Hi all,

I have a question concerning some differences in pf rules display with
regards to pfctl, pftop, and systat (using a 4.4 snapshot downloaded
today).

My scrub, NAT and filter sections in my 'pf.conf' look like this:


scrub on $wan_if random-id reassemble tcp
nat on $wan_if from !($wan_if) -> ($wan_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $lan_if proto tcp to port ftp -> 127.0.0.1 port 8021
block in on $wan_if
pass out on $wan_if inet all modulate state
pass in  on $wan_if inet proto { tcp, udp } to any port 39415
anchor "ftp-proxy/*"
antispoof for { $lan_if }


This shows up as the following with pfctl:


$ sudo pfctl -s r
scrub on sis0 all random-id reassemble tcp fragment reassemble
block drop in on sis0 all
pass out on sis0 inet all flags S/SA modulate state
pass in on sis0 inet proto tcp from any to any port = 39415 flags S/SA keep state
pass in on sis0 inet proto udp from any to any port = 39415 keep state
anchor "ftp-proxy/*" all
block drop in on ! sis1 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.1 to any
block drop in on sis1 inet6 from fe80::200:24ff:fec8:6939 to any


To get the rule numbers, I use the -vv flags for pfctl:


$ sudo pfctl -s r -vv
@0 scrub on sis0 all random-id reassemble tcp fragment reassemble
  [ Evaluations: 4655      Packets: 1283      Bytes: 201983      States: 0     ]
  [ Inserted: uid 0 pid 18789 State Creations: 0     ]
@0 block drop in on sis0 all
  [ Evaluations: 341       Packets: 4         Bytes: 2109        States: 0     ]
  [ Inserted: uid 0 pid 18789 State Creations: 0     ]
@1 pass out on sis0 inet all flags S/SA modulate state
  [ Evaluations: 44        Packets: 581       Bytes: 195757      States: 3     ]
  [ Inserted: uid 0 pid 18789 State Creations: 36    ]
@2 pass in on sis0 inet proto tcp from any to any port = 39415 flags S/SA keep state
  [ Evaluations: 44        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 18789 State Creations: 0     ]
@3 pass in on sis0 inet proto udp from any to any port = 39415 keep state
  [ Evaluations: 4         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 18789 State Creations: 0     ]
@4 anchor "ftp-proxy/*" all
  [ Evaluations: 341       Packets: 58        Bytes: 4402        States: 0     ]
  [ Inserted: uid 0 pid 18789 State Creations: 8     ]
@5 block drop in on ! sis1 inet from 192.168.1.0/24 to any
  [ Evaluations: 333       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 18789 State Creations: 0     ]
@6 block drop in inet from 192.168.1.1 to any
  [ Evaluations: 297       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 18789 State Creations: 0     ]
@7 block drop in on sis1 inet6 from fe80::200:24ff:fec8:6939 to any
  [ Evaluations: 155       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 18789 State Creations: 0     ]


So rule #4 is my 'anchor "ftp-proxy/*" all' for use by ftp-proxy.

Then, using pftop-0.7p0 I view the rule set again (output "shortened"
to avoid wrapping):


pfTop: Up Rule 1-8/8, View: rules, Cache: 10000

RULE  ACTION   DIR  IF     PR   INFO
   0  Block    In   sis0        drop all
   1  Pass     Out  sis0        inet all  flags S/SA
   2  Pass     In   sis0   tcp  inet from any to any port = 39415  flags S/SA
   3  Pass     In   sis0   udp  inet from any to any port = 39415
   4  Pass     Any              all
   5  Block    In   !sis1       drop inet from 192.168.1.0/24 to any
   6  Block    In               drop inet from 192.168.1.1/32 to any
   7  Block    In   sis1        drop inet6 from fe80::200:24ff:fec8:6939/128 to any


And then finally using 'systat rules' (once again "shortened" to avoid
wrapping):


   2 users    Load 0.17 0.15 0.10

RULE  ACTION   DIR  IF     PR   INFO
   0  Block    In   sis0        drop all
   1  Pass     Out  sis0        inet all  flags S/SA
   2  Pass     In   sis0   tcp  inet from any to any port = 39415  flags S/SA
   3  Pass     In   sis0   udp  inet from any to any port = 39415
   4  Pass     In               all
   5  Block    In   !sis1       drop inet from 192.168.1.0/24 to any
   6  Block    In               drop inet from 192.168.1.1/32 to any
   7  Block    In   sis1        drop inet6 from fe80::200:24ff:fec8:6939/128 to any


I have two questions concerning the different displays from the three programs:

1. Why do pftop and systat report rule #4 as a kind of "pass all" rule
when it's actually an 'anchor "ftp-proxy/*" all' rule? Is this normal
and expected?

2. Is it a bug for systat to report the direction of rule #4 as "In"
while pftop reports it as "Any"? I'm assuming the difference indicates
a bug in either one of the programs.

Thanks!
-Martin
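A small helper for the rule-number comparison above, added here as an example and not part of the original post: it parses `pfctl -s r -vv` text into a tab-separated table that keeps `anchor` rules labelled as anchors (rather than a bare "Pass ... all") and tags scrub rules as their own set, since pfctl numbers them separately. The embedded input is the pfctl output quoted in the post with the mail wrapping undone; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: turn `pfctl -s r -vv`
# output into a tab-separated table in which anchor rules stay
# labelled as anchors instead of appearing as a bare "Pass ... all".
# Scrub rules are tagged as their own set because pfctl numbers them
# separately (hence the two "@0" lines in the post).

# Constructed sample: the pfctl -vv output quoted in the post, with the
# mail-client line wrapping undone so each rule sits on one line.
PFCTL_SAMPLE='@0 scrub on sis0 all random-id reassemble tcp fragment reassemble
  [ Evaluations: 4655      Packets: 1283      Bytes: 201983      States: 0     ]
  [ Inserted: uid 0 pid 18789 State Creations: 0     ]
@0 block drop in on sis0 all
@1 pass out on sis0 inet all flags S/SA modulate state
@2 pass in on sis0 inet proto tcp from any to any port = 39415 flags S/SA keep state
@3 pass in on sis0 inet proto udp from any to any port = 39415 keep state
@4 anchor "ftp-proxy/*" all
  [ Evaluations: 341       Packets: 58        Bytes: 4402        States: 0     ]
@5 block drop in on ! sis1 inet from 192.168.1.0/24 to any
@6 block drop in inet from 192.168.1.1 to any
@7 block drop in on sis1 inet6 from fe80::200:24ff:fec8:6939 to any'

# Reads pfctl -s r -vv text on stdin; prints SET RULE ACTION DIR IF INFO.
pf_rule_table() {
  awk '
    /^@[0-9]+ / {
      num = substr($1, 2); action = $2; dir = "any"; ifc = "-"; i = 3
      # "block" carries its disposition (drop/return...) as a third word
      if (action == "block" && $3 ~ /^(drop|return)/) { action = action " " $3; i = 4 }
      if ($i == "in" || $i == "out") { dir = $i; i++ }
      # pfctl prints a negated interface as "on ! sis1" (two tokens)
      if ($i == "on") { i++; if ($i == "!") { ifc = "!" $(i+1); i += 2 } else { ifc = $i; i++ } }
      info = ""; for (j = i; j <= NF; j++) info = info (info == "" ? "" : " ") $j
      ruleset = (action == "scrub") ? "scrub" : "filter"
      # an anchor has no direction or interface of its own; label it as
      # an anchor rather than letting it read as a pass-all rule
      if (action == "anchor") action = "ANCHOR"
      printf "%s\t%s\t%s\t%s\t%s\t%s\n", ruleset, num, action, dir, ifc, info
    }'
}

# Filters the table down to one filter-set rule number, e.g. `... | pf_rule 4`
pf_rule() {
  pf_rule_table | awk -F'\t' -v n="$1" '$1 == "filter" && $2 == n'
}

printf '%s\n' "$PFCTL_SAMPLE" | pf_rule_table
```

Piping live `pfctl -s r -vv` output into `pf_rule 4` gives the same row, so a "Pass all" entry seen in pftop or systat can be checked against what the kernel ruleset actually holds at that number.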
