Shell functions to (re)load and view pf.conf rules in an anchor
Three short easy to type commands that help in debugging anchor rules for the OpenBSD pf packet filter.
To load or source these functions into your shell, use the "." dot command:
Code:
# . ./anchor_load.function
Code:
(1) Function 'ra' first flushes the rules, then loads a rule set in a pf anchor.
    Variables used:
    Exported shell variable ANCHOR : vm
        The name of the pf anchor in your rule set
    Exported shell variable APF (Anchor PF) : monkey.pf
        File name of the pf ruleset to be loaded into the anchor
    To change these variables to another value:
    # ANCHOR=wireguard
    # APF=wg_anchor1
(2) Function 'fa' flushes (deletes) the anchor
(3) Function 'sas' shows the anchor rules with statistics
Code:
lenap# echo $ANCHOR
vm
lenap# echo $APF
monkey.pf
lenap# cat monkey.pf
pass log all
lenap# ra
Flushing anchor vm ....
0 tables deleted.
rules cleared
Loading rules from monkey.pf into vm ....
@0 pass log all flags S/SA

@0 pass log all flags S/SA
  [ Evaluations: 0   Packets: 0   Bytes: 0   States: 0 ]
  [ Inserted: uid 0 pid 29560 State Creations: 0 ]

lenap# sas
@0 pass log all flags S/SA
  [ Evaluations: 0   Packets: 0   Bytes: 0   States: 0 ]
  [ Inserted: uid 0 pid 41589 State Creations: 0 ]
Code:
lenap# ping -c2 192.168.222.10
PING 192.168.222.10 (192.168.222.10): 56 data bytes
64 bytes from 192.168.222.10: icmp_seq=0 ttl=255 time=0.530 ms
64 bytes from 192.168.222.10: icmp_seq=1 ttl=255 time=0.471 ms

--- 192.168.222.10 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.471/0.501/0.530/0.030 ms
lenap# sa
@0 pass log all flags S/SA
  [ Evaluations: 1   Packets: 4   Bytes: 336   States: 1 ]
  [ Inserted: uid 0 pid 41589 State Creations: 1 ]
Code:
lenap# dig www.openbsd.org

; <<>> dig 9.10.8-P1 <<>> www.openbsd.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22152
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.openbsd.org.               IN      A

;; ANSWER SECTION:
www.openbsd.org.        10997   IN      A       199.185.178.80

;; Query time: 9 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jul 10 02:52:38 CEST 2022
;; MSG SIZE rcvd: 60

lenap# sa
@0 pass log all flags S/SA
  [ Evaluations: 2   Packets: 6   Bytes: 496   States: 1 ]
  [ Inserted: uid 0 pid 41589 State Creations: 2 ]
lenap#
Code:
ANCHOR=vm
export ANCHOR
APF="monkey.pf"
export APF

cat <<END
(1) Function 'ra' first flushes the rules, then loads a rule set in a pf anchor.
    Variables used:
    Exported shell variable ANCHOR : $ANCHOR
        The name of the pf anchor in your rule set
    Exported shell variable APF (Anchor PF) : $APF
        File name of the pf ruleset to be loaded into the anchor
    To change these variables to another value:
    # ANCHOR=wireguard
    # APF=wg_anchor1
(2) Function 'fa' flushes (deletes) the anchor
(3) Function 'sas' shows the anchor rules with statistics
END

# ra: flush the anchor, load the rule file into it, then show the loaded rules
ra() {
    FILE="$APF"
    if [ -e "$FILE" ] ; then
        echo Flushing anchor $ANCHOR ....
        pfctl -a "$ANCHOR" -F all
        echo Loading rules from $FILE into $ANCHOR ....
        pfctl -a "$ANCHOR" -vvf "$FILE"
        echo
        pfctl -a "$ANCHOR" -vvsr
        echo
    else
        echo "File $FILE does not exist! ..."
        return 10
    fi
}

# fa: flush (delete) everything in the anchor
fa() {
    echo Flushing anchor $ANCHOR ....
    pfctl -a "$ANCHOR" -F all
}

# 'sa' is a program to show accounting stats, so we use 'sas'
sas() {
    #echo Showing stats for anchor $ANCHOR
    pfctl -a "$ANCHOR" -vvsr
}
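An added example, not part of the post above: a variant of 'ra' that has pfctl parse the file before anything is flushed. With the original flush-then-load order, a typo in monkey.pf leaves the anchor empty, so traffic falls through to the main ruleset until the file is fixed. The PFCTL variable is an assumption added here so the function can be exercised without root or a real pf.

```shell
#!/bin/sh
# Added example (not from the original post): check-then-load for a pf anchor.
# pfctl -n parses the file without loading it; the flush happens only after
# that succeeds, so a syntax error leaves the current anchor rules in place.
# PFCTL is an assumption added so the function can be tested with a stub.

PFCTL="${PFCTL:-pfctl}"
ANCHOR="${ANCHOR:-vm}"
APF="${APF:-monkey.pf}"

# Return codes: 0 loaded, 10 file missing, 11 parse error (anchor untouched)
ra_checked() {
    file="$APF"
    if [ ! -e "$file" ]; then
        echo "File $file does not exist! ..." >&2
        return 10
    fi
    # Dry run: -n parses only. Nothing has been flushed at this point.
    if ! "$PFCTL" -a "$ANCHOR" -nf "$file"; then
        echo "Parse error in $file, anchor $ANCHOR left unchanged" >&2
        return 11
    fi
    echo "Flushing anchor $ANCHOR ...."
    "$PFCTL" -a "$ANCHOR" -F all || return $?
    echo "Loading rules from $file into $ANCHOR ...."
    "$PFCTL" -a "$ANCHOR" -vvf "$file" || return $?
    "$PFCTL" -a "$ANCHOR" -vvsr
}

# Usage (after sourcing this file): ANCHOR=vm APF=monkey.pf ra_checked
```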
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
The file for downloading. To remove the .txt suffix:
Code:
$ mv Downloads/anchor_load.function.txt anchor_load.function