From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-pf@freebsd.org
Date: Wed, 23 Dec 2009 00:50:09 +0100
Subject: How to export / save and compare PF rule sets

Hi,

I am planning to write a script to check PF rulesets and send e-mail / SMS alerts on changes. I am planning to check the rules periodically, on boot, and save the "current" state on shutdown. Compare the rules on boot with the state on shutdown and report differences, and check differences of the current rules compared to a well known (read only / signed) file used at boot.

The main problem is that pfctl is not consistent in output when used on the current (live) ruleset and on a file. Example:

# pfctl -s a | egrep '^(binat|nat|rdr|scrub|block|pass) .*' > /var/tmp/pf_rules.current
# pfctl -nvf /etc/pf.conf | egrep '^(binat|nat|rdr|scrub|block|pass) .*' > /var/tmp/pf_rules.boot
# diff /var/tmp/pf_rules.boot /var/tmp/pf_rules.current
1,2d0
< scrub in on bge1 all fragment reassemble
< scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble
6a5,6
> scrub in on bge1 all fragment reassemble
> scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble

As you can see, the scrub rules are placed on different lines, but only if there are nat/rdr rules defined. scrub is before the nat/rdr rules in the case of "pfctl -s a" and after nat/rdr in the case of "pfctl -nvf /etc/pf.conf".

Is there any other way I can export live and saved rules in the same format and the same order, ready for comparison by diff? Or can it be fixed in the pfctl sources and committed?

This is on FreeBSD 7.2-RELEASE GENERIC amd64. Can somebody test it on 8.0 or CURRENT?

Thanks for any suggestions

Miroslav Lachman
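One way to work around the ordering difference described above, as an added example that is not part of Miroslav's post: normalise both listings into a fixed section order (scrub, then nat/rdr/binat, then block/pass, keeping the original order inside each section) before running diff. The function names, the awk grouping and the constructed sample listings are my own assumptions; the script only relies on pfctl printing one rule per line as in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Reads pfctl rule output on
# stdin (from "pfctl -s a" or "pfctl -nvf /etc/pf.conf") and prints only
# the rule lines, grouped as: scrub, then nat/rdr/binat, then block/pass.
# Filter rules keep their relative order because pf evaluates them in order.
normalize_pf_rules() {
    awk '
    BEGIN { ns = 0; nx = 0; nf = 0 }
    /^scrub /           { scrub[++ns] = $0; next }
    /^(nat|rdr|binat) / { xlat[++nx]  = $0; next }
    /^(block|pass) /    { filt[++nf]  = $0; next }
    { next }  # drop counters, table listings and anything else
    END {
        for (i = 1; i <= ns; i++) print scrub[i]
        for (i = 1; i <= nx; i++) print xlat[i]
        for (i = 1; i <= nf; i++) print filt[i]
    }'
}

# Diff two saved listings after normalisation. Exit status follows diff:
# 0 = rulesets match, 1 = they differ (alert), 2 = error.
# $1 = baseline listing (e.g. the signed boot copy), $2 = current listing.
pf_rules_differ() {
    tmp=$(mktemp -d) || return 2
    normalize_pf_rules < "$1" > "$tmp/baseline"
    normalize_pf_rules < "$2" > "$tmp/current"
    diff -u "$tmp/baseline" "$tmp/current"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Example use from a periodic job (paths as in the post):
#   pfctl -s a > /var/tmp/pf_rules.current
#   pf_rules_differ /var/tmp/pf_rules.boot /var/tmp/pf_rules.current \
#       || mail -s "pf ruleset changed" root
```

A change inside a section (a rule added, removed or reworded) still shows up in the diff; only the placement of the scrub block relative to the translation rules is folded away.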