I believe this does what you want:
> > pass in log on foo0 proto tcp all flags S keep state

>
> That does what I want, thank you!
>
> I notice that ipfstat reports a high number in "log failures:". If I
> read NetBSD 3.0 correctly, ipl keeps up to 8 packets logged at once, and
> ipmon just isn't keeping up.
>
> I was hoping to use this for multiple things, most importantly a log of
> every NAT'ed TCP connection and UDP packet. It would also be nice to
> use it for accounting (i.e.: How many bytes did such-and-such machine
> transfer, and at what times, and to which other machines?) So I want to
> keep holes to an absolute minimum.
>
> Can you offer advice? I am not sure whether to increase the size of the
> log buffer, to use tcpdump instead, or to do something else altogether.


Try using:

ipmon -o NS

instead of the rule above.

Darren