|
|||
PF <tables>
I use a very basic pf.conf on a web server to drop known problem IPs
pf.conf: Code:
# Tables: similar to macros, but more flexible for many addresses. table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } table <garbage> persist file "/etc/pf.garbage.txt" table <whitelist> persist file "/etc/pf.whitelist.txt" table <ssh-violations> persist file "/etc/ssh-violations.txt" block in all block drop in quick from <rfc1918> to any block drop in quick from <garbage> to any block drop in quick from <ssh-violations> to any pass in all pfctl -vvv -f /etc/pf.conf ; sleep 90 ; pfctl -vvv -f /etc/pf.conf.open pfctl -vvv -f /etc/pf.conf The problem had nothing to do with any IP in the <garbage> table and the rule was rule was re-enabled. Now when I use "pfctl -t garbage -T show" the table is empty. pfctl -sa -r -vvv | less - loaded rules with line numbers Is this normal or am I missing something ? Thanks |
|
|||
Does the file /etc/pf.garbage.txt actually have anything inside it?
What about the rest of your tables, did they loose any info as well -- what's the output of Code:
# pfctl -vvsTables Code:
# pfctl -Fa -f /etc/pf.conf |
|
|||
<tables>
Thanks for the reply Chris;
I can duplicate what happened and I find it odd to say the least. This is what I did to replicate the table emptying for some reason unknown to me: Added an IP range to <ssh-violations>: pfctl -t ssh-violations -T add 62.141.48.0/20 Ran: pfctl -t ssh-violations -T show --- IP range is there - Commented out <ssh-violations> rule eg: # Tables: similar to macros, but more flexible for many addresses. table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } table <garbage> persist file "/etc/pf.garbage.txt" table <whitelist> persist file "/etc/pf.whitelist.txt" table <ssh-violations> persist file "/etc/ssh-violations.txt" block in all block drop in quick from <rfc1918> to any block drop in quick from <garbage> to any #block drop in quick from <ssh-violations> to any pass in all Tested: pfctl -vvv -f /etc/pf.conf ; sleep 90 ; pfctl -vvv -f /etc/pf.conf.open Loaded: pfctl -vvv -f /etc/pf.conf Ran: pfctl -t ssh-violations -T show --- table is empty!!!! Uncomment <ssh-violations>: block in all block drop in quick from <rfc1918> to any block drop in quick from <garbage> to any block drop in quick from <ssh-violations> to any pass in all Ran, test, loaded and "pfctl -t ssh-violations -T show", table is empty. |
|
|||
As chris asked, do you have anything in the file /etc/pf.garbage.txt?
Perhaps you are misunderstanding how "persist" works, and how "file" works? The "persist" adjective is not about classic object persistence, all it does is ensure that even if no current rules are using a table, that table still gets allocated. It's mostly useful when you are dynamically adding rules with anchors and know you will refer to a table in a future dynamic rule, even though no current rule uses that table. PF will never writeto the file, it only reads from the file, and that only once at the time the rules are loaded/reloaded. If you want to save the table contents to a file and have them survive across rule reloading and across reboots, you need a separate userland script to handle this activity. |
|
|||
" ... do you have anything in the file /etc/pf.garbage.txt?" Yes , IP ranges I have reentered after I found the table to be empty. At one time there was over a thousand IP ranges n the garbage table.
I did think table contents would "survive across rule reloading and across reboots" and that is why I asked, "Is this normal or am I missing something ?" |
|
|||
Forgive me for sounding boring but I just want to make sure we're both understanding each other, what is the output of;
Code:
cat /etc/pf.garbage.txt So, for example, rather than; Code:
pfctl -t ssh-violations -T add 62.141.48.0/20 Code:
echo '62.141.48.0/20' >> /etc/ssh-violations.txt |
|
|||
Not Boring
Thanks Chris, I had the wrong perception of exactly what "persist" ment. I had been using the "pfctl" method of adding IPs to tables and was surprised when I found tables empty after my "test and reload".
I went back to the manpages and found: Quote:
|
|
|||
Yes, you will need to reload PF once you've manually added an IP to a table using echo or something similar. Unless you really need extreme verbose output then just pfctl -f /etc/pf.conf will do as a reload command.
Last edited by chris; 16th July 2008 at 09:40 PM. |
|
|||
Thanks Chris, I'm now desiding which method to use even though I don't really see any difference.
I case your are curious where I get the IP ranges to add to the tables. They come from the Mod_Security log file (modsec_audit.log). Dropping known garbage is a proactive approach and over time it has paid off. |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
pf tables how long values stored | ijk | FreeBSD Security | 3 | 12th August 2008 11:45 AM |