
Building Firewalls With OpenBSD And PF, 2nd Edition (2003)
Section 15.5: Are packets passing through PF? (p. 257)
# tcpdump -i ne0 -w ne0-capture
And if you wanted to read them later on, you'd use:
# tcpdump -r ne0-capture
Depending on your preferences, tcpdump(8) output can be made less verbose (-q) or more verbose (-vv). For faster operation, you might want to turn off IP address to name translation with -n.
The real fun begins when you use tcpdump(8) expressions. Expressions are used to filter packets and display only those we are interested in, e.g. (displays packets sent from the host whose address is 10.3.4.6):
# tcpdump -i ne0 src host 10.3.4.6
(displays packets sent to or from port 25):
# tcpdump -i ne0 port 25
You can run tcpdump(8) on the firewall and on the hosts surrounding it and watch its output for specific information. For example, if you want to know whether your ruleset is letting packets from a certain host pass, use src host. Similarly, the same parameter helps when you want to make sure that packets from a certain host do not pass through the firewall: when you do see them, it is a sign that the ruleset ought to be adjusted.
When the problems you are experiencing are difficult to spot, you might use ethereal (found in ports and packages), which makes tcpdump's output easier to understand. Should that fail, you may need to do some detective work, and for that you will use the -w option, which writes packets to a file. Then, after you have captured some traffic, use tcpreplay (it's in the ports and packages) to send that traffic again. The captured packets can be sliced and pasted with tcpslice (also in packages). Other tools of interest are tcptrace, tcpstat, and tcpshow.
Later, with the help of tcpreplay
That technique will be used in many cases, but tcpdump(8) can also help measure network performance. Another useful debugging technique is turning packet filtering off and replacing it with packet logging.
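The src host check described above, worked through as an added example that is not code from the book: two captures written with -w, one on the outside interface and one on the inside interface, are read back with -r and the same expression, and the packet counts on both sides are compared. The interface names (ne0, ne1), the capture file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: decide whether packets matching a tcpdump
# expression get through the firewall by comparing two capture files, e.g.
#   tcpdump -i ne0 -w ext-capture    (outside interface; names are assumptions)
#   tcpdump -i ne1 -w int-capture    (inside interface)
# The same expression is applied to both files with -r, as the book shows.

# count_packets FILE EXPRESSION: number of packets in FILE matching EXPRESSION
# (-n avoids name lookups; one packet per output line, so wc -l counts packets)
count_packets() {
    tcpdump -n -r "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# passes_firewall EXT_FILE INT_FILE EXPRESSION
# exit status: 0 seen on both sides (passing), 1 seen outside only (blocked),
#              2 not seen at all (the capture or the expression is wrong)
passes_firewall() {
    outside=$(count_packets "$1" "$3")
    inside=$(count_packets "$2" "$3")
    if [ "$outside" -eq 0 ]; then
        echo "absent: nothing matching '$3' in $1; check the capture and the expression"
        return 2
    elif [ "$inside" -eq 0 ]; then
        echo "blocked: $outside packet(s) matching '$3' outside, none inside"
        return 1
    fi
    echo "passing: $outside outside, $inside inside"
    return 0
}
```

Usage: `passes_firewall ext-capture int-capture 'src host 10.3.4.6'`. For a rule that is supposed to block the host, exit status 1 is the expected result; status 2 means the expression never matched anything, so the check itself is not telling you anything about the ruleset yet.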
15.6 Additional tools
It is impossible to list and describe all the network and security tools that OpenBSD comes with. The following list ought to direct you in your search and help you quickly find the tool you are looking for. Please note that even if a tool you are looking for is not available in the ports or packages collection, it is probably available in source form on the Internet and can be built using the OpenBSD compiler tools. Be careful with code downloaded from the Internet and always download it from trusted sites.
• Scanning and fingerprinting tools: angst, arirang, cgichk, ettercap, firewalk, ndiff, nmap, p0f, portscanner, queso, scanssh, siphon, sniffit, smbsniff, strobe, whisker, xprobe.
• Scanning and fingerprinting detection tools: aide, courtney, portsentry, smurflog, snort, scanlogd, task.
• Network Intrusion Detection Systems (NIDS): libnids, snort.
• Protocol analysis tools: arpwatch, ethereal, parse, pcapmerge, ssldump, tcpdump.
• Network utilities: aggregate, arping, ctrace, dlint, fping, hping, libnet, nemesis, netpipes, ngrep, socket, tcpcat, tcpflow, tcplist, tcpreen.
• Network performance monitoring tools: http_load, http_ping, iperf, ipfm, mtr, mrtg, netperf, netpipe, oproute, top, tcpblast, trafd, trafshow, ttcp.
Chapter 16
Firewall Management
Firewalls built with OpenBSD and pf are specialized Unix systems, and as such they are managed just like any other Unix-class system. Many concepts are similar, but there are a few differences, because pf(4) is a complex piece of software and has its own management tool, pfctl(8).
16.1 General Operations
• Enable pf(4):
# pfctl -e
• Disable pf(4):
# pfctl -d
• Enable pf(4) and load the ruleset stored in /etc/pf.conf:
# pfctl -e -f /etc/pf.conf
16.2 Pfctl Output Control Options
• Suppress informational messages. Display error and warning messages only. Option -q. Can be used with other options.
• Be more verbose. Display additional information. Option -v. Can be used with other options.
• Be even more verbose. Display more information. Option -vv. Can be used with other options.
16.3 Managing Rulesets
• Load the whole ruleset from a file:
# pfctl -f /etc/pf.conf
• Parse the ruleset stored in a file but don't load it. Good for ruleset debugging purposes:
# pfctl -n -f /etc/pf.conf
• Load rules, or the whole ruleset, from standard input (STDIN). Replace the name of the file with -, e.g.:
# echo "block in all" | pfctl -f -
• Flush everything:
# pfctl -F all
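Sections 16.1 and 16.3 together give the pieces of a safe reload: parse with -n first, load with -f only if parsing succeeded, and keep the noise down with -q. The following is an added example, not code from the book or from the pfctl(8) sources; it calls pfctl(8) exactly as the book shows, and the function names and exit codes are our own choices.

```shell
#!/bin/sh
# Added example, not from the book: reload a ruleset only after pfctl has
# parsed it successfully (-n), so a syntax error in /etc/pf.conf never
# replaces the running ruleset with nothing.

# check_ruleset FILE: parse only, load nothing; exit status is pfctl's
check_ruleset() {
    pfctl -n -f "$1"
}

# safe_reload [FILE]: 0 on success, 1 if FILE fails to parse, 2 if unreadable
safe_reload() {
    file=${1:-/etc/pf.conf}
    if [ ! -r "$file" ]; then
        echo "safe_reload: cannot read $file" >&2
        return 2
    fi
    if ! check_ruleset "$file"; then
        echo "safe_reload: $file rejected, running ruleset left unchanged" >&2
        return 1
    fi
    # -q: print only errors and warnings while the ruleset is loaded
    pfctl -q -f "$file"
}
```

Usage: `safe_reload /etc/pf.conf` (or just `safe_reload`). Enabling pf(4) itself stays a separate step (`pfctl -e`), so that a failed reload on an already running firewall leaves the previous rules in force rather than disabling filtering.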
16.4 Managing Macros
• Define (or override) a macro:
# pfctl -D macro=value
e.g.:
# pfctl -D ext_if=ne0
When the value of the macro contains characters that may be interpreted by the shell, enclose everything after -D in single quotes:
# pfctl -D 'locals={192.168.22.32, 192.168.22.33}'
16.5 Managing Tables
• Load only table definitions from a file:
# pfctl -T load -f /etc/pf.conf
• Create a table. A table comes into existence when you add an address to it, using the same command as for an existing table:
# pfctl -t sometable -T add 192.168.23.2
• Add a new address to a table:
# pfctl -t sometable -T add 192.168.23.3
• Delete an address from a table:
# pfctl -t sometable -T delete 192.168.23.3
• Replace the addresses in a table with an address list loaded from a file:
# pfctl -t sometable -T replace -f addresses
• Display the list of all tables:
# pfctl -s Tables
• Display addresses in a table:
# pfctl -t sometable -T show
• Check if the given address matches a table:
# pfctl -t sometable -T test 192.168.23.3
• Check if the given addresses match a table:
# pfctl -t sometable -T test -f addresses
• Clear all statistics for a table:
# pfctl -t sometable -T zero
• Kill a table:
# pfctl -t sometable -T kill
• Flush all addresses from a table:
# pfctl -t sometable -T flush
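The -T replace command above swaps a table's entire contents for the list in a file, so a typo in that file is a convenient way to lose the addresses a block rule depends on. The following is an added example, not code from the book: it validates every entry of an address file before handing the file to pfctl -T replace. It accepts only IPv4 addresses and CIDR blocks, optionally negated with "!", so hostnames and IPv6 entries, which pfctl(8) itself would accept, are rejected here by design; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: check an address file line by line and
# only then run "pfctl -t TABLE -T replace -f FILE".

# valid_ipv4 A.B.C.D: succeeds if there are four octets, each a number 0..255
valid_ipv4() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_entry ENTRY: one table-file entry, e.g. 10.0.0.1, 192.168.0.0/24, !10.0.0.5
valid_entry() {
    entry=$1
    case $entry in '!'*) entry=${entry#!} ;; esac   # negated entry
    case $entry in
        */*)
            prefix=${entry#*/}
            entry=${entry%%/*}
            case $prefix in ''|*[!0-9]*) return 1 ;; esac
            [ "$prefix" -le 32 ] || return 1
            ;;
    esac
    valid_ipv4 "$entry"
}

# check_addr_file FILE: print "LINE: text" for every bad entry; 0 if all are good
check_addr_file() {
    bad=0
    n=0
    set -f                              # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%%#*}                # strip comments, as pfctl does
        set -- $line                    # trim whitespace; one entry per line
        [ $# -eq 0 ] && continue        # blank or comment-only line
        if [ $# -ne 1 ] || ! valid_entry "$1"; then
            echo "$n: $line"
            bad=$((bad + 1))
        fi
    done < "$1"
    set +f
    [ "$bad" -eq 0 ]
}

# table_replace TABLE FILE: replace the table's contents only if FILE is clean
table_replace() {
    if ! check_addr_file "$2"; then
        echo "table_replace: $2 has bad entries, table $1 left unchanged" >&2
        return 1
    fi
    pfctl -t "$1" -T replace -f "$2"
}
```

Usage: `table_replace sometable addresses`. The bad entries are printed with their line numbers, and the running table is not touched until the file is clean.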
16.6 Managing pf Options
• Load only options from a file:
# pfctl -O -f /etc/pf.conf
16.7 Managing Queues
• Load only queue definitions from a file:
# pfctl -A -f /etc/pf.conf
• Display queue definitions:
# pfctl -s queue
• Display queue definitions and per-queue statistics:
# pfctl -v -s queue
• Display and update queue definitions and per-queue statistics. Updates are displayed every 5 seconds:
# pfctl -vv -s queue
• Flush queue definitions:
# pfctl -F queue
16.8 Managing Packet Redirection Rules
• Load only packet redirection rules from a file:
# pfctl -N -f /etc/pf.conf
• Display currently loaded packet redirection rules:
# pfctl -s nat
• Flush packet redirection rule definitions:
# pfctl -F nat
16.9 Managing Packet Filtering Rules
• Load only filter rules from a file:
# pfctl -R -f /etc/pf.conf
• Display filtering rule definitions:
# pfctl -s rules
• Display filtering rule definitions and per-rule statistics:
# pfctl -v -s rules
• Flush filtering rule definitions:
# pfctl -F rules
16.10 Managing Anchors
• Load rules into anchor xyz:
# pfctl -a xyz -f somerules
• Load rules into named ruleset abc of anchor xyz:
# pfctl -a xyz:abc -f somerules
• Display NAT rules from named ruleset abc of anchor xyz:
# pfctl -s nat -a xyz:abc
Other modifiers allowed in -F are: all, queue, rules, state, info, and tables.
• Display currently loaded anchors:
# pfctl -s Anchors
• Display currently loaded named rulesets in an anchor:
# pfctl -s Anchors -a someanchor
• Flush all rules from anchor xyz:
# pfctl -F all -a xyz
Other modifiers allowed in -F are: nat, queue, rules, state, info, and tables.
• Flush all rules from ruleset abc of anchor xyz:
# pfctl -F all -a xyz:abc
Other modifiers allowed in -F are: nat, queue, rules, state, info, and tables.
16.11 Managing States
• Display all states:
# pfctl -s state
• Perform DNS lookups on displayed states. Add the -r option when you are using the -s state option.
• Kill all states originating from host abc:
# pfctl -k abc
• Kill all states originating from host abc to host xyz:
# pfctl -k abc -k xyz
• Flush states:
# pfctl -F states
• Display changes to the state table via pfsync(4):
# ifconfig pfsync0 up
# tcpdump -s1500 -evtni pfsync0
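Killing states with -k is invisible unless you look at the state table before and after, and a plain grep for the address over-counts, because 10.3.4.6 is also a substring of 110.3.4.6. The following is an added example, not code from the book: it counts the entries of pfctl -s state that involve a host, anchored on the "address:port" form those lines use, runs the -k command from this section, and reports both counts. The function names are assumptions; the state lines used in the test are constructed and only approximate the real output layout.

```shell
#!/bin/sh
# Added example, not from the book: verify that "pfctl -k HOST" removed the
# states it was meant to remove, by counting state-table lines that mention
# HOST as "HOST:port" before and after the kill.

# count_host_states HOST: number of state entries whose source or destination is HOST
count_host_states() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')        # literal dots in the regex
    # the address must start the line or follow a non-address character,
    # so 10.3.4.6 does not match inside 110.3.4.6; grep -c prints 0 (and
    # exits 1) when nothing matches, hence "|| true"
    pfctl -s state | grep -c -E "(^|[^0-9.])${esc}:" || true
}

# kill_host_states HOST [PEER]: kill states from HOST (to PEER, if given)
# and report the counts; returns 1 if there was nothing to kill
kill_host_states() {
    before=$(count_host_states "$1")
    if [ "$before" -eq 0 ]; then
        echo "no states involving $1"
        return 1
    fi
    if [ -n "$2" ]; then
        pfctl -q -k "$1" -k "$2"
    else
        pfctl -q -k "$1"
    fi
    after=$(count_host_states "$1")
    echo "states involving $1: $before before, $after after"
}
```

Usage: `kill_host_states 10.3.4.6` or `kill_host_states 10.3.4.6 192.168.22.33`. Because -k only matches states whose source is the given host, while the count covers both directions, a non-zero "after" value is expected whenever the host is the destination of states created from the other side.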
16.12 Managing Operating System Fingerprints
• Display all loaded operating system fingerprints:
# pfctl -s osfp
• Flush all loaded operating system fingerprints:
# pfctl -F osfp
16.13 Statistics
• Display all stats:
# pfctl -s all
• Display filter information (statistics and counters):
# pfctl -s info
• Display current pool memory hard limits:
# pfctl -s memory
• Display global timeouts:
# pfctl -s timeouts
• Display statistics for rules with labels:
# pfctl -s labels
16.14 Additional Tools for Managing pf
Although pfctl(8) is the best tool for managing pf(4), there are a few additional items you should know about, because they can greatly help you in your everyday work:
• pfstat: collects and plots pf(4) statistics.
http://benzedrine.cx/pfstat.html
• pftop: similar to top(1) or ntop, displays basic pf(4) stats.
http://www.eee.metu.edu.fr/~canacar/pftop/
• fwanalog: parses pf(4) logs and translates them into Analog format.
http://www.tud.at/programm/fwanalog