Fafa Hafiz Krantz wrote:
Hey!
Here are some aliases I snagged off some dood on IRC:
How can these PF aliases be improved?
The last one doesn't really reload PF. I need to reboot for that.
alias pfdump 'tcpdump -n -e -ttt -r /var/log/pflog'
alias pfmon 'tcpdump -n -e -ttt -i pflog0'
alias pfreload 'pfctl -f /etc/pf.conf'
Thanks!
--
Fafa Hafiz Krantz
Research Designer @ http://www.bleed.no
Add -l to tcpdump; check the man page. Sometimes -X is good too, but it tends to disturb for general use.
I like the `pfmon' alias (mine is called fw_log); you can use it like tcpdump:
pfmon port 53 and ! arp
I use this little script too (especially as 'pf test' and 'pf reload'):
#!/bin/ksh
#
# pf helper: test/reload/edit the ruleset and manage a "badhosts" table that
# a "block quick" rule refers to. "block" adds a host to the table and then
# kills that host's existing states so the block takes effect immediately.
test -z "$1" && \
    echo \
    "syntax: $0 [test|reload|vi|block|bshow|bflush|show|flush]" && \
    exit 1
table=badhosts
case "$1" in
test)   pfctl -nf /etc/pf.conf        # parse only, do not load
        ;;
reload) pfctl -f /etc/pf.conf         # load the ruleset (no reboot needed)
        ;;
vi)     vi /etc/pf.conf
        ;;
block)  test -z "$2" && exit 1
        remote=$2
        pfctl -t "$table" -T add "$remote"
        # Build one "pfctl -k src -k dst" per state involving $remote.
        # Fields $2 and $4 assume the "proto addr <- addr" layout of pfctl -ss
        # on this system; adjust them if your pfctl prints an interface column
        # first. The sed strips the :port suffixes.
        pfctl -ss | grep -F -- "$remote" | \
            awk '{ print "pfctl -k " $2 " -k " $4 }' | \
            sed -e 's/:[0-9]*//g' | while read cmd
        do
            logger -i -t "$(basename "$0")" -- "killing session: $cmd"
            eval "$cmd"
        done
        ;;
bshow)  pfctl -t "$table" -T show
        ;;
bflush) pfctl -t "$table" -T flush
        ;;
show)   pfctl -sr
        ;;
flush)  pfctl -F a                    # flush rules, states, tables, everything
        ;;
*)
        echo "wtf: '$1'?"
        ;;
esac
exit $?
It uses this table at the very beginning of /etc/pf.conf:
##
# blackhole
table <badhosts> persist
block quick log from <badhosts> to any
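An added example, not from the thread or its author, covering the state-matching part of the "block" action without relying on fixed field numbers; it assumes pfctl -ss lines of the shape `addr:port <- addr:port` and reads a constructed sample instead of calling pfctl:

```sh
#!/bin/sh
# Added example (not from the thread): build the "pfctl -k A -k B" commands
# for every state that involves a given host, from "pfctl -ss" output.
# Instead of hard-coding fields $2 and $4 as the posted script does, the
# address pair is located by the direction arrow ("<-" or "->"), so the
# same code copes with or without a leading "all"/"self" column. Addresses
# are emitted in printed order, as in the posted script; IPv4 only, and the
# :port suffixes are stripped. Nothing is executed: the commands are printed
# so an operator can review them before running them.

# Constructed sample of "pfctl -ss" output in two layouts, plus a line for
# 192.168.1.50 that must not match a query for 192.168.1.5.
SAMPLE_STATES='all tcp 10.0.0.1:22 <- 192.168.1.5:4567      ESTABLISHED:ESTABLISHED
self udp 192.168.1.5:53210 -> 8.8.8.8:53      MULTIPLE:SINGLE
tcp 10.0.0.1:80 <- 203.0.113.9:51234      ESTABLISHED:ESTABLISHED
all tcp 10.0.0.1:22 <- 192.168.1.50:4568     ESTABLISHED:ESTABLISHED'

# kill_cmds HOST: read state lines on stdin, print one pfctl -k command per
# state whose source or destination address equals HOST exactly.
kill_cmds() {
    awk -v h="$1" '
    {
        for (i = 2; i < NF; i++) {
            if ($i == "<-" || $i == "->") {
                a = $(i - 1); b = $(i + 1)
                sub(/:[0-9]+$/, "", a)   # drop :port
                sub(/:[0-9]+$/, "", b)
                if (a == h || b == h)
                    print "pfctl -k " a " -k " b
                break
            }
        }
    }'
}

# Demo: the states that would be killed when blocking 192.168.1.5.
printf '%s\n' "$SAMPLE_STATES" | kill_cmds 192.168.1.5
```

Piping the output into `sh` (or the logger/eval loop from the posted script) is the only change needed to make it act.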