From owner-freebsd-pf@freebsd.org Mon Jan 20 15:16:49 2020
Date: Mon, 20 Jan 2020 16:16:29 +0100
From: Patrick Lamaiziere
To: mike tancsa
Cc: "freebsd-pf@freebsd.org"
Subject: Re: automatic tables / self statement in pf.conf
Message-ID: <20200120161629.7f5725d9@mr185033.univ-rennes1.fr>
In-Reply-To: <5a989609-3366-bcc0-3e6f-d0ad29046f61@sentex.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"
On Mon, 20 Jan 2020 09:37:36 -0500 mike tancsa wrote:

> I have a process that runs every few min looking to see if the pf
> rules changed on some of our firewalls. On one customer unit, we
> have a "self" statement and the script detected a change this
> morning. The rule reads
>
> block log quick from to self
> block log quick from self to
>
> but when shown it looks like
>
> block drop log quick inet from to <__automatic_32a5c00f_0>
> block drop log quick inet from <__automatic_32a5c00f_1> to
>
> I guess 'self' is treated like a table?

Yes.

> The diff that got flagged looked like
>
> -block drop log quick inet from to <__automatic_786310c4_0>
> -block drop log quick inet from <__automatic_786310c4_1> to
> +block drop log quick inet from to <__automatic_32a5c00f_0>
> +block drop log quick inet from <__automatic_32a5c00f_1> to
>
> What would trigger the table name to change like that?

I think that names of automatic tables are more or less random. I've got
two firewalls using the same ruleset (pf.conf) and the name of the
automatic table for self is not the same on both. I think a simple
pfctl -f will change the name.

> Also, is there a better way to monitor pf rule changes? I don't see
> any mention in FreeBSD audit?

I don't know, maybe the checksum changes when the ruleset changes?
# pfctl -vvvv -si
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 11 days 05:32:26           Debug: Urgent
Hostid:   0x19478aad
===> Checksum: 0x964f5ae9bc221aa840ba7323cb649e32
Interface Stats for all              IPv4             IPv6
...

Regards,
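As an added example (not code from this thread, nor from FreeBSD's pf tooling), here is a small POSIX sh helper set for the monitoring problem discussed above: it normalizes the random hex id out of `<__automatic_XXXXXXXX_N>` names before comparing two `pfctl -sr` dumps, and it extracts the ruleset checksum from `pfctl -vvvv -si` output so the two approaches can be compared. The rule dumps and status text are constructed sample data: `<example_table>` stands in for the table name elided in the quoted rules, and the hostid and checksum values are the ones shown in the reply above.

```sh
#!/bin/sh
# Added example (not from the thread or from FreeBSD). Helpers for a pf
# change monitor that is not fooled by the random suffix pf gives to
# automatic tables such as the one created for "self". Every helper
# reads pfctl output on stdin, so saved dumps can be compared offline.

# Replace the random hex id in <__automatic_<hex>_<n>> with a fixed
# token. The trailing index is kept so distinct tables stay distinct.
normalize_rules() {
    sed -E 's/<__automatic_[0-9a-f]+_([0-9]+)>/<__automatic_X_\1>/g'
}

# Compare two `pfctl -sr` dumps (passed as strings) after normalizing.
# Exit status 0 when only automatic table ids differ, 1 when a rule
# really changed.
rules_equivalent() {
    [ "$(printf '%s\n' "$1" | normalize_rules)" = \
      "$(printf '%s\n' "$2" | normalize_rules)" ]
}

# Pull the ruleset checksum out of `pfctl -vvvv -si` output
# (empty output if no Checksum: line is present).
ruleset_checksum() {
    awk '$1 == "Checksum:" { print $2; exit }'
}

# --- constructed sample data (not captured from a live firewall) ---
# <example_table> stands in for the table name elided in the thread.
OLD_RULES='block drop log quick inet from <example_table> to <__automatic_786310c4_0>
block drop log quick inet from <__automatic_786310c4_1> to <example_table>'
NEW_RULES='block drop log quick inet from <example_table> to <__automatic_32a5c00f_0>
block drop log quick inet from <__automatic_32a5c00f_1> to <example_table>'
# Same reload, but the second rule was really edited (block -> pass).
EDITED_RULES='block drop log quick inet from <example_table> to <__automatic_32a5c00f_0>
pass quick inet from <__automatic_32a5c00f_1> to <example_table>'

# Status output shaped like the `pfctl -vvvv -si` excerpt in the reply.
STATUS_SAMPLE='Status: Enabled for 11 days 05:32:26           Debug: Urgent
Hostid:   0x19478aad
Checksum: 0x964f5ae9bc221aa840ba7323cb649e32'

if rules_equivalent "$OLD_RULES" "$NEW_RULES"; then
    echo "reload only renamed automatic tables; no real change"
fi
if ! rules_equivalent "$OLD_RULES" "$EDITED_RULES"; then
    echo "rule text changed: investigate"
fi
echo "ruleset checksum: $(printf '%s\n' "$STATUS_SAMPLE" | ruleset_checksum)"
```

On the firewall itself, pipe `pfctl -sr` through `normalize_rules` and diff the result against the copy saved by the previous run; that alone removes the false positive described in the question. Whether the checksum from `pfctl -vvvv -si` stays stable across a plain `pfctl -f` of an unchanged pf.conf is only raised as a possibility in the reply, so check it on the box in question before relying on it: if it moves together with the automatic table names, the normalized text comparison is the one to keep.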