On 1/22/2020 5:13 AM, Miroslav Lachman wrote:
> mike tancsa wrote on 2020/01/20 15:37:
>> Also, is there a better way to monitor pf rule changes? I don't see
>> any mention in FreeBSD audit?
>
> Monitoring of PF rules is kind of hard and not just because of
> automatic tables. (automatic tables are created by optimizer not only
> for self rules, optimizer can be disabled by -o none)
>

Thanks for these tips! The other thing I would like to monitor is just if someone does something like pfctl -f /tmp/bad.rules;do_bad_things;pfctl -f /etc/pf.conf. Ideally, an audit event log would be fired that rules have been re-loaded. I think TrustedBSD has such extensions.
https://wiki.freebsd.org/DiegoGiagio/Audit_Firewall_Events_from_Kernel
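As an added example (not from the thread or from FreeBSD itself), a small sh script for cron that snapshots the loaded ruleset with pfctl and logs a diff when it drifts from a stored baseline; /sbin/pfctl, /var/db/pf-monitor and the pf-monitor syslog tag are assumed names.

```shell
#!/bin/sh
# Added example, not from the thread: cron-driven detector that snapshots
# the loaded pf ruleset and reports drift from a stored baseline.
# PFCTL and BASELINE_DIR are assumed paths; pfctl -s* needs root.
PFCTL="${PFCTL:-/sbin/pfctl}"
BASELINE_DIR="${BASELINE_DIR:-/var/db/pf-monitor}"

# Dump rules, NAT rules and table names in one stable text form. Only
# table names are listed: contents of automatic tables change on their
# own and would make every run look like a rule change.
pf_snapshot() {
    echo "## rules";  "$PFCTL" -sr
    echo "## nat";    "$PFCTL" -sn
    echo "## tables"; "$PFCTL" -sT
}

# Return 0 (true) when two snapshot files differ, 1 when identical.
# The unified diff goes to stdout so it can be kept as evidence.
ruleset_differs() {
    ! diff -u "$1" "$2"
}

# Number of rule lines in a snapshot (section headers excluded).
rule_count() {
    grep -cv '^## ' "$1"
}

# One monitoring pass: record the baseline on first run, otherwise
# compare and raise a syslog warning when the ruleset changed.
check_ruleset() {
    mkdir -p "$BASELINE_DIR"
    baseline="$BASELINE_DIR/baseline.txt"
    current="$BASELINE_DIR/current.txt"
    pf_snapshot > "$current"
    if [ ! -f "$baseline" ]; then
        cp "$current" "$baseline"
        logger -t pf-monitor "baseline recorded, $(rule_count "$baseline") lines"
        return 0
    fi
    if ruleset_differs "$baseline" "$current" > "$BASELINE_DIR/last.diff"; then
        logger -t pf-monitor -p security.warning \
            "pf ruleset changed since baseline, diff in $BASELINE_DIR/last.diff"
        return 2
    fi
    return 0
}

# Run from cron as: sh pf-monitor.sh check   (rebase by removing baseline.txt)
if [ "${1:-}" = check ]; then check_ruleset; fi
```

A periodic snapshot catches changes that persist, but a quick swap-and-restore like the pfctl -f /tmp/bad.rules sequence above can complete between two runs and go unseen. Catching the reload itself needs a kernel-side event of the kind the linked proposal describes.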