mike tancsa wrote on 2020/01/22 14:39:
> On 1/22/2020 5:13 AM, Miroslav Lachman wrote:
>> mike tancsa wrote on 2020/01/20 15:37:
>>> Also, is there a better way to monitor pf rule changes? I don't see
>>> any mention in FreeBSD audit?
>> Monitoring of PF rules is kind of hard, and not just because of
>> automatic tables. (Automatic tables are created by the optimizer, not only
>> for self rules; the optimizer can be disabled by -o none.)
> Thanks for these tips! The other thing I would like to monitor is just
> if someone does something like pfctl -f
> /tmp/bad.rules;do_bad_things;pfctl -f /etc/pf.conf. Ideally, an audit
> event log would be fired that rules have been re-loaded. I think
> TrustedBSD has such extensions:
> https://wiki.freebsd.org/DiegoGiagio/Audit_Firewall_Events_from_Kernel
My main purpose in monitoring PF rules is to be notified when some
configuration accident has happened. Once in the past I was surprised by
running a machine for a week or two with empty rules. Or running with some
modified (not saved in pf.conf) rules until reboot, and then half a year
later something broke after the reboot.
Now I am notified about all these events. I don't need audit right now,
but it is a very interesting topic. The TrustedBSD module looks interesting.
Thank you for pointing me to it!
Kind regards
Miroslav Lachman
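A check of the kind Miroslav describes, added here as an example and not code from the thread or from FreeBSD: it compares a saved "known good" rule dump with the currently loaded rules and reports the two accidents named above (an empty ruleset, and rules that differ from pf.conf). The pfctl workflow in the comments, the file names and the sample dumps are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Compares a saved "known good"
# PF rule dump with the currently loaded rules and flags the two accidents
# Miroslav describes: an empty ruleset, and rules that differ from pf.conf.
# Assumed workflow (run from cron): both dumps come from `pfctl -sr` after
# loading with `pfctl -o none -f /etc/pf.conf`, so optimizer-generated
# tables do not show up as spurious differences.

# check_rules EXPECTED CURRENT
# Prints ok | empty | drift on stdout (changed lines go to stderr);
# exit status is 0, 1 or 2 respectively.
check_rules() {
    expected=$1
    current=$2
    # Empty ruleset: no line with a non-blank character (or file missing).
    if ! grep -q '[^[:space:]]' "$current" 2>/dev/null; then
        echo empty
        return 1
    fi
    # Drift: running rules differ from what pf.conf loads.
    if ! diff -q "$expected" "$current" >/dev/null; then
        echo drift
        diff -u "$expected" "$current" | grep '^[-+][^-+]' >&2
        return 2
    fi
    echo ok
    return 0
}

# Constructed sample dumps (not output from any real machine).
tmp=$(mktemp -d)
cat > "$tmp/expected.rules" <<'EOF'
block drop in all
pass in on em0 proto tcp from any to any port = ssh flags S/SA keep state
pass out on em0 all flags S/SA keep state
EOF
cp "$tmp/expected.rules" "$tmp/same.rules"
: > "$tmp/empty.rules"
# Rules loaded from a temporary file that were never saved to pf.conf.
cat > "$tmp/drift.rules" <<'EOF'
pass in all
pass out on em0 all flags S/SA keep state
EOF

for f in same empty drift; do
    printf '%s -> ' "$f"
    check_rules "$tmp/expected.rules" "$tmp/$f.rules" || :
done
```

The exit status lets a cron wrapper send mail only when the result is not 0.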
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf