automatic tables / self statement in pf.conf

mike tancsa mike at sentex.net
Wed Jan 22 13:39:36 UTC 2020


On 1/22/2020 5:13 AM, Miroslav Lachman wrote:
> mike tancsa wrote on 2020/01/20 15:37:
>> Also, is there a better way to monitor pf rule changes?  I don't see
>> any mention in FreeBSD audit?
>
> Monitoring of PF rules is kind of hard and not just because of
> automatic tables. (automatic tables are created by optimizer not only
> for self rules, optimizer can be disabled by -o none)
>
Thanks for these tips!  The other thing I would like to monitor is just
if someone does something like pfctl -f
/tmp/bad.rules;do_bad_things;pfctl -f /etc/pf.conf.  Ideally, an audit
event log would be fired that rules have been re-loaded.  I think
TrustedBSD has such extensions.

https://wiki.freebsd.org/DiegoGiagio/Audit_Firewall_Events_from_Kernel
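A userland approximation of the monitoring asked for above, as an added example that is not part of the thread or of FreeBSD: it snapshots the loaded pf ruleset into a baseline and, on each later run, diffs the live ruleset against that baseline and logs a warning on any difference. The environment knobs PF_DUMP_CMD and PF_BASELINE are hypothetical names chosen for this script; on a real host PF_DUMP_CMD would be left at its default of `pfctl -sr`, and the sample ruleset below is constructed for the test, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the freebsd-pf thread: poll the loaded pf ruleset
# and report when it differs from a stored baseline.
#
# PF_DUMP_CMD (hypothetical knob): command that prints the live ruleset.
#   Default "pfctl -sr" shows filter rules; add "pfctl -sn" for NAT rules.
# PF_BASELINE (hypothetical knob): file holding the trusted ruleset snapshot.

# Print the loaded ruleset with comments and blank lines stripped, so that
# cosmetic edits do not raise alerts. The loaded ruleset is compared, not
# /etc/pf.conf, because a "pfctl -f /tmp/bad.rules" never touches that file.
pf_dump_rules() {
    ${PF_DUMP_CMD:-pfctl -sr} | sed -e 's/#.*$//' -e '/^[[:space:]]*$/d'
}

# Record the currently loaded ruleset as the trusted baseline.
pf_save_baseline() {
    pf_dump_rules > "${PF_BASELINE:-/var/db/pf-rules.baseline}"
}

# Compare the live ruleset with the baseline.
# Exit status: 0 unchanged, 1 changed (unified diff printed, syslog warning
# emitted), 2 when no baseline exists or a temp file cannot be created.
pf_check_rules() {
    baseline="${PF_BASELINE:-/var/db/pf-rules.baseline}"
    [ -f "$baseline" ] || return 2
    current=$(mktemp) || return 2
    pf_dump_rules > "$current"
    if diff -u "$baseline" "$current" > "$current.diff"; then
        rm -f "$current" "$current.diff"
        return 0
    fi
    # Ruleset differs: show what changed and leave a record in syslog.
    cat "$current.diff"
    if command -v logger > /dev/null 2>&1; then
        logger -p security.warning -t pf-monitor \
            "loaded pf ruleset differs from baseline $baseline"
    fi
    rm -f "$current" "$current.diff"
    return 1
}

# Usage: pf-monitor.sh init   (take baseline)   |   pf-monitor.sh check
case "${1:-}" in
    init)  pf_save_baseline ;;
    check) pf_check_rules ;;
esac
```

Run `init` once after loading a known-good /etc/pf.conf and schedule `check` from cron. This only closes part of the gap the post describes: a ruleset swapped in and back out between two polls is invisible to it, and it says nothing about who ran pfctl, which is exactly what a kernel audit event for a ruleset reload would provide.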