From owner-freebsd-pf@freebsd.org Mon Jan 20 14:37:36 2020
From: mike tancsa <mike@sentex.net>
To: freebsd-pf@freebsd.org
Subject: automatic tables / self statement in pf.conf
Date: Mon, 20 Jan 2020 09:37:36 -0500
List-Id: "Technical discussion and general questions about packet filter (pf)"

I have a process that runs every few min looking to see if the pf rules
changed on some of our firewalls.  On one customer unit, we have a "self"
statement and the script detected a change this morning.  The rule reads

block log quick from to self
block log quick from self to

but when shown it looks like

block drop log quick inet from to <__automatic_32a5c00f_0>
block drop log quick inet from <__automatic_32a5c00f_1> to

I guess 'self' is treated like a table? The diff that got flagged looked like

-block drop log quick inet from to <__automatic_786310c4_0>
-block drop log quick inet from <__automatic_786310c4_1> to
+block drop log quick inet from to <__automatic_32a5c00f_0>
+block drop log quick inet from <__automatic_32a5c00f_1> to

What would trigger the table name to change like that?

Also, is there a better way to monitor pf rule changes? I don't see any
mention in FreeBSD audit?
    ---Mike

From owner-freebsd-pf@freebsd.org Mon Jan 20 15:16:49 2020
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: mike tancsa <mike@sentex.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: automatic tables / self statement in pf.conf
Date: Mon, 20 Jan 2020 16:16:29 +0100

On Mon, 20 Jan 2020 09:37:36 -0500
mike tancsa wrote:

> I have a process that runs every few min looking to see if the pf
> rules changed on some of our firewalls.  On one customer unit, we
> have a "self" statement and the script detected a change this
> morning.  The rule reads
>
> block log quick from to self
> block log quick from self to
>
> but when shown it looks like
>
> block drop log quick inet from to <__automatic_32a5c00f_0>
> block drop log quick inet from <__automatic_32a5c00f_1> to
>
> I guess 'self' is treated like a table?

Yes.

> The diff that got flagged
> looked like
>
> -block drop log quick inet from to <__automatic_786310c4_0>
> -block drop log quick inet from <__automatic_786310c4_1> to
> +block drop log quick inet from to <__automatic_32a5c00f_0>
> +block drop log quick inet from <__automatic_32a5c00f_1> to
>
> What would trigger the table name to change like that?

I think that names of automatic tables are more or less random. I've
got two firewalls using the same ruleset (pf.conf) and the name
of the automatic table for self is not the same on both.

I think a simple pfctl -f will change the name.

> Also, is there a better way to monitor pf rule changes? I don't see
> any mention in FreeBSD audit?
I don't know, maybe the checksum changes when the ruleset changes?

# pfctl -vvvv -si
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 11 days 05:32:26           Debug: Urgent

Hostid:   0x19478aad
===> Checksum: 0x964f5ae9bc221aa840ba7323cb649e32

Interface Stats for all               IPv4             IPv6
...

Regards,

From owner-freebsd-pf@freebsd.org Mon Jan 20 17:10:57 2020
From: mike tancsa <mike@sentex.net>
To: Patrick Lamaiziere <patfbsd@davenulle.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: automatic tables / self statement in pf.conf
Date: Mon, 20 Jan 2020 12:10:55 -0500

On 1/20/2020 10:16 AM, Patrick Lamaiziere wrote:
> What would trigger the table name to change like that?
> I think that names of automatic tables are more or less random. I've
> got two firewalls using the same ruleset (pf.conf) and the name
> of the automatic table for self is not the same on both.
>
> I think a simple pfctl -f will change the name.

Yes, looks like it.

>> Also, is there a better way to monitor pf rule changes? I don't see
>> any mention in FreeBSD audit?
> I don't know, maybe the checksum changes when the ruleset changes?
It does, but if someone added a rule and then removed it, the checksum
would be the same it seems, and there would be no record of the addition
and deletion of the rule.

    ---Mike

>
> # pfctl -vvvv -si
> No ALTQ support in kernel
> ALTQ related functions disabled
> Status: Enabled for 11 days 05:32:26           Debug: Urgent
>
> Hostid:   0x19478aad
> ===> Checksum: 0x964f5ae9bc221aa840ba7323cb649e32
>
> Interface Stats for all               IPv4             IPv6
> ...
>
> Regards,
>

From owner-freebsd-pf@freebsd.org Wed Jan 22 10:13:30 2020
From: Miroslav Lachman <000.fbsd@quip.cz>
To: mike tancsa <mike@sentex.net>, freebsd-pf@freebsd.org
Subject: Re: automatic tables / self statement in pf.conf
Date: Wed, 22 Jan 2020 11:13:25 +0100

mike tancsa wrote on 2020/01/20 15:37:
> I have a process that runs every few min looking to see if the pf rules
> changed on some of our firewalls.  On one customer unit, we have a
> "self" statement and the script detected a change this morning.  The
> rule reads
>
> block log quick from to self
> block log quick from self to
>
> but when shown it looks like
>
> block drop log quick inet from to <__automatic_32a5c00f_0>
> block drop log quick inet from <__automatic_32a5c00f_1> to
>
> I guess 'self' is treated like a table? The diff that got flagged
> looked like
>
> -block drop log quick inet from to <__automatic_786310c4_0>
> -block drop log quick inet from <__automatic_786310c4_1> to
> +block drop log quick inet from to <__automatic_32a5c00f_0>
> +block drop log quick inet from <__automatic_32a5c00f_1> to
>
> What would trigger the table name to change like that?
>
> Also, is there a better way to monitor pf rule changes? I don't see any
> mention in FreeBSD audit?

Monitoring of PF rules is kind of hard, and not just because of automatic
tables. (Automatic tables are created by the optimizer not only for self
rules; the optimizer can be disabled by -o none.)

We are monitoring changes between production rules in pf.conf, testing
temporary rules in pf.conf.tmp and live running rules.
pfctl -s all prints scrub / NAT / rules in a different order than
pfctl -nvf /etc/pf.conf does.

I chose to replace random automatic table names with sequence numbers
so they are still the same. This is the part of our script solving this
issue.
==========snippet===========
## this ugly awk hack is needed because PF rules optimizer creates __automatic_
## tables when machine has many IPs and similar rules for them
## but tables are named randomly / different for live rules and pfctl -nvf
## live:
## block drop in quick inet from <__automatic_fc1015f3_0> to any
## file parser
## block drop in quick inet from <__automatic_0> to any
##
## awk will replace automatic table name with own incremental sequence
## (the counter advances once per line that mentions an automatic table)
pfctl -nvf /etc/pf.conf | egrep '^(nat|rdr|scrub|block|pass)' |
    awk '{ if ( $0 ~ /<__automatic_[^>]*>/ ) { ac=ac+1; c=ac-1; gsub(/__automatic_[^>]*/, "__automatic_"c); } { print $0 } }' > "$tmp_prod"

pfctl -nvf /etc/pf.conf.tmp | egrep '^(nat|rdr|scrub|block|pass)' |
    awk '{ if ( $0 ~ /<__automatic_[^>]*>/ ) { ac=ac+1; c=ac-1; gsub(/__automatic_[^>]*/, "__automatic_"c); } { print $0 } }' > "$tmp_temp"

## live rules must be re-ordered because pfctl prints scrub with filter rules
## together for live rules, but scrub / NAT / filter rules for check from file
_pf_live=$(pfctl -s all | egrep '^(nat|rdr|scrub|block|pass)' |
    awk '{ if ( $0 ~ /<__automatic_[^>]*>/ ) { ac=ac+1; c=ac-1; gsub(/__automatic_[^>]*/, "__automatic_"c); } { print $0 } }')
_live_scrub=$(echo "$_pf_live" | grep '^scrub')
_live_nat=$(echo "$_pf_live" | egrep '^(nat|rdr)')
_live_rules=$(echo "$_pf_live" | egrep '^(block|pass)')

## create empty file
: > "$tmp_live"

## write the live rules in the same section order as the file parser output
if [ -n "$_live_scrub" ]; then
	echo "$_live_scrub" >> "$tmp_live"
fi
if [ -n "$_live_nat" ]; then
	echo "$_live_nat" >> "$tmp_live"
fi
if [ -n "$_live_rules" ]; then
	echo "$_live_rules" >> "$tmp_live"
fi
==========snippet===========

Then we can check for differences between all created files + the last known
live ruleset from the previous run.
Kind regards
Miroslav Lachman

From owner-freebsd-pf@freebsd.org Wed Jan 22 13:39:36 2020
From: mike tancsa <mike@sentex.net>
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-pf@freebsd.org
Subject: Re: automatic tables / self statement in pf.conf
Date: Wed, 22 Jan 2020 08:39:34 -0500

On 1/22/2020 5:13 AM, Miroslav Lachman wrote:
> mike tancsa wrote on 2020/01/20 15:37:
>> Also, is there a better way to monitor pf rule changes?  I don't see
>> any mention in FreeBSD audit?
>
> Monitoring of PF rules is kind of hard and not just because of
> automatic tables. (automatic tables are created by optimizer not only
> for self rules, optimizer can be disabled by -o none)
>

Thanks for these tips!  The other thing I would like to monitor is just
if someone does something like pfctl -f
/tmp/bad.rules;do_bad_things;pfctl -f /etc/pf.conf.  Ideally, an audit
event log would be fired that rules have been re-loaded.  I think
TrustedBSD has such extensions

https://wiki.freebsd.org/DiegoGiagio/Audit_Firewall_Events_from_Kernel

From owner-freebsd-pf@freebsd.org Wed Jan 22 14:04:13 2020
From: Miroslav Lachman <000.fbsd@quip.cz>
To: mike tancsa <mike@sentex.net>, freebsd-pf@freebsd.org
Subject: Re: automatic tables / self statement in pf.conf
Date: Wed, 22 Jan 2020 15:04:10 +0100
mike tancsa wrote on 2020/01/22 14:39:
> On 1/22/2020 5:13 AM, Miroslav Lachman wrote:
>> mike tancsa wrote on 2020/01/20 15:37:
>>> Also, is there a better way to monitor pf rule changes?  I don't see
>>> any mention in FreeBSD audit?
>>
>> Monitoring of PF rules is kind of hard and not just because of
>> automatic tables. (automatic tables are created by optimizer not only
>> for self rules, optimizer can be disabled by -o none)
>>
> Thanks for these tips!  The other thing I would like to monitor is just
> if someone does something like pfctl -f
> /tmp/bad.rules;do_bad_things;pfctl -f /etc/pf.conf.  Ideally, an audit
> event log would be fired that rules have been re-loaded.  I think
> TrustedBSD has such extensions
>
> https://wiki.freebsd.org/DiegoGiagio/Audit_Firewall_Events_from_Kernel

My main purpose in monitoring PF rules is to be notified when some
configuration accident has happened. Once in the past I was surprised by
running a machine for a week or two with empty rules. Or running with some
modified (not saved in pf.conf) rules until reboot, and then half a year
later something broke after the reboot. Now I am notified about all these
events.

I don't need audit right now, but it is a very interesting topic. The
TrustedBSD module looks interesting. Thank you for pointing me to it!

Kind regards
Miroslav Lachman