Date:      Wed, 22 Jan 2020 15:04:10 +0100
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        mike tancsa <mike@sentex.net>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: automatic tables / self statement in pf.conf
Message-ID:  <c1ec20d8-7e13-6a47-3d33-d8d11ae38d44@quip.cz>
In-Reply-To: <43456d07-4c64-9e4e-a69e-3a64ebf08bf7@sentex.net>
References:  <5a989609-3366-bcc0-3e6f-d0ad29046f61@sentex.net> <58a84a53-5efe-c753-2d12-a5b3c56afcaa@quip.cz> <43456d07-4c64-9e4e-a69e-3a64ebf08bf7@sentex.net>

mike tancsa wrote on 2020/01/22 14:39:
> On 1/22/2020 5:13 AM, Miroslav Lachman wrote:
>> mike tancsa wrote on 2020/01/20 15:37:
>>> Also, is there a better way to monitor pf rule changes?  I don't see
>>> any mention in FreeBSD audit?
>>
>> Monitoring of PF rules is kind of hard, and not just because of
>> automatic tables. (Automatic tables are created by the optimizer, not
>> only for self rules; the optimizer can be disabled with -o none.)
>>
> Thanks for these tips!  The other thing I would like to monitor is just
> if someone does something like pfctl -f
> /tmp/bad.rules;do_bad_things;pfctl -f /etc/pf.conf.  Ideally, an audit
> event log would be fired that rules have been re-loaded.  I think
> TrustedBSD has such extensions
> 
> https://wiki.freebsd.org/DiegoGiagio/Audit_Firewall_Events_from_Kernel

My main purpose in monitoring PF rules is to be notified when some
configuration accident has happened. Once in the past I was surprised by
running a machine for a week or two with empty rules. Or running with some
modified (not saved in pf.conf) rules until reboot, and then half a year
later something broke after the reboot.
Now I am notified about all these events. I don't need audit right now,
but it is a very interesting topic. The TrustedBSD module looks interesting.

Thank you for pointing me to it!

Kind regards
Miroslav Lachman
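Added example, not code from the thread or from FreeBSD: a small POSIX sh checker for the two accidents Miroslav describes above, an empty loaded ruleset and loaded rules that have drifted from what was last deliberately loaded. It keeps a baseline dump of `pfctl -sr` taken right after a reviewed `pfctl -f /etc/pf.conf` and compares the live dump against it; pfctl and cron are assumed, and the baseline path and function names are my own.

```shell
#!/bin/sh
# Baseline dump of "pfctl -sr" taken after a reviewed rule load (assumed path).
BASELINE=${PF_BASELINE:-/var/db/pf.rules.baseline}
# Normalise a rule dump: drop comments and blank lines, collapse whitespace,
# so cosmetic differences between dumps do not count as drift.
norm_rules() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# compare_rulesets LOADED_DUMP BASELINE_DUMP
# Prints EMPTY (exit 2) if no rules are loaded, DRIFT (exit 1) if the loaded
# rules differ from the baseline, OK (exit 0) otherwise. Diff goes to stderr.
compare_rulesets() {
    loaded=$(norm_rules "$1")
    baseline=$(norm_rules "$2")
    if [ -z "$loaded" ]; then
        echo EMPTY
        return 2
    fi
    if [ "$loaded" != "$baseline" ]; then
        echo DRIFT
        diff -u "$2" "$1" >&2 || true
        return 1
    fi
    echo OK
}

# Save the baseline right after a deliberate "pfctl -f /etc/pf.conf".
pf_snapshot() {
    pfctl -sr > "$BASELINE"
}

# Cron entry point: compare the live ruleset with the baseline and report.
pf_check() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not available" >&2; return 3; }
    [ -s "$BASELINE" ] || { echo "no baseline at $BASELINE" >&2; return 3; }
    tmp=$(mktemp) || return 3
    pfctl -sr > "$tmp" 2>/dev/null
    status=$(compare_rulesets "$tmp" "$BASELINE")
    rc=$?
    rm -f "$tmp"
    echo "pf ruleset check on $(hostname): $status"
    return $rc
}

case "${1:-}" in
    snapshot) pf_snapshot ;;
    check)    pf_check ;;
esac
```

Run `script snapshot` once after each intended rule load and `script check` from cron; cron mails any output, so an EMPTY or DRIFT result (with the diff on stderr) arrives as the notification.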