Date: Mon, 20 Jan 2020 16:16:29 +0100
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: mike tancsa <mike@sentex.net>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: automatic tables / self statement in pf.conf
Message-ID: <20200120161629.7f5725d9@mr185033.univ-rennes1.fr>
In-Reply-To: <5a989609-3366-bcc0-3e6f-d0ad29046f61@sentex.net>
References: <5a989609-3366-bcc0-3e6f-d0ad29046f61@sentex.net>
On Mon, 20 Jan 2020 09:37:36 -0500
mike tancsa <mike@sentex.net> wrote:

> I have a process that runs every few min looking to see if the pf
> rules changed on some of our firewalls. On one customer unit, we
> have a "self" statement and the script detected a change this
> morning. The rule reads
>
> block log quick from <rejects> to self
> block log quick from self to <rejects>
>
> but when shown it looks like
>
> block drop log quick inet from <rejects> to <__automatic_32a5c00f_0>
> block drop log quick inet from <__automatic_32a5c00f_1> to <rejects>
>
> I guess 'self' is treated like a table ?

Yes.

> The diff that got flagged
> looked like
>
> -block drop log quick inet from <rejects> to <__automatic_786310c4_0>
> -block drop log quick inet from <__automatic_786310c4_1> to <rejects>
> +block drop log quick inet from <rejects> to <__automatic_32a5c00f_0>
> +block drop log quick inet from <__automatic_32a5c00f_1> to <rejects>
>
> What would trigger the table name to change like that ?

I think that names of automatic tables are more or less random. I've got
two firewalls using the same ruleset (pf.conf) and the name of the
automatic table for self is not the same on both. I think a simple
pfctl -f will change the name.

> Also, is there a better way to monitor pf rule changes ? I don't see
> any mention in FreeBSD audit ?

I don't know, maybe the checksum changes when the ruleset changes ?

# pfctl -vvvv -si
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 11 days 05:32:26           Debug: Urgent
Hostid:   0x19478aad
===> Checksum: 0x964f5ae9bc221aa840ba7323cb649e32
Interface Stats for all               IPv4             IPv6
...

Regards,
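The monitoring problem raised in this message, that a plain diff of `pfctl -sr` output flags every reload because the anchorless tables created for `self` get a fresh `__automatic_<hex>_<n>` name, can be handled by normalising the listing before comparing it. The following is an added example written for this archive page; it is not code from the thread or from the pf project. It assumes the rule and status line formats shown above, the helper names (`normalize_pf_rules`, `pf_checksum_from_status`, `rulesets_equal`) are my own, and the sample rule listings and status excerpt are constructed from the two listings quoted in the thread so that it runs offline.

```sh
#!/bin/sh
# Added example, not from the thread or from pf itself.
# Helpers for a pf ruleset-change monitor:
#  - normalize_pf_rules() rewrites <__automatic_<hex>_<n>> to <__automatic_<n>>,
#    keeping only the per-rule index, so a reload that merely renames the
#    "self" tables does not show up as a ruleset change;
#  - pf_checksum_from_status() extracts the ruleset checksum from `pfctl -si`.
# Both read stdin, so on a live box they can be fed from pfctl directly.
# Assumption: line formats are the ones shown in the thread.

normalize_pf_rules() {
    sed -E 's/<__automatic_[0-9a-f]+_([0-9]+)>/<__automatic_\1>/g'
}

pf_checksum_from_status() {
    # Last field of the "Checksum:" line, whatever precedes the keyword.
    awk '/Checksum:/ { print $NF }'
}

# Compare two rule listings after normalisation; exit status 0 if identical.
rulesets_equal() {
    re_a=$(printf '%s\n' "$1" | normalize_pf_rules)
    re_b=$(printf '%s\n' "$2" | normalize_pf_rules)
    [ "$re_a" = "$re_b" ]
}

# Constructed sample input: the two listings from the thread, which differ
# only in the random table-name suffix, plus a listing with a real change.
OLD_RULES='block drop log quick inet from <rejects> to <__automatic_786310c4_0>
block drop log quick inet from <__automatic_786310c4_1> to <rejects>'
NEW_RULES='block drop log quick inet from <rejects> to <__automatic_32a5c00f_0>
block drop log quick inet from <__automatic_32a5c00f_1> to <rejects>'
CHANGED_RULES='block drop log quick inet from <rejects> to <__automatic_32a5c00f_0>
pass quick on lo0'

# Constructed excerpt of `pfctl -si` output (checksum value from the thread).
STATUS_OUT='Status: Enabled for 11 days 05:32:26           Debug: Urgent
Hostid:   0x19478aad
Checksum: 0x964f5ae9bc221aa840ba7323cb649e32'

if rulesets_equal "$OLD_RULES" "$NEW_RULES"; then
    echo "only automatic table names changed: no alert"
fi
if ! rulesets_equal "$OLD_RULES" "$CHANGED_RULES"; then
    echo "ruleset really changed: alert"
fi
echo "checksum: $(printf '%s\n' "$STATUS_OUT" | pf_checksum_from_status)"
```

On a firewall the monitor would store `pfctl -sr | normalize_pf_rules | sha256` and compare the stored hash on each run, which survives the `__automatic_` renames while still catching edited, added or removed rules. Treat the `pfctl -si` checksum as a second signal rather than a replacement: as far as I recall it is computed over the loaded rules including the table names they reference, so it may change on every `pfctl -f` just like the automatic table names do; check that on a test box before alerting on it.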
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200120161629.7f5725d9>