DaemonForums  
#1  10th July 2022  J65nko, Administrator

Shell functions to (re)load and view pf.conf rules in an anchor

Three short, easy-to-type commands that help with debugging anchor rules for the OpenBSD pf packet filter.
To load or source these functions into your shell, use the "." dot command:
Code:
#   . ./anchor_load.function
The help message that is displayed:
Code:
(1) Function 'ra' first flushes the rules, then loads a rule set in a pf anchor.
    Variables used:

       Exported shell variable ANCHOR           : vm
       The name of the pf anchor in your rule set

       Exported shell variable APF (Anchor PF)  : monkey.pf
       File name of the pf ruleset to be loaded into the anchor

    To change these variables to another value:

     # ANCHOR=wireguard 
     # APF=wg_anchor1

(2) Function 'fa' flushes (deletes) the anchor

(3) Function 'sas' shows the anchor rules with statistics
Showing these functions in action:
Code:
lenap# echo $ANCHOR
vm
lenap# echo $APF    
monkey.pf
lenap# cat monkey.pf                                                                                                 
pass log all

lenap# ra
Flushing anchor vm ....
0 tables deleted.
rules cleared
Loading rules from monkey.pf into vm ....
@0 pass log all flags S/SA

@0 pass log all flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 29560 State Creations: 0     ]

lenap# sas
@0 pass log all flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 41589 State Creations: 0     ]
Generate some traffic with a ping and display the stats with sas:
Code:
lenap# ping -c2 192.168.222.10
PING 192.168.222.10 (192.168.222.10): 56 data bytes
64 bytes from 192.168.222.10: icmp_seq=0 ttl=255 time=0.530 ms
64 bytes from 192.168.222.10: icmp_seq=1 ttl=255 time=0.471 ms

--- 192.168.222.10 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.471/0.501/0.530/0.030 ms

lenap# sa
@0 pass log all flags S/SA
  [ Evaluations: 1         Packets: 4         Bytes: 336         States: 1     ]
  [ Inserted: uid 0 pid 41589 State Creations: 1     ]
The statistics after a DNS lookup:
Code:
lenap# dig www.openbsd.org

; <<>> dig 9.10.8-P1 <<>> www.openbsd.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22152
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.openbsd.org.               IN      A

;; ANSWER SECTION:
www.openbsd.org.        10997   IN      A       199.185.178.80

;; Query time: 9 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jul 10 02:52:38 CEST 2022
;; MSG SIZE  rcvd: 60

lenap# sa
@0 pass log all flags S/SA
  [ Evaluations: 2         Packets: 6         Bytes: 496         States: 1     ]
  [ Inserted: uid 0 pid 41589 State Creations: 2     ]
lenap#
The file anchor_load.function:
Code:
# Defaults; exported so that sub-shells and child commands see the same values
ANCHOR=vm
export ANCHOR
APF="monkey.pf"
export APF

cat <<END

(1) Function 'ra' first flushes the rules, then loads a rule set in a pf anchor.
    Variables used:

       Exported shell variable ANCHOR           : $ANCHOR
       The name of the pf anchor in your rule set

       Exported shell variable APF (Anchor PF)  : $APF
       File name of the pf ruleset to be loaded into the anchor

    To change these variables to another value:

     # ANCHOR=wireguard 
     # APF=wg_anchor1

(2) Function 'fa' flushes (deletes) the anchor

(3) Function 'sas' shows the anchor rules with statistics

END

# ra: (Re)load Anchor. Flush the anchor, load $APF into it, then show the result.
# Expansions are quoted so a name with spaces or glob characters stays one argument.
ra() {
   FILE="$APF"
   if [ -e "$FILE" ] ; then
       echo "Flushing anchor $ANCHOR ...."
       pfctl -a "$ANCHOR" -F all
       echo "Loading rules from $FILE into $ANCHOR ...."
       pfctl -a "$ANCHOR" -vvf "$FILE"
       echo
       pfctl -a "$ANCHOR" -vvsr
       echo
   else
       echo "File $FILE does not exist! ..."
       return 10
   fi
}

# fa: Flush Anchor. Delete everything (rules, tables, ...) in the anchor.
fa() {
       echo "Flushing anchor $ANCHOR ...."
       pfctl -a "$ANCHOR" -F all
}

# 'sa' is a program to show accounting stats, so we use 'sas'
# sas: Show Anchor Stats. Print the anchor's rules with per-rule counters.
sas() {
  #echo Showing stats for anchor $ANCHOR
  pfctl -a "$ANCHOR" -vvsr
}
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
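The functions above flush the anchor first and load the file second, so a typo in the ruleset file flushes the anchor and then fails to load, leaving that anchor with no rules at all until someone notices. The following is an added example, not the anchor_load.function from the post, showing the same ra / fa / sas helpers hardened for a production firewall: every expansion is quoted, the anchor name is validated before it reaches pfctl, and the ruleset is parse-checked with pfctl -n before anything is flushed. The PFCTL variable is an assumption introduced here so the functions can be exercised with a stub on a machine without pf; the character set accepted for anchor names is also an assumption and is deliberately stricter than what pf itself allows.

```shell
#!/bin/sh
# Added example (not the post's anchor_load.function): the ra / fa / sas
# workflow with three hardening changes.
#   - all expansions quoted, so odd anchor or file names cannot become
#     extra pfctl arguments;
#   - the anchor name is validated before it is passed to pfctl;
#   - the ruleset is syntax-checked (pfctl -n) BEFORE the anchor is
#     flushed, so a typo never leaves the anchor empty.
# PFCTL is an assumption for this example: point it at a stub to exercise
# the functions where pf is absent.
# Usage: . ./anchor_load_safe.sh ; ra ; sas ; fa

: "${ANCHOR:=vm}"          # name of the anchor in the main pf.conf
: "${APF:=monkey.pf}"      # file holding the rules for that anchor
: "${PFCTL:=pfctl}"        # pfctl binary, overridable for testing
export ANCHOR APF

# Conservative anchor-name check (assumption, stricter than pf): letters,
# digits, '_', '-', '.', and '/' between nested anchor components only.
valid_anchor() {
    case "$1" in
        ''|*[!A-Za-z0-9_./-]*|/*|*/|*//*) return 1 ;;
        *) return 0 ;;
    esac
}

# Parse-only check of a ruleset file; nothing in the kernel changes.
# Returns 10 if the file is unreadable, otherwise pfctl's exit status.
check_rules() {
    if [ ! -r "$1" ]; then
        echo "File '$1' does not exist or is not readable" >&2
        return 10
    fi
    "$PFCTL" -a "$ANCHOR" -nf "$1"
}

# ra: flush the anchor and reload $APF, but only after both checks pass.
ra() {
    if ! valid_anchor "$ANCHOR"; then
        echo "Invalid anchor name '$ANCHOR'" >&2
        return 11
    fi
    if ! check_rules "$APF"; then
        echo "Not flushing anchor $ANCHOR: ruleset $APF was rejected" >&2
        return 12
    fi
    echo "Flushing anchor $ANCHOR ...."
    "$PFCTL" -a "$ANCHOR" -F all
    echo "Loading rules from $APF into $ANCHOR ...."
    "$PFCTL" -a "$ANCHOR" -vvf "$APF"
}

# fa: flush (delete) everything in the anchor.
fa() {
    valid_anchor "$ANCHOR" || { echo "Invalid anchor name '$ANCHOR'" >&2; return 11; }
    echo "Flushing anchor $ANCHOR ...."
    "$PFCTL" -a "$ANCHOR" -F all
}

# sas: show the anchor's rules with per-rule counters ('sa' is already a program).
sas() {
    valid_anchor "$ANCHOR" || { echo "Invalid anchor name '$ANCHOR'" >&2; return 11; }
    "$PFCTL" -a "$ANCHOR" -vvsr
}
```

With the check in front, a rejected file costs nothing: pfctl -n prints the parse error and ra returns 12 without having touched the anchor, so the rules that were in effect before the edit keep running.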
#2  10th July 2022  J65nko, Administrator

The file for downloading. To remove the .txt suffix:
Code:
$ mv Downloads/anchor_load.function.txt  anchor_load.function
Attached file: anchor_load.function.txt (1.1 KB)