automatic tables / self statement in pf.conf
Miroslav Lachman
000.fbsd at quip.cz
Wed Jan 22 14:04:13 UTC 2020
mike tancsa wrote on 2020/01/22 14:39:
> On 1/22/2020 5:13 AM, Miroslav Lachman wrote:
>> mike tancsa wrote on 2020/01/20 15:37:
>>> Also, is there a better way to monitor pf rule changes? I don't see
>>> any mention in FreeBSD audit?
>>
>> Monitoring of PF rules is kind of hard and not just because of
>> automatic tables. (automatic tables are created by optimizer not only
>> for self rules, optimizer can be disabled by -o none)
>>
> Thanks for these tips! The other thing I would like to monitor is just
> if someone does something like pfctl -f
> /tmp/bad.rules;do_bad_things;pfctl -f /etc/pf.conf. Ideally, an audit
> event log would be fired that rules have been re-loaded. I think
> TrustedBSD has such extensions
>
> https://wiki.freebsd.org/DiegoGiagio/Audit_Firewall_Events_from_Kernel
My main purpose in monitoring PF rules is to be notified when some
configuration accident has happened. Once in the past I was surprised by
a machine running for a week or two with empty rules. Or running with some
modified (not saved in pf.conf) rules until reboot, and then half a year
later something broke after a reboot.
Now I am notified about all these events. I don't need audit right now,
but it is a very interesting topic. The TrustedBSD module looks interesting.
Thank you for pointing me to it!
Kind regards
Miroslav Lachman
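The two accidents described in the message above (an empty ruleset, and a ruleset modified in the kernel but never saved to pf.conf) can both be caught by comparing the loaded ruleset against a baseline taken right after a known-good load, plus a checksum of pf.conf to catch the reverse case (pf.conf edited but never reloaded). The script below is an added example, not code from the thread or from FreeBSD; it assumes pfctl(8) as shipped with FreeBSD, a config at /etc/pf.conf and a baseline directory /var/db/pfmon (both overridable through the environment), and that `monitor` is run periodically from root's crontab. Comparing two dumps of the loaded state also sidesteps the optimizer's automatic tables discussed earlier in the thread, since they appear identically in both dumps.

```shell
#!/bin/sh
# pfmon.sh: detect an empty PF ruleset, a loaded ruleset that differs from the
# last known-good load, or a pf.conf edited since that load.
# Added example; not from the mailing-list post. Paths are assumptions.
#   pfmon.sh baseline   run right after a deliberate "pfctl -f /etc/pf.conf"
#   pfmon.sh monitor    run from cron; prints ALERT lines, non-zero exit on any finding

PF_CONF="${PF_CONF:-/etc/pf.conf}"          # assumed config location
BASELINE_DIR="${BASELINE_DIR:-/var/db/pfmon}" # assumed baseline location

tmpfile() { mktemp "${TMPDIR:-/tmp}/pfmon.XXXXXX"; }

# Collapse runs of whitespace and drop blank lines so cosmetic differences
# between two "pfctl -s" dumps do not raise alerts.
normalize_rules() {
    awk '{ gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, ""); if ($0 != "") print }' "$1"
}

# check_ruleset LIVE_DUMP BASELINE_DUMP
# returns 0 = unchanged, 1 = live ruleset is empty, 2 = live differs from baseline
check_ruleset() {
    live_n=$(tmpfile) || return 3
    base_n=$(tmpfile) || { rm -f "$live_n"; return 3; }
    normalize_rules "$1" > "$live_n"
    normalize_rules "$2" > "$base_n"
    if [ ! -s "$live_n" ]; then
        rc=1
    elif cmp -s "$live_n" "$base_n"; then
        rc=0
    else
        rc=2
    fi
    rm -f "$live_n" "$base_n"
    return $rc
}

# check_config CONF CKSUM_FILE
# returns 0 = pf.conf unchanged since baseline, 4 = edited since the last known-good load
check_config() {
    cur=$(cksum < "$1" | cut -d' ' -f1)
    base=$(cat "$2")
    [ "$cur" = "$base" ] && return 0
    return 4
}

# Dump the loaded filter and translation rules (main ruleset only).
dump_live_rules() {
    pfctl -sr
    pfctl -sn
}

save_baseline() {
    mkdir -p "$BASELINE_DIR" &&
    dump_live_rules > "$BASELINE_DIR/rules" &&
    cksum < "$PF_CONF" | cut -d' ' -f1 > "$BASELINE_DIR/conf.cksum"
}

monitor() {
    live=$(tmpfile) || return 3
    dump_live_rules > "$live"
    status=0
    rc=0; check_ruleset "$live" "$BASELINE_DIR/rules" || rc=$?
    rm -f "$live"
    case $rc in
        1) echo "ALERT: PF ruleset is empty"; status=1 ;;
        2) echo "ALERT: loaded PF ruleset differs from baseline (unsaved change or bad load)"; status=2 ;;
        3) echo "ALERT: could not create temporary file"; status=3 ;;
    esac
    if ! check_config "$PF_CONF" "$BASELINE_DIR/conf.cksum"; then
        echo "ALERT: $PF_CONF edited since the last known-good load"
        status=4
    fi
    return $status
}

case "${1:-}" in
    baseline) save_baseline ;;
    monitor)  monitor ;;
esac
```

Two caveats: the baseline must be refreshed after every intended reload, so an administrator who forgets `pfmon.sh baseline` gets a false alarm rather than a missed event, which is the safer failure; and this catches accidents, not an attacker who reloads the rules and then refreshes the baseline, which is what the kernel audit events Mike asked about would cover. Rules inside anchors are not part of `pfctl -sr` output; if the ruleset uses anchors, extend `dump_live_rules` to list them as well.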
More information about the freebsd-pf mailing list