OpenBSD Security Functionally paranoid! |
pfctl anchors manipulation clarification on 4.7

Hi,

I have been playing with anchors lately and I am missing something. The machine is "4.7 GENERIC#558 i386". The pf.conf is

Code:
    int_if="vr0"
    ext_ifA="sk0"
    ext_ifT="vr1"
    set loginterface sk0
    set skip on lo
    match out on $ext_ifA inet from $int_if:network \
        to any nat-to ($ext_ifA)
    match out on $ext_ifT inet from $int_if:network \
        to any nat-to ($ext_ifT)
    block in log (all)
    anchor atelonly
    load anchor atelonly from "/etc/pf-confs/anchor-atelonly"
    anchor tataonly
    anchor atelandtata
    pass in log (all, to pflog1) on $int_if

Code:
    # pfctl -sr
    match out on sk0 inet from 172.16.0.0/12 to any nat-to (sk0) round-robin
    match out on vr1 inet from 172.16.0.0/12 to any nat-to (vr1) round-robin
    block drop in log (all) all
    anchor "atelonly" all
    anchor "tataonly" all
    anchor "atelandtata" all
    pass in log (all, to pflog1) on vr0 all flags S/SA keep state
    # pfctl -sA
      atelandtata
      atelonly
      tataonly
    # pfctl -a atelandtata -sr
    # pfctl -a tataonly -sr
    # pfctl -a atelonly -sr
    pass out log (all, to pflog2) quick on sk0 all flags S/SA keep state
    #

Code:
    pflog1: flags=41<UP,RUNNING> mtu 33200
            priority: 0
            groups: pflog
    pflog2: flags=141<UP,RUNNING,PROMISC> mtu 33200
            priority: 0
            groups: pflog
    pflog3: flags=141<UP,RUNNING,PROMISC> mtu 33200
            priority: 0
            groups: pflog
    pflog4: flags=41<UP,RUNNING> mtu 33200
            priority: 0
            groups: pflog
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
            priority: 0
            groups: pflog

internet. Fine :-) Now I run the following commands to stop traffic to the internet through sk0 and use the second internet connection instead. So my idea is to

1) change the default route to that of the second internet connection by
#route change -inet default 1ss.2ee.1ff.1

2) load the anchor tataonly with rules from

Code:
    # cat /etc/pf-confs/anchor-tataonly
    ext_ifT="vr1"
    pass out log (all, to pflog3) quick on $ext_ifT

#pfctl -a tataonly -f "/etc/pf-confs/anchor-tataonly"

3) clear rules and states created by them from anchor "atelonly" by
#pfctl -a atelonly -F all

Now I execute the following commands and these are the outputs

Code:
    # route change -inet default 121.247.145.1
    change net default: gateway 121.247.145.1
    # pfctl -a tataonly -f "/etc/pf-confs/anchor-tataonly"
    # pfctl -a atelonly -F all
    rules cleared
    0 tables deleted.
    #

    -F all      Flush all of the above. ( i.e including states )
    -a anchor   Apply flags -f, -F, and -s only to the rules in the specified anchor.

So as said the rules in the anchor atelonly are flushed

Code:
    # pfctl -sr
    match out on sk0 inet from 172.16.0.0/12 to any nat-to (sk0) round-robin
    match out on vr1 inet from 172.16.0.0/12 to any nat-to (vr1) round-robin
    block drop in log (all) all
    anchor "atelonly" all
    anchor "tataonly" all
    anchor "atelandtata" all
    pass in log (all, to pflog1) on vr0 all flags S/SA keep state
    # pfctl -a atelonly -sr
    # pfctl -a tataonly -sr
    pass out log (all, to pflog3) quick on vr1 all flags S/SA keep state
    #

but there is still traffic going out to the internet through sk0, which can be seen in pflog2. So I guess the states made by those rules in the anchor "atelonly" were not cleared? How do I clear only those states? I now tried doing a

Code:
    # pfctl -a atelonly -F states
    1469 states cleared

Code:
    # pfctl -a atelonly -F all

Is it because it clears all the states instead of the ones created by "-a atelonly"? How do I flush just the states created by an anchor ruleset when I flush them? anchor "atelandtata" holds nothing now, but if I do a #pfctl -a atelandtata -ss it shows all the states. But the man page says

    -a anchor   Apply flags -f, -F, and -s only to the rules in the specified anchor.

Am I misunderstanding the wording by some means? Could someone please explain? Thanks :-)
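Added example, not part of the original post and not OpenBSD's own tooling: a small sh/awk helper that reads `pfctl -ss` output and reports which states are still translated to a given uplink address. That is the check that shows whether a flush actually removed the states behind an anchor's rules, since the post's own output (`-a atelonly -F states` reporting 1469 states cleared, `-a atelandtata -ss` listing every state) shows that `-a` narrows `-f`, `-F rules` and `-sr` to the anchor but the state table is flushed and listed as a whole. The state lines below are constructed in the 4.7 `pfctl -ss` layout (not captured from the poster's machine); 192.0.2.10 stands in for sk0's address and 198.51.100.10 for vr1's, and the script never runs pfctl itself, so on a live box you would pipe `pfctl -ss` into the functions instead of the sample.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenBSD: helpers that read
# "pfctl -ss" style state lines on stdin and pick out the states whose
# translated source is a given uplink address (the nat-to target).
# Everything below runs offline on the constructed sample; on a real machine
# feed the output of "pfctl -ss" to the functions instead.

# Constructed sample in the OpenBSD 4.7 "pfctl -ss" layout (not captured
# from any real system). 192.0.2.10 stands in for sk0's address and
# 198.51.100.10 for vr1's; the LAN is 172.16.0.0/12 as in the post.
SAMPLE_STATES='all tcp 192.0.2.10:51234 (172.16.0.20:51234) -> 203.0.113.5:80       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:51235 (172.16.0.21:51235) -> 203.0.113.6:443      ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:51236 (172.16.0.20:51236) -> 203.0.113.7:22       ESTABLISHED:ESTABLISHED
all udp 198.51.100.10:40000 (172.16.0.22:40000) -> 203.0.113.53:53   MULTIPLE:MULTIPLE
all tcp 172.16.0.1:22 <- 172.16.0.30:50000       ESTABLISHED:ESTABLISHED'

# Print the state lines whose translated source address (field 3, before the
# ":port") equals the uplink address given as $1.
states_via_addr() {
    awk -v addr="$1" '{ split($3, s, ":"); if (s[1] == addr) print }'
}

# Number of states still pinned to the uplink address $1.
count_states_via_addr() {
    states_via_addr "$1" | wc -l | tr -d ' '
}

# The LAN hosts behind those states: the pre-translation address printed in
# parentheses (field 4) on an outbound translated state, one per line, unique.
inside_hosts_via_addr() {
    states_via_addr "$1" |
        awk '$4 ~ /^\(/ { gsub(/[()]/, "", $4); split($4, o, ":"); print o[1] }' |
        sort -u
}

# Stand-alone run: compare both uplinks on the sample.
for uplink in 192.0.2.10 198.51.100.10; do
    echo "states via $uplink: $(printf '%s\n' "$SAMPLE_STATES" | count_states_via_addr "$uplink")"
    printf '%s\n' "$SAMPLE_STATES" | inside_hosts_via_addr "$uplink" | sed 's/^/  inside host: /'
done
```

Running the counts before and after a flush makes the effect visible: if the number of states translated to the old uplink's address is unchanged after `pfctl -a <anchor> -F rules`, the flush removed rules only, and whatever drops the count to zero is what actually cleared the states. The inside-host list tells you which LAN machines were holding those states open.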