Date: Wed, 22 Jan 2020 08:39:34 -0500
From: mike tancsa <mike@sentex.net>
To: Miroslav Lachman <000.fbsd@quip.cz>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: automatic tables / self statement in pf.conf
Message-ID: <43456d07-4c64-9e4e-a69e-3a64ebf08bf7@sentex.net>
In-Reply-To: <58a84a53-5efe-c753-2d12-a5b3c56afcaa@quip.cz>
References: <5a989609-3366-bcc0-3e6f-d0ad29046f61@sentex.net> <58a84a53-5efe-c753-2d12-a5b3c56afcaa@quip.cz>
On 1/22/2020 5:13 AM, Miroslav Lachman wrote:
> mike tancsa wrote on 2020/01/20 15:37:
>> Also, is there a better way to monitor pf rule changes ? I don't see
>> any mention in FreeBSD audit ?
>
> Monitoring of PF rules is kind of hard and not just because of
> automatic tables. (automatic tables are created by optimizer not only
> for self rules, optimizer can be disabled by -o none)
>

Thanks for these tips! The other thing I would like to monitor is just if someone does something like pfctl -f /tmp/bad.rules;do_bad_things;pfctl -f /etc/pf.conf. Ideally, an audit event log would be fired that rules have been re-loaded. I think TrustedBSD has such extensions

https://wiki.freebsd.org/DiegoGiagio/Audit_Firewall_Events_from_Kernel
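As an added example (not code from this thread), a small pfwatch script that digests the loaded rules and tables and raises a syslog event when they differ from the stored baseline; a load-and-restore that completes between two polls stays invisible, which is exactly the gap a kernel audit event would close. Assumptions: FreeBSD with pfctl(8) and logger(1) present; the baseline path, the syslog tag and the check_ruleset name are my own choices.

```shell
# pfwatch: added example, not code from the thread. Compare the live pf
# ruleset with a stored digest and log a syslog event on any difference.
# Assumptions: FreeBSD pfctl(8) and logger(1); baseline path is arbitrary.
BASELINE="${BASELINE:-/var/db/pf-ruleset.digest}"

# SHA-256 of stdin: sha256(1) on FreeBSD, sha256sum elsewhere.
ruleset_digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q
    else
        sha256sum | cut -d' ' -f1
    fi
}

# Everything a 'pfctl -f' can replace: loaded rules plus table definitions
# (including the optimizer-generated tables the thread mentions).
dump_ruleset() {
    pfctl -sr 2>/dev/null
    pfctl -sT 2>/dev/null
}

# check_ruleset DUMP_FILE BASELINE_FILE
# Returns 0 if the dump matches the baseline, 1 if it differs (a missing
# baseline counts as a change); on a change the baseline is rewritten and
# an auth.warning syslog record is emitted so the event reaches the log host.
check_ruleset() {
    dump="$1"; base="$2"
    new=$(ruleset_digest < "$dump")
    old=""
    [ -r "$base" ] && old=$(cat "$base")
    if [ "$new" = "$old" ]; then
        return 0
    fi
    printf '%s\n' "$new" > "$base"
    logger -p auth.warning -t pfwatch \
        "pf ruleset changed: old=${old:-none} new=$new" 2>/dev/null || :
    return 1
}

# Run from cron, e.g. every minute: 'sh pfwatch.sh run'. A ruleset swapped in
# and back out between two runs is not seen; only a kernel audit event closes that gap.
main() {
    tmp=$(mktemp) || return 2
    dump_ruleset > "$tmp"
    check_ruleset "$tmp" "$BASELINE" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}

[ "$1" = run ] && main
```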