Date: Wed, 23 Dec 2009 00:50:09 +0100
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-pf@freebsd.org
Subject: How to export / save and compare PF rule sets
Message-ID: <4B315B31.7050902@quip.cz>
Hi,

I am planning to write a script to check PF rulesets and send e-mail / SMS alerts on changes. I am planning to check rules periodically, on boot, and save the "current" state on shutdown; compare the rules on boot with the state on shutdown and report differences; and check differences of the current rules compared to a well-known one (a read-only / signed file used at boot).

The main problem is that pfctl is not consistent in its output when used on the current (live) ruleset and on a file. Example:

    # pfctl -s a | egrep '^(binat|nat|rdr|scrub|block|pass) .*' > /var/tmp/pf_rules.current
    # pfctl -nvf /etc/pf.conf | egrep '^(binat|nat|rdr|scrub|block|pass) .*' > /var/tmp/pf_rules.boot
    # diff /var/tmp/pf_rules.boot /var/tmp/pf_rules.current
    1,2d0
    < scrub in on bge1 all fragment reassemble
    < scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble
    6a5,6
    > scrub in on bge1 all fragment reassemble
    > scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble

As you can see, scrub is placed on different lines, but only if there are nat/rdr defined. scrub is before the nat/rdr rules in the case of "pfctl -s a" and after nat/rdr in the case of "pfctl -nvf /etc/pf.conf".

Is there any other way I can export live and saved rules in the same format and the same order, ready for comparison by diff? Or can it be fixed in the pfctl sources and committed?

This is on FreeBSD 7.2-RELEASE GENERIC amd64. Can somebody test it on 8.0 or CURRENT?

Thanks for any suggestions

Miroslav Lachman