Three short, easy-to-type commands that help with debugging anchor rules for the OpenBSD pf packet filter.
To load (source) these functions into your shell, use the "." dot command:
Code:
# . ./anchor_load.function
The help message that is displayed:
Code:
(1) Function 'ra' first flushes the rules, then loads a rule set in a pf anchor.
Variables used:
Exported shell variable ANCHOR : vm
The name of the pf anchor in your rule set
Exported shell variable APF (Anchor PF) : monkey.pf
File name of the pf ruleset to be loaded into the anchor
To change these variables to another value:
# ANCHOR=wireguard
# APF=wg_anchor1
(2) Function 'fa' flushes (deletes) the anchor
(3) Function 'sas' shows the anchor rules with statistics
Showing these functions in action:
Code:
lenap# echo $ANCHOR
vm
lenap# echo $APF
monkey.pf
lenap# cat monkey.pf
pass log all
lenap# ra
Flushing anchor vm ....
0 tables deleted.
rules cleared
Loading rules from monkey.pf into vm ....
@0 pass log all flags S/SA
@0 pass log all flags S/SA
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 29560 State Creations: 0 ]
lenap# sas
@0 pass log all flags S/SA
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 41589 State Creations: 0 ]
Generate some traffic with a ping and display the stats with sas:
Code:
lenap# ping -c2 192.168.222.10
PING 192.168.222.10 (192.168.222.10): 56 data bytes
64 bytes from 192.168.222.10: icmp_seq=0 ttl=255 time=0.530 ms
64 bytes from 192.168.222.10: icmp_seq=1 ttl=255 time=0.471 ms
--- 192.168.222.10 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.471/0.501/0.530/0.030 ms
lenap# sa
@0 pass log all flags S/SA
[ Evaluations: 1 Packets: 4 Bytes: 336 States: 1 ]
[ Inserted: uid 0 pid 41589 State Creations: 1 ]
The statistics after a DNS lookup:
Code:
lenap# dig www.openbsd.org
; <<>> dig 9.10.8-P1 <<>> www.openbsd.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22152
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.openbsd.org. IN A
;; ANSWER SECTION:
www.openbsd.org. 10997 IN A 199.185.178.80
;; Query time: 9 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jul 10 02:52:38 CEST 2022
;; MSG SIZE rcvd: 60
lenap# sa
@0 pass log all flags S/SA
[ Evaluations: 2 Packets: 6 Bytes: 496 States: 1 ]
[ Inserted: uid 0 pid 41589 State Creations: 2 ]
lenap#
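The post compares the 'sas' counters by eye before and after the ping and the DNS lookup. The following added example (my own code, not from the post) parses the per-rule statistics lines that 'sas' prints and reports the counter increase per rule between two snapshots; it assumes the usual OpenBSD pfctl -vvsr layout shown above. Rising Evaluations and Packets counters on the rule you expect are the evidence that the anchor really sees the traffic.

```sh
#!/bin/sh
# Added example, not part of the original post: turn the per-rule statistics
# that 'sas' (pfctl -a "$ANCHOR" -vvsr) prints into one line per rule and
# report how the counters moved between two snapshots, e.g. before and after
# the ping shown in the post.

# pf_rule_stats: read pfctl -vvsr output on stdin and print, per rule:
#   <rule-id> <evaluations> <packets> <bytes> <states> <rule text>
pf_rule_stats() {
    awk '
        /^[ \t]*@[0-9]+ / { rule = $0; sub(/^[ \t]*/, "", rule); id = $1; next }
        /^[ \t]*\[ Evaluations:/ {
            # tokens: [ Evaluations: N Packets: N Bytes: N States: N ]
            printf "%s %s %s %s %s %s\n", id, $3, $5, $7, $9, rule
        }
    '
}

# pf_stats_delta BEFORE AFTER: files holding two pfctl -vvsr snapshots.
# Prints the counter increase per rule id; a rule absent from BEFORE
# (e.g. added by a reload) is reported against zero.
pf_stats_delta() {
    { pf_rule_stats < "$1"; echo '--'; pf_rule_stats < "$2"; } | awk '
        $1 == "--" { after = 1; next }
        !after { ev[$1] = $2; pk[$1] = $3; by[$1] = $4; st[$1] = $5; next }
        { printf "%s evals+%d pkts+%d bytes+%d states+%d\n",
                 $1, $2 - ev[$1], $3 - pk[$1], $4 - by[$1], $5 - st[$1] }
    '
}

# Constructed sample input: the 'sas' output from the post before and after
# the two-packet ping, with the column padding pfctl normally prints.
sample_before() {
    printf '%s\n' '@0 pass log all flags S/SA' \
        '  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]' \
        '  [ Inserted: uid 0 pid 41589 State Creations: 0     ]'
}
sample_after() {
    printf '%s\n' '@0 pass log all flags S/SA' \
        '  [ Evaluations: 1         Packets: 4         Bytes: 336         States: 1     ]' \
        '  [ Inserted: uid 0 pid 41589 State Creations: 1     ]'
}

# On a live system: sas > /tmp/before; generate traffic; sas > /tmp/after;
# pf_stats_delta /tmp/before /tmp/after
```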
The file anchor_load.function:
Code:
# anchor_load.function: source this file with ". ./anchor_load.function"
# ANCHOR: name of the pf anchor; APF: the rule file loaded into it.
ANCHOR=vm
export ANCHOR
APF="monkey.pf"
export APF
cat <<END
(1) Function 'ra' first flushes the rules, then loads a rule set in a pf anchor.
Variables used:
Exported shell variable ANCHOR : $ANCHOR
The name of the pf anchor in your rule set
Exported shell variable APF (Anchor PF) : $APF
File name of the pf ruleset to be loaded into the anchor
To change these variables to another value:
# ANCHOR=wireguard
# APF=wg_anchor1
(2) Function 'fa' flushes (deletes) the anchor
(3) Function 'sas' shows the anchor rules with statistics
END
# ra: reload the anchor. Flush its rules and tables, then load the rule
# file verbosely and show the resulting rules with statistics.
ra() {
    FILE="$APF"
    if [ -e "$FILE" ] ; then
        echo "Flushing anchor $ANCHOR ...."
        pfctl -a "$ANCHOR" -F all
        echo "Loading rules from $FILE into $ANCHOR ...."
        pfctl -a "$ANCHOR" -vvf "$FILE"
        echo
        pfctl -a "$ANCHOR" -vvsr
        echo
    else
        echo "File $FILE does not exist! ..." >&2
        return 10
    fi
}
# fa: flush (empty) the anchor without loading anything.
fa() {
    echo "Flushing anchor $ANCHOR ...."
    pfctl -a "$ANCHOR" -F all
}
# 'sa' is a program to show accounting stats, so we use 'sas'
# sas: show the rules currently in the anchor with per-rule statistics.
sas() {
    #echo Showing stats for anchor $ANCHOR
    pfctl -a "$ANCHOR" -vvsr
}