PF <tables>
I use a very basic pf.conf on a web server to drop known problem IPs.
pf.conf: Code:
# Tables: similar to macros, but more flexible for many addresses.
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <garbage> persist file "/etc/pf.garbage.txt"
table <whitelist> persist file "/etc/pf.whitelist.txt"
table <ssh-violations> persist file "/etc/ssh-violations.txt"

block in all
block drop in quick from <rfc1918> to any
block drop in quick from <garbage> to any
block drop in quick from <ssh-violations> to any
pass in all

Code:
pfctl -vvv -f /etc/pf.conf ; sleep 90 ; pfctl -vvv -f /etc/pf.conf.open
pfctl -vvv -f /etc/pf.conf

The problem had nothing to do with any IP in the <garbage> table and the rule was re-enabled. Now when I use "pfctl -t garbage -T show" the table is empty.

Code:
pfctl -sa -r -vvv | less    - loaded rules with line numbers

Is this normal or am I missing something? Thanks
|
Does the file /etc/pf.garbage.txt actually have anything inside it?
What about the rest of your tables, did they lose any info as well -- what's the output of Code:
# pfctl -vvsTables

Code:
# pfctl -Fa -f /etc/pf.conf
|
<tables>
Thanks for the reply Chris;
I can duplicate what happened and I find it odd to say the least. This is what I did to replicate the table emptying, for some reason unknown to me:

Added an IP range to <ssh-violations>: Code:
pfctl -t ssh-violations -T add 62.141.48.0/20

Ran: Code:
pfctl -t ssh-violations -T show
--- IP range is there -

Commented out the <ssh-violations> rule, e.g.: Code:
# Tables: similar to macros, but more flexible for many addresses.
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <garbage> persist file "/etc/pf.garbage.txt"
table <whitelist> persist file "/etc/pf.whitelist.txt"
table <ssh-violations> persist file "/etc/ssh-violations.txt"

block in all
block drop in quick from <rfc1918> to any
block drop in quick from <garbage> to any
#block drop in quick from <ssh-violations> to any
pass in all

Tested: Code:
pfctl -vvv -f /etc/pf.conf ; sleep 90 ; pfctl -vvv -f /etc/pf.conf.open

Loaded: Code:
pfctl -vvv -f /etc/pf.conf

Ran: Code:
pfctl -t ssh-violations -T show
--- table is empty!!!!

Uncommented <ssh-violations>: Code:
block in all
block drop in quick from <rfc1918> to any
block drop in quick from <garbage> to any
block drop in quick from <ssh-violations> to any
pass in all

Ran, tested, loaded and "pfctl -t ssh-violations -T show"; table is empty.
|
As Chris asked, do you have anything in the file /etc/pf.garbage.txt?
Perhaps you are misunderstanding how "persist" works, and how "file" works? The "persist" adjective is not about classic object persistence; all it does is ensure that even if no current rules are using a table, that table still gets allocated. It's mostly useful when you are dynamically adding rules with anchors and know you will refer to a table in a future dynamic rule, even though no current rule uses that table. PF will never write to the file; it only reads from the file, and that only once, at the time the rules are loaded/reloaded. If you want to save the table contents to a file and have them survive across rule reloading and across reboots, you need a separate userland script to handle this activity.
|
"... do you have anything in the file /etc/pf.garbage.txt?" Yes, IP ranges I have re-entered after I found the table to be empty. At one time there were over a thousand IP ranges in the garbage table.
I did think table contents would "survive across rule reloading and across reboots", and that is why I asked, "Is this normal or am I missing something?"
|
Forgive me for sounding boring but I just want to make sure we're both understanding each other; what is the output of:
Code:
cat /etc/pf.garbage.txt

So, for example, rather than: Code:
pfctl -t ssh-violations -T add 62.141.48.0/20

Code:
echo '62.141.48.0/20' >> /etc/ssh-violations.txt
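The two points made above, that pf only ever reads the table file (never writes it) and that a run-time addition should therefore go into the file as well as into the kernel table, can be combined into a small userland sync script of the kind the earlier reply says is needed. The following is an added example, not code posted by anyone in this thread; it assumes the table and file naming from the original pf.conf (table <garbage> persist file "/etc/pf.garbage.txt"), and the PFCTL variable and pf_table_* function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): keep a pf table and the file it is
# defined from in sync, so entries added at run time survive `pfctl -f` and reboots.
# Assumes   table <garbage> persist file "/etc/pf.garbage.txt"   in pf.conf.
# PFCTL can point at a wrapper or a test double; it defaults to pfctl.
: "${PFCTL:=pfctl}"

# `pfctl -t <table> -T show` prints one address per line with leading spaces;
# strip those, drop blank and comment lines, and de-duplicate so the file
# stays in the format pf itself accepts for a `file "..."` table definition.
pf_table_normalize() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -v -e '^$' -e '^#' |
        sort -u
}

# Dump the live table into its file. The file is written via a temp file and
# mv so a crash mid-write cannot leave pf with a truncated list on next reload.
pf_table_save() {
    table=$1
    file=$2
    entries=$("$PFCTL" -t "$table" -T show) || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    printf '%s\n' "$entries" | pf_table_normalize > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Add an address to the kernel table *and* to the file, in that order, so an
# address pfctl rejects never ends up in the file.
pf_table_add() {
    table=$1
    addr=$2
    file=$3
    "$PFCTL" -t "$table" -T add "$addr" || return 1
    printf '%s\n' "$addr" >> "$file"
}

# Replace the kernel table with the file's contents (what pf does itself when
# the ruleset is loaded; useful after editing the file by hand).
pf_table_load() {
    table=$1
    file=$2
    "$PFCTL" -t "$table" -T replace -f "$file"
}

# Typical use on the box (not executed when this file is merely sourced):
#   pf_table_add garbage 62.141.48.0/20 /etc/pf.garbage.txt
#   pf_table_save garbage /etc/pf.garbage.txt   # from cron, and before every pfctl -f
#   pfctl -vvv -f /etc/pf.conf                  # pf rereads the file on its own
```

Because the ruleset load re-populates each table from its definition, anything that was only ever added with `-T add` is gone after `pfctl -f` unless it was written to the file first; running pf_table_save before the reload (and from cron, so a reboot does not lose entries added since the last save) closes that gap.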
|