Marco S Hyman (*nix forums beginner; joined 04 Mar 2005; posts: 36)
Posted: Sat Mar 19, 2005 10:17 pm
Subject: Re: PF: Dynamically add/delete/modify Tables
sam <sam.wun@authtec.com> writes:
> It works well with dynamic tables. How about dynamic nat and rdr rules?
> I want to group all nat and rdr rules into one single file, then use pfctl
> -e -f nat.conf to initialise PF before pf is enabled. But I'm curious

Doesn't need to be in a separate file. See the -N option of pfctl.

> How about defining a list of port numbers in a text file and using pfctl -T
> to load the table of port numbers into PF state tables?

I believe tables can only be used to store addresses, not ports.
Given that, you can change this:

> table <permitted_ports>
> pass in on {$ext_if,$int_if} proto tcp from any to any port = \
>     <permitted_ports> flags S/SA keep state

to something like this:

ports = "{ foo, bar, baz, ... }"
pass in on {$ext_if,$int_if} proto tcp from any to any port $ports \
    flags S/SA keep state

But I prefer to list each open port in a separate rule (which is what
the above would expand to, anyway). It makes it easier to
change things, e.g. queuing, max-src-conn-rate, etc., on a per-port
basis.

// marc
sam (*nix forums Guru Wannabe; joined 08 Mar 2005; posts: 154)
Posted: Sat Mar 19, 2005 2:28 pm
Subject: Re: PF: Dynamically add/delete/modify Tables
sam wrote:
> Marco S Hyman wrote:
> > sam <sam.wun@authtec.com> writes:
> > > Can PF dynamically add/delete/modify Tables on the fly?
> > Yep. You can do it from pfctl *and* pf can do it from a ruleset.
> > Example:
> > # pfctl -t nasty -T show
> > <list of addresses in the nasty table>
> > Inside my pf.conf I've this:
> > ----------
> > table <nasty> persist file "/etc/nasty"
> > ....
> > block drop in quick from <nasty> to any
> > ....
> > pass in proto tcp to <pubaddr> port ssh flags S/SA queue qext \
> >     keep state (max-src-conn-rate 8/60, overload <nasty> flush global)
> > ----------
> > 'table ...' defines the table nasty and initializes it from a file
> > 'block ...' drops all connections from any address in the nasty table
> > 'pass ...' allows incoming connections to ssh, but if I get 8 connections
> > in 60 seconds the address is added to the nasty table and all states
> > from that address are immediately flushed.
>
> It works well with dynamic tables. How about dynamic nat and rdr rules?
> I want to group all nat and rdr rules into one single file, then use
> pfctl -e -f nat.conf to initialise PF before pf is enabled. But I'm
> curious whether pf will pass everything in if I only enable nat and
> rdr in the rules, e.g.:
>
> nat on $ext_if from $int_net to $any -> ($ext_if)
> rdr on $ext_if proto tcp from any to $ext_if port 25 -> {$int_mail} port 25
>
> Without any block rules, it will initially pass the traffic from port
> 25 to $int_mail.

Obviously this is not possible.

How about defining a list of port numbers in a text file and using pfctl -T
to load the table of port numbers into PF state tables?
E.g. table and pass rules defined in pf.conf:

table <permitted_ports>
pass in on {$ext_if,$int_if} proto tcp from any to any port = \
    <permitted_ports> flags S/SA keep state

# pfctl -t permitted_ports -T add -f permitted_ports.conf
or
# pfctl -t permitted_ports -T replace -f permitted_ports.conf

Sam

> > This is available in -current. I don't remember if it was in 3.6.
> > This is all described in the -current pf.conf(5).
> > // marc
sam (*nix forums Guru Wannabe; joined 08 Mar 2005; posts: 154)
Posted: Sat Mar 19, 2005 8:07 am
Subject: Re: PF: Dynamically add/delete/modify Tables
Marco S Hyman wrote:
> sam <sam.wun@authtec.com> writes:
> > Can PF dynamically add/delete/modify Tables on the fly?
> Yep. You can do it from pfctl *and* pf can do it from a ruleset.
> Example:
> # pfctl -t nasty -T show
> <list of addresses in the nasty table>
> Inside my pf.conf I've this:
> ----------
> table <nasty> persist file "/etc/nasty"
> ....
> block drop in quick from <nasty> to any
> ....
> pass in proto tcp to <pubaddr> port ssh flags S/SA queue qext \
>     keep state (max-src-conn-rate 8/60, overload <nasty> flush global)
> ----------
> 'table ...' defines the table nasty and initializes it from a file
> 'block ...' drops all connections from any address in the nasty table
> 'pass ...' allows incoming connections to ssh, but if I get 8 connections
> in 60 seconds the address is added to the nasty table and all states
> from that address are immediately flushed.

It works well with dynamic tables. How about dynamic nat and rdr rules?
I want to group all nat and rdr rules into one single file, then use
pfctl -e -f nat.conf to initialise PF before pf is enabled. But I'm
curious whether pf will pass everything in if I only enable nat and
rdr in the rules, e.g.:

nat on $ext_if from $int_net to $any -> ($ext_if)
rdr on $ext_if proto tcp from any to $ext_if port 25 -> {$int_mail} port 25

Without any block rules, it will initially pass the traffic from port
25 to $int_mail.

Sam.

> This is available in -current. I don't remember if it was in 3.6.
> This is all described in the -current pf.conf(5).
> // marc
Tilman Bohn (*nix forums beginner; joined 14 Mar 2005; posts: 5)
Posted: Fri Mar 18, 2005 3:18 pm
Subject: Re: PF: Dynamically add/delete/modify Tables
In message <iKedncIhCfwXdKffRVn-hw@comcast.com>,
Shane Almeida wrote on Fri, 18 Mar 2005 08:45:30 -0600:
[...]
> Any chance of you posting the script somewhere? I started to implement
> something similar, but never got around to finishing it.

Actually, mine is kinda unfinished too... Seriously though, I'll
have to clean it up a bit, and at least add some comments about its
shortcomings. It's in two parts, one script that simply adds a given IP
to a pre-existing pf table (you'll have to have appropriate rules for the
table), and another tailing authlog and doing some additional bookkeeping
(e.g., remember the time added for each entry). The plan was to time out
entries after a configurable interval, but that's the part that's
unfinished. Also I've been meaning to switch to using File::Tail
instead of my simple-minded while(<AL>) approach, which doesn't play nice
with log rotation.

Anyway, I just realized that if I want the timeout option at some point
I'll still have to keep using these scripts or an updated version even
with the -current pf, so I'll see if I can get it into a state fit to be
published over the weekend and tack on a license. (Right now I only have
it running on customers' sites, so it's only directly licensed to them.)
So no guarantees -- I have more than enough work cut out for me for
this weekend as it stands. But do check back here some time next week,
I'll let you know in this thread if and when I put it up somewhere. This
conversation actually re-incited my interest in the thing, so chances are
pretty good.
--
Cheers, Tilman
`Boy, life takes a long time to live...' -- Steven Wright
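An added example (not Tilman's script, which was never posted in this thread) of the authlog-watching approach he describes: it counts failed sshd logins per source address, produces the `pfctl -t <table> -T add` command once a threshold is reached, and produces the matching `-T delete` after a configurable timeout, which is the part he says was unfinished. The table name, threshold, timeout, fixed year and the sample log lines are all constructed assumptions; the pfctl commands are returned as strings rather than executed, so the bookkeeping can be checked offline.

```python
import re
from datetime import datetime
TABLE = "nasty"    # table from Marco's ruleset; any persist table with block rules works
THRESHOLD = 3      # failed logins from one address before it is added (assumed value)
TIMEOUT = 3600     # seconds an address stays in the table (assumed value)
YEAR = 2005        # syslog lines carry no year; fixed for the constructed sample below
# Constructed sample authlog lines in OpenBSD sshd format, not real traffic.
SAMPLE_AUTHLOG = """\
Mar 18 08:00:01 gw sshd[1234]: Failed password for root from 192.0.2.10 port 40000 ssh2
Mar 18 08:00:03 gw sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Mar 18 08:00:05 gw sshd[1236]: Failed password for root from 192.0.2.10 port 40002 ssh2
Mar 18 08:00:07 gw sshd[1237]: Accepted publickey for marc from 198.51.100.7 port 50000 ssh2
Mar 18 08:00:09 gw sshd[1238]: Failed password for root from 203.0.113.5 port 40003 ssh2
"""
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+")

class TableWatcher:
    """Per-address bookkeeping; pfctl commands are returned, not executed."""
    def __init__(self):
        self.failures = {}   # ip -> failed-login count
        self.added = {}      # ip -> unix time the address was added to the table

    def feed(self, line):
        """Consume one authlog line; return the pfctl command to run, or None."""
        m = FAILED.match(line)
        if not m:
            return None
        ip = m.group(2)
        if ip in self.added:
            return None                      # already in the table, nothing to do
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < THRESHOLD:
            return None
        self.added[ip] = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S").timestamp()
        return f"pfctl -t {TABLE} -T add {ip}"

    def expire(self, now):
        """Return pfctl commands removing entries added TIMEOUT or more seconds ago."""
        cmds = []
        for ip, added_at in list(self.added.items()):
            if now - added_at >= TIMEOUT:
                del self.added[ip]
                self.failures.pop(ip, None)  # a later burst must count from zero again
                cmds.append(f"pfctl -t {TABLE} -T delete {ip}")
        return cmds

def run_sample():
    w = TableWatcher()
    cmds = [c for c in map(w.feed, SAMPLE_AUTHLOG.splitlines()) if c]
    return cmds + w.expire(w.added["192.0.2.10"] + TIMEOUT)
```

Feeding a live authlog through `feed()` and calling `expire(time.time())` on a timer reproduces the two-part design; the commands it returns are the same `-T add` / `-T delete` operations quoted from pfctl(8) earlier in the thread.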
Shane Almeida (*nix forums beginner; joined 20 Feb 2005; posts: 28)
Posted: Fri Mar 18, 2005 1:45 pm
Subject: Re: PF: Dynamically add/delete/modify Tables
On Fri, 18 Mar 2005 08:23:34 GMT, Tilman Bohn wrote:
> It's not, at least according to the man page. Looking forward to
> 3.7 now, so I can retire my homegrown perl script doing something
> equivalent by tailing authlog, which I've always considered a bit of
> a hack (although it works).

Any chance of you posting the script somewhere? I started to implement
something similar, but never got around to finishing it.
Tilman Bohn (*nix forums beginner; joined 14 Mar 2005; posts: 5)
Posted: Fri Mar 18, 2005 7:23 am
Subject: Re: PF: Dynamically add/delete/modify Tables
In message <x74qf9tvex.fsf@neko.snafu.org>,
Marco S Hyman wrote on Fri, 18 Mar 2005 05:17:02 GMT:
[...]
> pass in proto tcp to <pubaddr> port ssh flags S/SA queue qext \
>     keep state (max-src-conn-rate 8/60, overload <nasty> flush global)

Nice!
[...]
> This is available in -current. I don't remember if it was in 3.6.

It's not, at least according to the man page. Looking forward to
3.7 now, so I can retire my homegrown perl script doing something
equivalent by tailing authlog, which I've always considered a bit of
a hack (although it works).

Thanks for pointing this out!
--
Cheers, Tilman
`Boy, life takes a long time to live...' -- Steven Wright
Marco S Hyman (*nix forums beginner; joined 04 Mar 2005; posts: 36)
Posted: Fri Mar 18, 2005 4:17 am
Subject: Re: PF: Dynamically add/delete/modify Tables
sam <sam.wun@authtec.com> writes:
> Can PF dynamically add/delete/modify Tables on the fly?

Yep. You can do it from pfctl *and* pf can do it from a ruleset.
Example:

# pfctl -t nasty -T show
<list of addresses in the nasty table>

Inside my pf.conf I've this:
----------
table <nasty> persist file "/etc/nasty"
....
block drop in quick from <nasty> to any
....
pass in proto tcp to <pubaddr> port ssh flags S/SA queue qext \
    keep state (max-src-conn-rate 8/60, overload <nasty> flush global)
----------
'table ...' defines the table nasty and initializes it from a file
'block ...' drops all connections from any address in the nasty table
'pass ...' allows incoming connections to ssh, but if I get 8 connections
in 60 seconds the address is added to the nasty table and all states
from that address are immediately flushed.

This is available in -current. I don't remember if it was in 3.6.
This is all described in the -current pf.conf(5).

// marc
Peter N. M. Hansteen (*nix forums addict; joined 19 Feb 2005; posts: 86)
Posted: Thu Mar 17, 2005 2:00 pm
Subject: Re: PF: Dynamically add/delete/modify Tables
sam <sam.wun@authtec.com> writes:
> Can PF dynamically add/delete/modify Tables on the fly?
> It looks like it does according to the following info from man pfctl:

yes, pfctl can do that.

> Has anyone tried out this feature with pfctl?

yes. it works. some very minor examples reported at
http://www.bgnett.no/~peter/pf/en/tables.html
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
sam (*nix forums Guru Wannabe; joined 08 Mar 2005; posts: 154)
Posted: Thu Mar 17, 2005 1:53 pm
Subject: PF: Dynamically add/delete/modify Tables
Hi,

Can PF dynamically add/delete/modify Tables on the fly?
It looks like it does according to the following info from man pfctl:

-T add       Add one or more addresses in a table. Automatically
             create a nonexisting table.
-T delete    Delete one or more addresses from a table.
-T replace   Replace the addresses of the table. Automatically
             create a nonexisting table.

Has anyone tried out this feature with pfctl?

Thanks
Sam